Oleksiy Rudenko

Reputation: 133

How to narrow down the auth/drive scope for a google apps script?

I've built a google apps script web application. For Google Drive related features the application requires auth/drive.install (to integrate with Drive UI) and auth/drive.file (to store some data associated with a file in the related file properties) scopes. Other scopes are auth/urlshortener, auth/userinfo.email, and auth/userinfo.profile. The two latter are required for auth purposes, as far as I understand.

The above scopes are specified at oauth dance within the app. However, at app installation the following scopes are presented to a user:

This correlates with scopes from the script properties.

5 OAuth Scopes required by the script:

https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/script.external_request
https://www.googleapis.com/auth/script.scriptapp
https://www.googleapis.com/auth/script.storage
https://www.googleapis.com/auth/urlshortener

Obviously, auth/drive and auth/urlshortener are added as a result of using Advanced Google Services, which are turned on in both the GAS IDE (Resources > Advanced Google services) and the Developer's Console.

The GAS IDE doesn't allow specifying any scope narrower than e.g. auth/drive. The Google Apps Marketplace SDK configuration in the Developer's Console doesn't allow adding any specific scopes for some reason. Actually, it allows adding but doesn't save any.

The problem:

Recently Google introduced a review procedure for OAuth clients requesting sensitive OAuth scopes, and auth/drive is definitely one of them.

I do not need the entire auth/drive scope and also I do not want users seeing anything like this: This app isn't verified

Is there a way to narrow down the drive scope via GAS IDE or Developer's Console?

The script itself doesn't employ any auth/script_* functionality. Those were added somehow implicitly since I employed node google apps script module for development. I don't need user's permission for those. How to get rid of that?

Any workarounds?

Upvotes: 3

Views: 2619

Answers (2)

Nikhil VJ

Reputation: 6122

Chosen answer is great but didn't work in my use case: reading data from a spreadsheet. I found another solution:
https://developers.google.com/apps-script/guides/services/authorization#manual_authorization_scopes_for_sheets_docs_slides_and_forms

Put this at the top of your main script file (Code.gs or other):

/**
 * @OnlyCurrentDoc
 */

You don't need to go into the manifest etc after this, but you can still put this in the manifest to keep a tight lid:

"oauthScopes": ["https://www.googleapis.com/auth/spreadsheets.currentonly"]

Why the oauthScopes - readonly way didn't work for me

My script was only reading data from the spreadsheet. I was using this function:

 SpreadsheetApp.getActiveSpreadsheet()

When I put a read-only scope as advised in the chosen answer, I got an error on the app page saying that function can't work with a read-only scope, it needs full access. On top of that, when launching the app with a first time user, before the actual permissions-taking screen there's a scary danger page saying the app isn't verified yet by google and giving a blue "take me back to safety" button. That's sure to scare off most users! To get through, user has to click a small text link on lower left that isn't very intuitive. This same alert was there earlier too without the auth scoping; it still persisted because the app was still asking the user's permission to read ALL their google spreadsheets. (so basically the oauthScopes didn't solve my problem, and made my app error out)

But when I put those @OnlyCurrentDoc lines at top of the code instead of doing oauthScopes, then the script gave up on trying to get access to the user's everything, and now even the scary "unverified" page is gone. I just need to ensure that the user has read access to the original spreadsheet, and the app link works for them with a much less intrusive permission-ask: see this screenshot:

shot

And it can't edit the original spreadsheet anyway, then, because the user's credentials have only read access to it.


Additional tip: Publish settings:

Execute the app as: User accessing the web app

Who has access to the app: Anyone

What that translates to: when a user visits the app's URL, they will need to use their own login credentials, not yours. And the app will work for them only if their account has been given access to the underlying data.

Upvotes: 2

Andrew

Reputation: 321

Just dealing with this myself.

I found the following references from Google helpful https://developers.google.com/apps-script/concepts/scopes ("Setting explicit scopes" option) and https://developers.google.com/apps-script/concepts/manifests

Summary: You have to edit the appsscript.json manifest file. This isn't visible by default in your file list. Click on menu "View"->"Show manifest file" to make it so.

Then add an "oauthScopes" section to the manifest with an array containing the scopes you find under menu "File"->"Project properties" in the "Scopes" tab (of course make it a proper JSON array). Pare down the excess scopes and/or swap out for less permissive scopes (readonly instead of full access, etc).

Upvotes: 5
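
The manifest edit described in the answer above can be checked mechanically. The following is an added example, not code from any poster in this thread: a Node.js audit of a manifest's "oauthScopes" array against the scopes the question says the app needs. The function names, the sample manifests and the parent/child naming heuristic are assumptions made for illustration.

```javascript
// Added example: audit the "oauthScopes" array of an appsscript.json
// manifest against the scopes the app actually needs.
const P = "https://www.googleapis.com/auth/";

// What the asker says the web app needs (taken from the question).
const REQUIRED = ["drive.file", "drive.install", "urlshortener",
                  "userinfo.email", "userinfo.profile"].map((s) => P + s);

// Constructed manifests: "before" pins the five auto-detected scopes listed
// in the question; "after" is the pared-down version.
const before = {
  timeZone: "Etc/UTC",
  oauthScopes: ["drive", "script.external_request", "script.scriptapp",
                "script.storage", "urlshortener"].map((s) => P + s),
};
const after = { timeZone: "Etc/UTC", oauthScopes: REQUIRED };

// Naming heuristic (assumption): ".../auth/drive" is the broad parent of
// ".../auth/drive.file", ".../auth/drive.readonly", and so on.
function isBroaderThan(broad, narrow) {
  return narrow.startsWith(broad + ".");
}

function auditManifest(manifest, required) {
  const declared = manifest.oauthScopes;
  if (!Array.isArray(declared)) {
    // No explicit list: Apps Script auto-detects scopes, nothing to audit.
    return { explicit: false, excess: [], missing: [], tooBroad: [] };
  }
  const excess = declared.filter((s) => !required.includes(s));
  const missing = required.filter((s) => !declared.includes(s));
  // Excess scopes that a narrower required scope could replace.
  const tooBroad = excess
    .map((s) => ({ scope: s,
                   narrowerNeeded: required.filter((r) => isBroaderThan(s, r)) }))
    .filter((f) => f.narrowerNeeded.length > 0);
  return { explicit: true, excess, missing, tooBroad };
}

console.log(JSON.stringify(auditManifest(before, REQUIRED), null, 2));
console.log(JSON.stringify(auditManifest(after, REQUIRED), null, 2));
```

Removing a scope reported as excess is only safe when the script never calls a service that needs it; otherwise the call fails at run time with an authorization error.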
