7

I'm playing around with AppScript and trying to get an OAuth 2.0 access token.

Is there any sample out there showing how to get this working in AppScript?

Volkmar Binder

3 Answers

22

I am working on a cleaner tutorialized version of this, but here is a simple Gist that should give you some sample code on how things would work -

https://gist.github.com/4079885

It still lacks logout, error handling and the refresh_token capability, but at least you should be able to log in and call an OAuth 2 protected Google API (in this case it's a profile API).

You can see it in action here -

https://script.google.com/macros/s/AKfycby3gHf7vlIsfOOa9C27z9kVE79DybcuJHtEnNZqT5G8LumszQG3/exec

The key is to use the OAuth 2 Web Server flow. Take a look at the getAndStoreAccessToken function in the gist to get the key details.

I hope to have this published in the next few weeks but hopefully this will help in the meantime.

UPDATE - adding in info on redirect_uri

The client secret is tied to specific redirect URIs that the authorization code is returned to.

You need to set that at - https://code.google.com/apis/console/

Redirect URI

The highlighted URI needs to match the published URI (ends in /exec). You get the published URI from the script editor under Publish -> Deploy as web app. Make sure you are saving new versions and publishing the new versions when you make changes (the published URI stays the same).

Published URI

Arun Nagarajan
  • Hi Arun, I've tested your sample, which looks good. But I get an error invalid redirect_uri. Any hint? – Volkmar Binder Nov 23 '12 at 19:17
  • 1
    I updated my answer above to include info on where to ensure your redirect_uri matches your keys. Hope that helps. – Arun Nagarajan Nov 24 '12 at 18:17
  • Hi Arun, Thanks for this great sample. I got it working and think I can move from there. – Volkmar Binder Nov 27 '12 at 05:27
  • @ArunNagarajan just wondering if we'll ever see this issue fixed https://code.google.com/p/google-apps-script-issues/issues/detail?id=2580 – Edo Sep 18 '13 at 13:40
  • I'm copy-pasting your gist but I get `401. That’s an error. Error: invalid_client no application name` when I press 'click here to start'. Using your link works. Any ideas? – lalibi May 05 '14 at 19:54
  • @lalibi Late response. However, you are missing application name in user consent screen. – Nevermore Nov 10 '16 at 15:16
2

I've modified the example above to use the newish state token API and the CacheService instead of UserProperties, which is now deprecated. Using the state token API seems to make things a little more secure, as the callback url will stop accepting a state token after a timeout.

The same caveats apply. Your redirect URIs have to be added to your (script) project in the developer's console, meanwhile you have to yank the CLIENT_SECRET and CLIENT_ID from the console and paste them in. If you're working within a domain, there don't seem to be any guarantees on what URL will be returned by ScriptApp.getService().getUrl(), so I wound up basically having it get the address dynamically, then waiting for it to fail on the (second) redirect, and then hard-coding the resulting URI.

https://gist.github.com/mclaughta/2f4af6f14d6aeadb7611

Tom
0

Note that you can build an OAuth2 flow using this new API, but it's not a complete sample yet: https://developers.google.com/apps-script/reference/script/script-app#newStateToken()

In particular, you should not pass 'state' directly to the /usercallback URL yourself, because the OAuth2 service provider is responsible for round-tripping the 'state' parameter. (Instead, you pass 'state' to the auth URL, and the service provider automatically attaches it to the callback URL.)

Steve Lieberman
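
The 'state' round trip and the timeout described in the two answers above, as an added example in plain Node.js; it is not code from this page or from either gist. The HMAC-signed token is a stand-in for ScriptApp.newStateToken(), and the function names, the provider simulation and the sample values are assumptions made for illustration.

```javascript
// Added example: plain Node.js stand-in for the flow, not Apps Script code.
const crypto = require('crypto');

const AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth';

// Hypothetical stand-in for ScriptApp.newStateToken(): HMAC-signed value with an expiry.
function newStateToken(secret, timeoutSec, nowMs = Date.now()) {
  const expiry = Math.floor(nowMs / 1000) + timeoutSec;
  const body = `${expiry}.${crypto.randomBytes(16).toString('hex')}`;
  const mac = crypto.createHmac('sha256', secret).update(body).digest('hex');
  return `${body}.${mac}`;
}

// Step 1: the app puts 'state' on the authorization URL, not on its own callback URL.
function buildAuthUrl({ clientId, redirectUri, scope, state }) {
  const q = new URLSearchParams({
    response_type: 'code', client_id: clientId,
    redirect_uri: redirectUri, scope, state,
  });
  return `${AUTH_ENDPOINT}?${q}`;
}

// Step 2 (provider side, simulated): the provider copies 'state' onto the redirect.
function simulateProviderRedirect(authUrl, code) {
  const p = new URL(authUrl).searchParams;
  const cb = new URL(p.get('redirect_uri'));
  cb.searchParams.set('code', code);
  cb.searchParams.set('state', p.get('state'));
  return cb.toString();
}

// Step 3: the callback accepts the code only with an authentic, unexpired state.
function handleCallback(callbackUrl, secret, nowMs = Date.now()) {
  const p = new URL(callbackUrl).searchParams;
  const parts = (p.get('state') || '').split('.');
  if (parts.length !== 3) return { ok: false, error: 'missing_state' };
  const [expiry, nonce, mac] = parts;
  const expected = crypto.createHmac('sha256', secret)
    .update(`${expiry}.${nonce}`).digest();
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, error: 'bad_state' };
  }
  if (nowMs / 1000 > Number(expiry)) return { ok: false, error: 'expired_state' };
  return { ok: true, code: p.get('code') };
}
```

A callback that arrives without a state, with a modified state, or after the timeout returns an error object instead of the authorization code, so the code is never exchanged for a token in those cases.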