In the scenario of scripts that need authentication to run (run as service account, locked down sharing settings, etc) is there a way to authenticate as a Google user via an HTTP tool like cURL, UrlFetchApp, or even PowerShell scripts from Windows Server environments?
You are going to have to do a little leg work on this one.
Firstly, when you publish your apps script, make sure to change the "who has access to the app" to something like "only myself".
Then you need to see what happens when you try to hit that URL from an external service without authenticating. There may be some help from the error codes you are likely to receive.
I imagine you can then use the following documents to Authenticate for Google Services IN GENERAL. Then you will most likely have to pass a sessionID or Accesskey of some sort. I only have a brief understanding of OAuth, but I do imagine that you may be able to set up a more permanent connection between your other server and your particular Google Apps Script.
I hope this helps.
Jacob
Related
First of all, sorry for my bad English :)
I am building a Gmail addon which integrates file uploading to an external website using their API. The API have an auth endpoint which uses plain authorization flow i.e. takes email and password of a user to authorize and return authorization token. That token is then used in the subsequent call of file uploading process.
My question is, it has been mentioned in gmail addon guide that an app should use oAuth when connecting to a third-party service. However, the related website's API do not have oAuth but use plain authorization flow. If I create a login form with email and password fields using the card service, would that be okay and approved by google to be listed in the addons directory? Creating oAuth on third party service is not in my hands
Thank you!
Q: would that be okay and approved?
My experience is that it is OK to use basic authentication (since a lot of APIs still use basic auth, it would be devastating if the use of API was prohibited), most likely you will be approved. However, if there ever be a version of the API that supports OAuth, please, migrate as soon as possible.
Caveats
You mentioned creating a login form in CardService - please, be aware that there are no "password"-style TextInputs, so all characters will be visible all the time + there isn't, as of yet, any support for input event, so you won't be able to emulate the behaviour easily.
If you are planning on storing the credentials, try to avoid using PropertiesService - it isn't considered a secure storage (though if credentials are to be entered only once, storing the token should be fine).
You will still be asked to implement the authorizationCheckFunction.
Here's what I'm trying to do:
Remotely execute a Google Apps Script function from an online automation service (Zoho Flow, similar in purpose to Zapier.)*
This function that I am remotely executing is to add gmail labels to everyone in an organization.
In order to do this, I've done the following:
Created a service account with domain-wide-delegation in the same GCP project associated with the function that adds gmail labels.
Used the OAuth2 library for Google Apps Script to perpetuate JWT authorization for that service account in my script.
Verified that function works with service account functionality for all users in a Google oragnization within google apps script
Deployed this script as an API Executable to enable remote execution
Created authtokens authorized with the mail scope for the Apps Script API (https://mail.google.com/), as well as an additional scope required by the OAuth2 library in my script. This is done in the google developer playground, using OAuth2.0 Client ID credentials that are authorized as a part of that same GCP project.
Successfully executed the function remotely using the Google Apps Script API with Postman
Now, in order to actually make this functionality official, I now have to replace postman and the google developer console with the actual client, which is this Zoho Flow platform for api connections and process automation.
In order to make the switch I've done the following;
Added the authorized redirect URl for the client (Zoho Flow) under the same credentials that are used for the Google Developer Playground:
Utilized the credentials found from the JSON representation of those credentials** for creating what's called a "connection" in this software, which is basically an easy-to-use OAuth2.0 connection with a nice front-end that can be used for accessing API data (this is the part where I create this connection):
Entered the same scope for this connection that were authorized in the google developer playground, as well as that additional scope (https://www.googleapis.com/auth/script.external_request) that the OAuth2.0 library for Google Apps Script uses:
Lo and behold, I get the error below when attempting to gain access to Google API data from a web application, and the scopes that are said to cause the error is every scope except for the mail scope: https://mail.google.com/. I've done additional testing to verify that every other scope that is a part of the google apps script API also create this error, not just this external scope for the OAuth2 library.
Support said it was likely an issue with my credential permissions; is my line of logic for this correct? If it is, then it is an issue with their software that I will have them pursue further.
Some additional testing has been done on the software (Zoho Flow) to confirm whether or not it is a software error or not: I'm not certain if the process defined in my answer is best practices, or even 100% correct (other users can speak to it,) but I've confirmed that the error I am seeing is likely an error with the client.
Here's why:
When authorizing for multiple scopes, I get the error seen at the end of my question:
When changing that connection to utilize only one of my scopes instead, like so:
The connection proceeds properly, and I can remotely execute functions that utilize only that one scope successfully. This does work for any one scope that I authorize. The only problem is, it's a rare occurrence that a script only requires one scope. While this I can get around this major bug, I cannot remotely execute my function that adds gmail labels to all users in an organization because it requires two scopes. This will be mentioned to the development team and it should be fixed soon.
I am building an application that consists of two strongly separated parts:
Backend server is running on AppEngine that access gsuite domain data using Google service account.
Spreadsheet plugin written with Apps Script, that is directly installed by the users.
Spreadsheet plugin should access backend server REST endpoint.
