Proper and safe Sign-in (login) to Google Apps Script project deployed as web app

Question

I´m working on a Google Apps Script project (can be bound to a Spreadsheet or standalone) that will be deployed as webapp and I want to grant users access based on

• 1) Google Sign-In (some users will be granted access or some will be prevented from access) for some users and
• 2) username/password for the others.

---

1) Google Sign-In

I found it more tricky than I presumed. I expected existence of some simple functions/methods that can make it work like I want with Google guaranteed security level. What I found first was this: https://developers.google.com/identity/sign-in/web/. First it looked very simple, so I tried to implement this code: https://developers.google.com/identity/sign-in/web/build-button, but I´ve got stuck on step after filling content="YOUR_CLIENT_ID.apps.googleusercontent.com". I filled proper CLIENT_ID from Google Cloud Platform section Credentials and tried to sign in into my published project. I got this:

Error: redirect_uri_mismatch

The JavaScript origin in the request, https://n-__________________________________-script.googleusercontent.com, does not match the ones authorized for the OAuth client. Visit https://console.developers.google.com/apis/credentials/oauthclient/___________.apps.googleusercontent.com?project=_____ to update the authorized JavaScript origins.

So I copied the first link, then I put googleuser.comto Authorized domainsand then I pasted the link into Authorized JavaScript origins. But I wasn't allowed to save it and this popped out:

Error

You do not have permission to perform this action.

Tracking Number: c411401060

I don´t know why. A few months ago something similar wasn´t a problem. I suppose it has something to do with Google´s new restricted scopes policy. I tried to make it work for bound and standalone project with no difference in results. So finally (partially because of this schema: https://developers.google.com/identity/sign-in/web/server-side-flow) I came to the conclusion that the whole concept of Sign-In for Websites is not intended to be used in published Apps Script Project.

a) Am I wrong? If not, how can I make it work please?

b) Why I got the Error - Tracking Number: c411401060? Does anybody know?

So I continued looking for solution somewhere else. The most similar question I found is here Google app script web app, how to create a login button?. But it´s over three years old with not very satisfying answers (or I don´t understand them):

c) Do I really have to publish more than one project at the same time to grant access for some users with and for some without google account? Once a user is signed in, how can they be signed out? Isn´t there a simple way how to reliably check users ID or gmail?

d) Does somebody have working example of code? As a beginner I´ll apreciate example very much, because I bet that if there is a simple solution, I´ve already read about it, but i didn´t notice it´s what I need.

---

2) username/password

Although ten years old, I found useful to read this The definitive guide to form-based website authentication. Or at least I didn´t know better article where to start. Links appreciated.

My idea of how to make username/password login is that I´ll make a server side function called by user via google.script.run and the function will check validity of username and password. a) Is it safe? Now when the user is signed in, can I just let the webapp work? I mean user sent a username and password, so the app will just continue working with no other technique involved? b) Or will I make the app safer if after signing in I let some server side function generate a random string which will be sent to a client and serve as a token for a session?

---

Best practices, hints, codes, sources appreciated!

Thank you

Answer 1

May be I can give You answer for the first question .

1) Google Sign-In . Before you begin add this Google Oauth2 link

1B7FSrk5Zi6L1rSxxTDgDEUsPzlukDsi4KGuTMorsTQHhGBzBkMun4iDF

This will solve some login issues

You need to add a new OAuth 2.0 client ID apart from the default Apps Script ID in your cloud console also you should enable required APIs from the API consoles .

In App Script ID you can add this url https://script.google.com/oauthcallback

under Authorized callback urls

After this in your newly created oauth client you can add your script app url like this as redirect url

https://script.google.com/d/projectid/usercallback

After copy paste the client id and client secret of the newly created Oauth into your project .

Answer 2

Bitz Trail answer is unfortunately no longer valid. It is not longer possible to add the origin of a google WebApp in the "Authorized redirect URI" in the "OAuth 2.0 Client IDs"

see this link for more details. Why webapp can no longer use client side authentification

However, in the googleissue tracker, there was a mention of this repo with a full write-up on how to use the server side authentification

<sp...@easton-consulting.com> Jun 4, 2021 - For anyone still struggling with this I moved from client side authentication to a server side OAuth flow. Check out the repo @ https://github.com/googleworkspace/apps-script-oauth2 I launch the login page in a popup box so the flow feels natural to the user. ( check out window,open options ) The only downside is that after accepting the scopes the user is redirected back to the popup box which they have to close, but at least since the redirect is toward your script you can provide a really nice confirmation / on-boarding page.