Reputation: 25
So I've spent the last couple of months creating an Editor add-on and getting it verified. It is now published as "Unlisted"; however, I can't get some crucial elements to work. Hopefully somebody can help solve this.
In short, my add-on has a Web App deployment used to integrate with a Telegram bot. It is presumed that whatever information a user sends to the bot then gets processed and reflected in a spreadsheet in some way.
It was working flawlessly in a contained version of the script before I decided to make it into a stand-alone add-on; however, now it won't really work when other users try to use it. I presume that is because my Web App is executed as "Me" (script owner), and "me" doesn't have access to the end users' spreadsheets (as it should be). So, the integration works nicely until it's time to perform SpreadsheetApp.openById(sheetId) - then it fails with an error:
Exception: You do not have permission to access the requested document.
For the app's development I use clasp - a tool that helps integrate a local IDE with GAS. This tool requires authorization, which it requests by generating a link like this:
https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fscript.deployments%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fscript.projects%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fscript.webapp.deploy%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.metadata.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fservice.management%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Flogging.read%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform&response_type=code&client_id=XXXXXXXXXXXX&redirect_uri=http%3A%2F%2Flocalhost%3A54470
By following this link, I end up on the OAuth screen, where I choose my account and give this app access to act on my behalf. I believe it uses the ID from the Credentials screen, and I figured that if I could generate a link like this for my Web App and give it to a user to perform authorization, then the system could work.
Now, it's only a matter of understanding how to create such a link, what ID to use, and how to make sure that my Web App is launched with the authorization provided.
Perhaps there are other solutions too? Service account? I'm very open to ideas.
PS: I know this has been answered in one way or another, but I was unable to find a case that would explain how to achieve the result in my setup (which is pure GAS, a web app and a Telegram bot hooked up to it). Being a beginner developer, I was unable to fit those recommendations to my case. I would appreciate any advice!
Upvotes: 1
Views: 282
Reputation: 50472
You can provide a menu asking for authorization which, when done, would share the current sheet with your service account's email. You can then use the service account credentials to access the sheet through the Sheets API. Do take special care to avoid leaking the credentials.
Access tokens will expire every hour, but you can use installed triggers to store the token retrieved from ScriptApp.getOAuthToken to script properties. This can then be retrieved from anonymous web app executions, as they share script properties. However, I believe this opens up multiple attack scenarios and I wouldn't recommend this from a security perspective.
Upvotes: 2
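The answer's first suggestion (a menu that shares the user's sheet with a service account, and a web app that writes through the Sheets API with the service account's credentials) as an added Apps Script example; this is not code from the question or the answer. The Script Property names, the /link pairing command, the `token` query parameter on the webhook URL and the range Sheet1!A:D are assumptions. It runs in the Apps Script V8 runtime; the pure helpers at the top also run under Node.

```javascript
// Added example: Editor add-on + Telegram webhook using a service account.
// Assumed: the owner stores the service account's email and private key ("private_key"
// from its JSON key file) in Script Properties; they never appear in source.
const SA_EMAIL_PROP = 'SA_EMAIL';
const SA_KEY_PROP = 'SA_PRIVATE_KEY';
const WEBHOOK_TOKEN_PROP = 'TELEGRAM_WEBHOOK_TOKEN'; // random value put in the webhook URL
const SHEETS_SCOPE = 'https://www.googleapis.com/auth/spreadsheets';

// ---- pure helpers (no Apps Script globals) ----
// Claim set for the RFC 7523 JWT-bearer grant; Google caps exp at iat + 3600.
function serviceAccountClaims(saEmail, nowSec) {
  return { iss: saEmail, scope: SHEETS_SCOPE,
           aud: 'https://oauth2.googleapis.com/token', iat: nowSec, exp: nowSec + 3600 };
}

// Sheets API v4 values.append request for one row. RAW means cell text is never
// parsed, so a message starting with "=" cannot become a formula in the user's sheet.
function appendRowRequest(spreadsheetId, range, row) {
  const url = 'https://sheets.googleapis.com/v4/spreadsheets/' + encodeURIComponent(spreadsheetId)
    + '/values/' + encodeURIComponent(range)
    + ':append?valueInputOption=RAW&insertDataOption=INSERT_ROWS';
  return { url: url, payload: { values: [row] } };
}

// Telegram update -> [isoDate, chatId, senderName, text]
function telegramUpdateToRow(update) {
  const msg = (update && update.message) || {};
  const from = msg.from || {};
  return [new Date((msg.date || 0) * 1000).toISOString(), msg.chat ? String(msg.chat.id) : '',
          [from.first_name, from.last_name].filter(Boolean).join(' '), msg.text || ''];
}

// "/link ABCD1234" -> "ABCD1234"; anything else -> null
function parseLinkCommand(text) {
  const m = /^\/link\s+([A-Z0-9]{8})\s*$/.exec(text || '');
  return m ? m[1] : null;
}

// ---- Apps Script side ----
function onOpen() {
  SpreadsheetApp.getUi().createAddonMenu()
    .addItem('Connect Telegram bot', 'shareWithServiceAccount').addToUi();
}

// Runs as the end user from the add-on menu: shares *their* spreadsheet with the
// service account and issues a one-time pairing code. Only spreadsheet ids go into
// Script Properties here, never tokens.
function shareWithServiceAccount() {
  const props = PropertiesService.getScriptProperties();
  const ss = SpreadsheetApp.getActiveSpreadsheet();
  ss.addEditor(props.getProperty(SA_EMAIL_PROP));
  const code = Utilities.getUuid().replace(/-/g, '').slice(0, 8).toUpperCase();
  props.setProperty('PAIR_' + code, ss.getId());
  SpreadsheetApp.getUi().alert('In Telegram, send the bot: /link ' + code);
}

function b64url(data) { return Utilities.base64EncodeWebSafe(data).replace(/=+$/, ''); }

// Mints a one-hour access token for the service account; the private key never leaves
// the script. A real deployment would cache the token in CacheService for its lifetime.
function serviceAccountToken() {
  const props = PropertiesService.getScriptProperties();
  const claims = serviceAccountClaims(props.getProperty(SA_EMAIL_PROP), Math.floor(Date.now() / 1000));
  const input = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(claims));
  const sig = Utilities.computeRsaSha256Signature(input, props.getProperty(SA_KEY_PROP));
  const res = UrlFetchApp.fetch('https://oauth2.googleapis.com/token', {
    method: 'post',
    payload: { grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', assertion: input + '.' + b64url(sig) },
  });
  return JSON.parse(res.getContentText()).access_token;
}

// Telegram webhook, deployed "execute as Me, accessible to anyone". doPost receives no
// request headers, so Telegram's secret_token header cannot be checked; the webhook URL
// carries a random token in its query string instead (e.parameter.token).
function doPost(e) {
  const props = PropertiesService.getScriptProperties();
  if (!e || !e.parameter || e.parameter.token !== props.getProperty(WEBHOOK_TOKEN_PROP)) {
    return ContentService.createTextOutput('forbidden');
  }
  const row = telegramUpdateToRow(JSON.parse(e.postData.contents));
  const chatKey = 'CHAT_' + row[1];
  const code = parseLinkCommand(row[3]);
  if (code) {  // bind this chat to the sheet that generated the code, then burn the code
    const sheetId = props.getProperty('PAIR_' + code);
    if (sheetId) { props.setProperty(chatKey, sheetId); props.deleteProperty('PAIR_' + code); }
    return ContentService.createTextOutput(sheetId ? 'linked' : 'unknown code');
  }
  const spreadsheetId = props.getProperty(chatKey);
  if (!spreadsheetId) return ContentService.createTextOutput('not linked');
  const req = appendRowRequest(spreadsheetId, 'Sheet1!A:D', row);
  UrlFetchApp.fetch(req.url, {
    method: 'post', contentType: 'application/json',
    headers: { Authorization: 'Bearer ' + serviceAccountToken() },
    payload: JSON.stringify(req.payload),
  });
  return ContentService.createTextOutput('ok');
}
```

The web app still runs as the owner, but it never calls SpreadsheetApp.openById on a user's file: the user's own session grants the service account editor access, and the webhook writes only to the spreadsheet a chat was paired with through a one-time code. Script Properties hold spreadsheet ids and the pairing table, not OAuth tokens, which is what keeps this away from the token-caching variant the answer warns against; the service account key itself is the one secret in Script Properties and should be treated accordingly (rotate it, and keep the add-on's user-facing code from ever returning it).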