I’ve created a Google Apps Script that handles 2 different OAuth connections.
1- Google itself to send mail on behalf of the user and access Google Docs (Google API Console used to get keys, secret)
2- gtraxapp, which is a timesheet cloud-based app. (Script is registered, got a key/secret, etc.)
The script is published as a web app. It works perfectly for my user.
When logged on a different user name, I can authorize Google OAuth without providing different key/secret, and emails will be sent from the actual user.
Problem happens with the 2nd app (gTrax).
Authorization seems to work. Running the function inside the script to authorize leads to a screen asking for permission; gtrax then appears in the account as a registered app (could revoke access if needed).
But, when running the app, I get a message saying I need permission to do this action (UrlFetchApp / simple get)
My question is:
Is it possible that I need to register each user to get a key/secret for everyone (and deal with that in the script)…
Or can OAuth be registered with 1 key/secret?
In other words, are (should) key/secret linked to a single user, or are they only a kind of RSA-like key pair that, when verified, can be used to authorize any user?
My understanding is this. When you use built-in Apps Script functions, like MailApp.sendEmail, the Google Apps Script “environment” takes care of asking the user for authorization (the 1st time he accesses your app) and saves and manages the OAuth tokens for you, so it all runs smoothly.
When you call an external service using UrlFetchApp, the Apps Script OAuth authorization process works differently. The authorization is just a strange popup you get on the script editor, when you actually make the fetch call. It is not processed at “compile time” and asked before you run anything like the other services. But you also do this step only once.
The “gotcha” is that this different authorization process does not work when a user is running the app as a webapp. AFAIK it only works from the script editor itself or running directly from a spreadsheet.
If your users are just a known few, you could advise everybody to open the script editor (or a spreadsheet that contains it) and run a specific function that will just attempt the UrlFetchApp.fetch call so the popup shows up and they authorize it. Once this step is done, they can use the webapp normally. Apps Script will do the magic for you after that.
But if you plan to share this broadly, say at the Chrome Web Store, and don’t want to ask every user to do this somewhat strange step, then you’ll need to manage all the authorization process yourself. It means you’ll have to register your app with the third party service (if it’s Google’s, it’s at the API Console), where you will receive a client id and a client secret. With those you’ll have to place an “Authorize” submit button on your app html that will redirect the users to the 3rd party authorization url, providing the correct scope, etc. When they authorize it, the 3rd party will redirect the user back to your app providing a code token as URL parameter. You’ll use this code to call the 3rd party OAuth service to get the real access and possibly refresh tokens that you’ll have to use on your UrlFetch calls. You’ll be responsible for saving these tokens, refreshing them when they expire and so on. Not a very simple procedure :-/
Oh, and although your app has only one id and secret, the tokens are per user. Which makes sense, since each call you do must be on behalf of a specific user and he *must* have authorized it.
I hope this helps.
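The self-managed flow described in the answer, as an added example that is not part of the original post or of any project's code: one client id/secret for the app, tokens stored and refreshed per user. The endpoint URLs, scope and credentials are placeholders, `store` stands in for a per-user store such as `PropertiesService.getUserProperties()`, `post` stands in for a wrapper around `UrlFetchApp.fetch` that returns parsed JSON, and the `state` check on the callback is an addition the answer does not mention.

```javascript
// Added example: per-user OAuth 2.0 authorization-code handling with one app-wide client id/secret.
// Every value in CFG is a placeholder (assumption), not a real gTrax or Google endpoint.
const CFG = {
  authUrl: 'https://thirdparty.example/oauth/authorize',
  tokenUrl: 'https://thirdparty.example/oauth/token',
  redirectUri: 'https://script.example/callback',
  clientId: 'CLIENT_ID_PLACEHOLDER',
  clientSecret: 'CLIENT_SECRET_PLACEHOLDER',
  scope: 'timesheet.read',
};

// store: per-user key/value store exposing getProperty/setProperty/deleteProperty.
// post(url, form): sends a form-encoded POST and returns the parsed JSON response.
function buildAuthUrl(store, state) {
  store.setProperty('oauth_state', state); // kept so the callback can be tied to this user
  const q = { response_type: 'code', client_id: CFG.clientId,
    redirect_uri: CFG.redirectUri, scope: CFG.scope, state: state };
  return CFG.authUrl + '?' + Object.keys(q).map(k => k + '=' + encodeURIComponent(q[k])).join('&');
}

function saveTokens(store, t, now) {
  store.setProperty('access_token', t.access_token);
  if (t.refresh_token) store.setProperty('refresh_token', t.refresh_token); // keep old one if none returned
  store.setProperty('expires_at', String(now + (t.expires_in || 3600) * 1000));
}

function handleCallback(store, post, params, now) {
  const expected = store.getProperty('oauth_state');
  if (!expected || params.state !== expected) throw new Error('state mismatch');
  store.deleteProperty('oauth_state'); // one-time use
  const t = post(CFG.tokenUrl, { grant_type: 'authorization_code', code: params.code,
    redirect_uri: CFG.redirectUri, client_id: CFG.clientId, client_secret: CFG.clientSecret });
  saveTokens(store, t, now);
}

function getAccessToken(store, post, now) {
  const token = store.getProperty('access_token');
  if (!token) throw new Error('user has not authorized');
  if (now < Number(store.getProperty('expires_at')) - 60000) return token; // still valid
  const t = post(CFG.tokenUrl, { grant_type: 'refresh_token',
    refresh_token: store.getProperty('refresh_token'),
    client_id: CFG.clientId, client_secret: CFG.clientSecret });
  saveTokens(store, t, now);
  return t.access_token;
}
```

The value returned by `getAccessToken` is what goes into the `Authorization: Bearer` header of each fetch call made on that user's behalf.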