I want to implement authorization for the "Apps Script" -> "Backend Server" connection. The only information I found on this Make requests to services with OAuth
I don't want to implement my own user management and want to use the Google Accounts for authorization. As far as I understand the single way to do this is implement OAuth on the server side and then follow o.
I wonder if there a better approach or best practices to implement this?
Unfortunately, there isn't another mode of "authorisation" besides the one you've already mentioned/explored i.e OAuth.
What I would recommend as an alternate is to use JSON Web Tokens (JWTs).
Twilio's Authy uses it to create user registrations without any PIIs and JWTs in Google Apps Script should help you with that.
Hope this helps.
I would like to use GAS script as some sort of a web service. Basically, I would like to post some parameters and then using Drive service do some manipulations of Google Doc and all of this has to be done from backend, without use of browser. Now I have issue with authentication - When I deploy GAS as a Web App (Execute the app as user accessing the app, Anyone can access app), when trying to execute script via Http request, I get Google Login response (/accounts/ServiceLogin). Obviously user has to authenticate access. I was not able to find if we can apply OAtuh at that point. So my question is - What can be done to achieve this? Is there any mechanism that can be used to atuhenticate to GAS from a server side? Or am I forced to use browser with GAS?
You could have your own authentication check in the Apps Script code. You would have NO security settings with the publishing, but implement your own password check in the Apps Script code. You would set the publish "Execute the app as:" setting to ME, and the setting of "Who has access to the app:" to Anyone, even anonymous. That allows the app to be run by anyone with no authentication. Then create your own authentication by passing a password in the URL search string.
Even though putting a password in the URL search string is encrypted over a HTTPS connection, it's still considered "bad practice", because the search string could be stored in plain text in the browser history. But you aren't going to use a browser.
So, your Apps Script App would read a search string parameter from the URL, and either allow the script to be run or not. You would be implementing your own authentication system.
But you need to evaluate and decide what the security is on your server, or whatever server is sending the request. If you can send a HTTPS request to an Apps Script with a password in the URL search string, and it's not a security concern on your server, or whatever server is sending the HTTPS request, then you can consider that and make your decision.
If you want to get a response back from Apps Script to your server without anything opening up in the browser, use the Content Service:
Google Documentation - Content Service
I've created a Google App Script that handle 2 different OAuth connections.
1- Google itself to send mail on behalf of the user and access google docs (google api console used to get keys, secret)
2- gtraxapp wich is a timesheet cloud-based app. (Script is registered, got a key/secret, etc.)
The script is published as a web app. It works perfectly for my user.
When logged on a different user name, I can authorize Google OAuth without providing different key/secret, and emails will be sent from the actual user.
Problem happens with the 2nd app (gTrax).
Authorization seems to work. Running the function inside the script to authorize lead to a screen asking for permission, gtrax then appears in the account as a registered app (could revoke access if needed).
But, when running the app, I get a message saying I need permission to do this action (UrlFetchApp / simple get)
My question is :
Is this possible that I need to register each user to get a key/secret for everyone (and dealing with that in the script)...
Or do OAuth can be registered with 1 key/secret ?
In other word, are (should) key/secret linked to a single user or are they only a kind of RSA-like key pairs that, when verified, can be used to authorize any user.
My understanding is this. When you use built-in Apps Script functions, like MailApp.sendEmail, the Google Apps Script "environment" takes care for you to ask authorization for the user (1st time he access your app) and save and manage the oAuth tokens for you, so it all runs smoothly.
When you call an external service using UrlFetchApp, Apps Script oAuth authorization process works differently. The authorization is just a strange popup you get on the script editor, when you actually make the fetch call. It is not processed at "compile time" and asked before you run anything like the other services. But you also do this step only once.
The "gotcha" is that this different authorization process does not work when a user is running the app as a webapp. AFAIK it only works from the script editor itself or running directly from a spreadsheet.
If your users are just a known few, you could advise everybody to open the script editor (or a spreadsheet that contains it) and run an specific function that will just attempt the UrlFetchApp.fetch call so the popup shows up and they authorize it. Once this step is done, they can use the webapp normally. Apps Script will do the magic for you after that.
But if you plan to share this broadly, say at the Chrome Web Store, and don't want to ask every user to do this somewhat strange step, then you'll need to manage all the authorization process yourself. It means, you'll have to register your app with the third party service (if it's Google's, it's at the API Console), where you will receive a client id and a client secret. With those you'll have to place a "Authorize" submit button on your app html that will redirect the users to the 3rd party authorization url, providing the correct scope, etc. When they authorize it, the 3rd party will redirect the user back to your app providing a code token as URL parameter. You'll use this code to call the 3rd party oAuth service to get the real access and possibly refresh tokens that you'll have to use on your UrlFetch calls. You'll be responsible to save these tokens, refresh them when they expire and so on. Not a very simple procedure :-/
Oh, and although your app have only one id and secret, the tokens are per user. Which makes sense, since each call you do must be on behalf of a specific user and he *must* have authorized it.
I hope this helps.