
I'm developing a desktop app that makes use of the Google Sheets API v4. Within the app's Project in the GCP console, the scopes for the OAuth consent screen are the following:

- https://www.googleapis.com/auth/drive
- https://www.googleapis.com/auth/spreadsheets
- https://www.googleapis.com/auth/userinfo.email

I'm able to get an OAuth access token (plus a refresh token) from my desktop app via the authorization code flow. I can get the list of Spreadsheets and all their tab names, etc. via cURL calls when I add the access token as an `Authorization: Bearer {{token}}` header.

Now, I have written a simple Google Apps Script that I associated with the desktop app's project in the GCP console using the "Resources > Cloud Platform Project" menu item. Then, I deployed the Apps Script as a Google Web App with the following settings within the "Publish > Deploy as web app" dialog:

Execute the app as: User accessing the web app

and

Who has access to the app: Anyone

The manifest for the Google Apps Script Web App contains the following for OAuth Scopes:

```json
"oauthScopes": ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/spreadsheets", "https://www.googleapis.com/auth/userinfo.email"]
```

Now, I figured that since the desktop app scopes are the same as the deployed Web App, the access token I retrieve from the initial authorization code flow would be enough to grant the end-user permission to access and use the Web App. However, when I test the Web App by making a call to it via cURL, I am met with a response that says:

Drive
You Need Permission
Want In? Ask for access, or switch to an account with permission. Learn more

You are signed in as end-user@sampledomain.com

Based on the "You are signed in as..." statement, the Web App permission screen does "know" the desktop app's end-user email address.

Is it possible to use the initial access token the end-user retrieved via my desktop app to successfully interface with the deployed Web App? Or, does the end-user need to authorize BOTH the desktop app (to retrieve the Drive Spreadsheet files, etc.) AND the Web App that queries and updates the sheet? I would prefer that the user NOT have to grant permission twice. Is it possible to have the user grant permission to ONLY the desktop app which would also grant permission to the Web App?

If the end user MUST grant permission to both the desktop app and the Web App, I'm not sure how to retrieve an access token from the Web App permission screen. If the end user grants access to the Web App explicitly, does that permission last forever for that particular user's email? I'm not certain we can use an OAuth authorization code flow for a deployed Web App.

Any insight or guidance is appreciated!

  • Can I ask you about your situation? In the situation you tested, are the account of the client and the account of the Web App the same or different? If they are different, did you share the script of the Web App with the client's account (user side)? – Tanaike Feb 03 '20 at 23:21
  • The account of the Web App is different because I did not want the permission screen to show the account of the desktop app. Should I share the App Script with the desktop account owner? – ariestav Feb 03 '20 at 23:22
  • Thank you for replying. Yes. When the accounts of the client and the Web App are different and you want to access the Web App using a script, the GAS project of the Web App must be shared with the client side. This specification was added on April 11, 2018. But if you have users access it through a browser, the GAS project does not need to be shared, because in that case the authorization process runs in the browser. – Tanaike Feb 03 '20 at 23:26
  • @Tanaike Thank you! I will give it a try and report back! – ariestav Feb 03 '20 at 23:27
  • [This information](https://github.com/tanaikech/taking-advantage-of-Web-Apps-with-google-apps-script#4-client-users-access-to-web-apps-using-curl-google-apps-script-and-so-on-which-dont-use-browser) might be useful for your situation. – Tanaike Feb 03 '20 at 23:28
  • @Tanaike okay, so I've run some tests. I shared the GAS project of the Web App with the same owner as my desktop app, but that apparently does not work for all end-users who obtain an OAuth access token for my desktop app. I tested sharing the GAS project with a few end-users and the desktop app worked with the token it retrieves. Does this mean I have to literally share the GAS script with the 1000+ end users that we have who use our desktop app? That seems a bit ridiculous — especially when "Anyone" is set to have access to the GAS project. – ariestav Feb 04 '20 at 15:16
  • Thank you for replying. Although I'm not sure about your actual test situation, when I tested with another account under the conditions `Execute the app as: User accessing the web app` and `Who has access to the app: Anyone`, the GAS project had to be shared in order to access the Web App using a script. So it seems that the specification has not changed. I deeply apologize for Google's specification. – Tanaike Feb 04 '20 at 22:19
  • @Tanaike that seems like overkill, especially if the GAS app is associated with a GCP project that already has a consent screen that defines scopes. Poor implementation on Google’s part. – ariestav Feb 04 '20 at 22:22
  • Although I'm not sure whether this is useful information, for example, if you want to create a file in the user's Google Drive without sharing the GAS project, deploy the Web App with the conditions `Execute the app as: Me` and `Who has access to the app: Anyone, even anonymous`. When the user accesses the Web App, the file is created and shared with the user as an owner. By this, the file is created in the user's Google Drive. By the way, the number of simultaneous users for Web Apps is 30. https://stackoverflow.com/a/50033976/7108653 – Tanaike Feb 04 '20 at 22:35
  • @Tanaike there is no way I would allow end-users to access a Google Apps Script for a commercially available product. That would be devastating for support if the end-user modified the GAS script in any way. We need complete control over the script's architecture and functions. It appears, though, that deploying as an API Executable makes it so that the actual GAS file does not need to be shared. I think this is the solution we'll work with for now. Thanks! – ariestav Feb 04 '20 at 23:34
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/207224/discussion-between-ariestav-and-tanaike). – ariestav Feb 05 '20 at 00:17
  • @ariestav did your issue get solved? – Iamblichus Feb 11 '20 at 10:35
  • Yes, thanks. I believe the way to do this is to publish / deploy the Apps Script as an "Execution API" instead of a "Web App". As an "Execution API" you do not have to grant access or "Share" the script with a user. The difference is that you have to call a specific function with a POST call using the auth token. – ariestav Feb 11 '20 at 14:43
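The API-executable route the thread settles on, as an added example (not code from the question or the comments): it builds the `scripts.run` call to the Apps Script API with the desktop app's own bearer token and sorts the reply, since a script that throws still answers HTTP 200. The script ID, function name and sample replies are placeholders constructed for the example.

```python
import json
import urllib.request
from typing import Any, Dict, List, Optional

RUN_ENDPOINT = "https://script.googleapis.com/v1/scripts/{script_id}:run"


def build_run_request(script_id: str, access_token: str, function: str,
                      parameters: Optional[List[Any]] = None) -> urllib.request.Request:
    """POST that runs `function` in a script deployed as an API executable.

    The desktop app's own bearer token is accepted only if the script is bound
    to the GCP project whose OAuth client issued it and the token carries every
    scope in the script's oauthScopes; the script file need not be shared.
    """
    body = {"function": function, "parameters": parameters or [], "devMode": False}
    return urllib.request.Request(
        RUN_ENDPOINT.format(script_id=script_id), data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"}, method="POST")


def classify_run_response(status: int, body: str) -> Dict[str, Any]:
    """Sort a scripts.run reply: a throwing script still returns HTTP 200 with
    an `error` field in the Operation, so the status code alone is not enough."""
    try:
        op = json.loads(body)
    except ValueError:
        # Non-JSON (an HTML sign-in or "You need permission" page) means the
        # request hit a web-app URL rather than the scripts.run endpoint.
        return {"kind": "not_api", "message": body[:80]}
    if status in (401, 403):
        err = op.get("error", {})
        return {"kind": "auth_error", "status": err.get("status"), "message": err.get("message")}
    if status != 200:
        return {"kind": "http_error", "status": status}
    if "error" in op:
        detail = (op["error"].get("details") or [{}])[0]
        return {"kind": "script_error", "type": detail.get("errorType"),
                "message": detail.get("errorMessage")}
    return {"kind": "ok", "result": op.get("response", {}).get("result")}


# Constructed sample replies (not captured from a real deployment).
SAMPLE_OK = '{"done": true, "response": {"result": ["Sheet1", "Sheet2"]}}'
SAMPLE_SCRIPT_ERROR = ('{"done": true, "error": {"code": 3, "message": "ScriptError", '
                       '"details": [{"errorType": "ScriptError", "errorMessage": '
                       '"No item with the given ID could be found."}]}}')
SAMPLE_DENIED = ('{"error": {"code": 403, "status": "PERMISSION_DENIED", '
                 '"message": "The caller does not have permission"}}')
```

Send the request with `urllib.request.urlopen` and catch `urllib.error.HTTPError` to feed the status and body into `classify_run_response`.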
