Issue when downgrading Drive access scope


Faustino Rodriguez

May 28, 2019, 11:42:04 AM
to Google Apps Script Community
We did an update to a Sheets add-on, limiting the Drive scope from auth/drive to auth/drive.file
- After publishing the add-on and updating the scopes in both GSM SDK configuration and GCP OAuth consent screen
- We got the Verification granted and the add-on published
- All looking good everywhere !!

BUT now previous users that reauthorized the add-on's new/limited scopes are getting a Google email alert that says:
"Some apps or services you allowed to access your Google Account have not been verified by Google. Since they have extensive access to your personal information, you should remove their access unless you trust them."

+ also, when they go to the Security Checkup (Take Action button), they still see the OLD full Drive access alongside the NEW limited scope, when they should only see the limited drive.file scope
- See, edit, create, and delete all of your Google Drive files
- View and manage Google Drive files and folders that you have opened or created with this app
Plus the "Unverified developer" warning

In short
- Google is not updating the new authorized scopes on the client side 
- And also considering the add-on/developer as unverified

Has that happened before to anyone here?

New users are getting the new scopes without any problem, as expected.

p.s. I already asked about this issue at api-oauth-dev-verification@ (replying to the verification-granted message), but I am still waiting

See some screenshots below


Eric Koleda

May 29, 2019, 10:18:33 AM
to Google Apps Script Community
Is this only happening for existing users that are approving the new scopes? I think what might be happening is that Google stores a record of all the scopes the user has approved for an application. If you request any new scopes, those are appended to the list. Requesting access to the new drive.file scope doesn't remove access to the drive scope. However, since your application is no longer approved for the full drive scope, it now shows these warnings.

What you might want to do is have a "relink" option in your application that first revokes the old token (removing all previously granted scopes) and then puts the user into the OAuth flow for your new set of scopes. You can revoke a token programmatically using the process here:


- Eric

Faustino Rodriguez

May 29, 2019, 11:09:44 AM
to Google Apps Script Community
Yes, it is only happening for existing users that are approving the new scopes
- Your explanation is most likely what is happening
- However, if that's the case, I believe that's a fundamental glitch in the Google OAuth workflow

We have to set the scopes in three (3) places: the script manifest, the GSM SDK Configuration and the GCP OAuth consent screen
- And the scopes have to be the same in the three places, otherwise the verification is not granted nor the add-on published
- How is it then possible that Google keeps a scope that is no longer authorized, nor included in any of those 3 places?
- That's a problem, isn't it?

I might not want to try your suggestion about revoking the OAuth token for the add-on users and bringing them to the authorization workflow
- How would I know if the user has the old scope (/drive) or not?
- It would be an endless circular process, unless I ask every user to check on his account and revoke if still there, etc

Otherwise, it is something that Google should fix

Could you please help us by passing this issue internally to the appropriate team?

p.s. I still have not received an answer to my email to api-oauth-dev-verification@

Eric Koleda

May 29, 2019, 11:52:45 AM
to google-apps-sc...@googlegroups.com
I agree that this isn't a great situation, but it's also unclear what the fix would be. I'll raise the issue with the OAuth verification team, but I wouldn't expect an automated fix in the near term.

You can determine what scopes a given token has by using the /tokeninfo endpoint:


This will only show you the scopes granted for that token, not all the scopes your application has been granted. If you find a user has the full drive scope, you revoke the token and put them back into the auth flow. You could also experiment with just leaving users with the full drive scope as-is, but that just kicks the can down the road until a future where you need to put them through an auth flow (to grant a new scope, etc).

- Eric

--
You received this message because you are subscribed to a topic in the Google Groups "Google Apps Script Community" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-script-community/HhQfQDsbPN8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-script-c...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-script-community.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/8a660028-8cc1-4c93-a50c-f712aca236ba%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Faustino Rodriguez

May 29, 2019, 2:48:55 PM
to Google Apps Script Community
Thanks @Eric (never stop learning)

I already managed to get the scopes granted for the current token and also to revoke the token if including the old/full drive scope
What I don't know how to do is "put them back into the auth flow"
- After revoking the token, I tried calling another script function to trigger the OAuth, but it just runs fine

How can I "put them back into the auth flow" after revoking the token?

Thanks, Fausto

Eric Koleda

May 29, 2019, 2:57:59 PM
to google-apps-sc...@googlegroups.com
I was thinking of a generic web app, and forgot this was an apps script forum :-P You may have to call ScriptApp.invalidateAuth() first to discard the current access token. Then the next time they run the add-on / web app it should put them in the auth flow.

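The scope check from Eric's /tokeninfo reply above and the relink step from his ScriptApp.invalidateAuth() reply, combined into one added example. This is not code from the thread or from any add-on discussed here. The Apps Script calls (ScriptApp.getOAuthToken, UrlFetchApp.fetch, ScriptApp.invalidateAuth) are passed in as callbacks so the decision logic runs and can be tested outside Apps Script; the REQUESTED_SCOPES list (spreadsheets plus drive.file) is an assumed manifest; and the tokeninfo responses are constructed samples in the shape of the v2 endpoint, not captured from Google. One caveat from later in the thread: Faustino reports that a token can already show only drive.file while Security Checkup still lists the full Drive grant, so this check only catches users whose token really still carries the stale scope; it does not replace the user removing access at myaccount.google.com/permissions and re-authorizing.

```javascript
// Added example, not from the thread: detect a scope the add-on no longer requests
// on the current token and force a re-consent. Apps Script services are injected
// as callbacks so the logic runs (and is testable) in plain Node.

const TOKENINFO_URL = 'https://www.googleapis.com/oauth2/v2/tokeninfo';

// Assumed current manifest of the add-on: full Drive is no longer requested.
const REQUESTED_SCOPES = [
  'https://www.googleapis.com/auth/spreadsheets',
  'https://www.googleapis.com/auth/drive.file',
];

// Parse a tokeninfo JSON body. A bad or expired token comes back as {"error": ...}.
function parseTokenInfo(json) {
  const info = JSON.parse(json);
  if (info.error) {
    return { ok: false, error: info.error, scopes: [] };
  }
  const scopes = (info.scope || '').split(' ').filter(Boolean);
  return { ok: true, scopes, expiresIn: Number(info.expires_in) };
}

// Scopes present on the token that the add-on no longer asks for.
function staleScopes(scopes, requested = REQUESTED_SCOPES) {
  const wanted = new Set(requested);
  return scopes.filter((s) => !wanted.has(s));
}

// Relink flow: if the token carries a stale scope, invalidate it so the next run
// re-enters the OAuth consent flow with only the current scopes.
function relinkIfOverScoped({ getToken, fetchText, invalidate, requested = REQUESTED_SCOPES }) {
  const token = getToken();
  // The access token travels in the query string here, as in the thread's snippet;
  // keep the fetch on HTTPS and never log the URL.
  const url = `${TOKENINFO_URL}?access_token=${encodeURIComponent(token)}`;
  const info = parseTokenInfo(fetchText(url));
  if (!info.ok) {
    // Token already invalid: the next run will prompt for consent anyway.
    return { action: 'reauthorize', reason: info.error, stale: [] };
  }
  const stale = staleScopes(info.scopes, requested);
  if (stale.length === 0) {
    return { action: 'none', stale };
  }
  invalidate();
  return { action: 'relink', stale };
}

// Constructed tokeninfo bodies (shape of the v2 endpoint; all values made up).
const SAMPLE_OVERSCOPED = JSON.stringify({
  issued_to: '1234.apps.googleusercontent.com',
  audience: '1234.apps.googleusercontent.com',
  scope: [
    'https://www.googleapis.com/auth/spreadsheets',
    'https://www.googleapis.com/auth/drive',
    'https://www.googleapis.com/auth/drive.file',
  ].join(' '),
  expires_in: 3599,
  access_type: 'online',
});
const SAMPLE_CLEAN = JSON.stringify({
  issued_to: '1234.apps.googleusercontent.com',
  audience: '1234.apps.googleusercontent.com',
  scope: REQUESTED_SCOPES.join(' '),
  expires_in: 3599,
  access_type: 'online',
});
const SAMPLE_INVALID = JSON.stringify({ error: 'invalid_token', error_description: 'Invalid Value' });

// Fake Apps Script environment that records what the flow did.
function fakeEnv(responseJson) {
  const calls = [];
  return {
    calls,
    getToken: () => 'ya29.constructed-sample-token',
    fetchText: (_url) => { calls.push('fetch'); return responseJson; },
    invalidate: () => { calls.push('invalidateAuth'); },
  };
}

// In Apps Script, wire the real services instead:
//   relinkIfOverScoped({
//     getToken: () => ScriptApp.getOAuthToken(),
//     fetchText: (url) => UrlFetchApp.fetch(url).getContentText(),
//     invalidate: () => ScriptApp.invalidateAuth(),
//   });

const demo = relinkIfOverScoped(fakeEnv(SAMPLE_OVERSCOPED));
console.log(demo); // { action: 'relink', stale: [ 'https://www.googleapis.com/auth/drive' ] }
```

After invalidate() the current execution keeps running, but the next time the user opens the add-on Apps Script prompts for consent again with only the scopes in the current manifest, which is the "put them back into the auth flow" step Eric describes.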

Faustino Rodriguez

May 29, 2019, 3:13:48 PM
to Google Apps Script Community
Great, easier that way
- I might have to include a warning message to improve the user experience, if I go this way

Otherwise,
- I got a reply back from api-oauth-dev-verification@
- They asked me to Submit again for verification
- But the "Submit for verification" button in the GCP OAuth consent screen is disabled (grayed-out) because there is no change in the scopes
(I tried removing the drive.file and putting it back, but it stays disabled)

May I forward you that email conversation, to see if you can bring some light to this matter?

Edward Wu

May 29, 2019, 6:23:21 PM
to google-apps-sc...@googlegroups.com
Has anyone else been experiencing "weirdness" with Apps Script executions and Execution Logs in the past few weeks?

I have a bunch of Google Apps Scripts connected to Sheets (i.e. not standalone) that do fairly simple things, like send emails with cell values, copying data from one Sheet to another, etc.

From maybe 3 weeks ago, the Executions log (I'm talking about the one where, from the Script Editor, you go to the View - Executions menu) will show Durations of either 0s or e.g. 208443.006s (I'm not exaggerating!) and Statuses of Unknown (for the 0s ones) or Running (for the crazy duration ones).

The Executions log will show this regardless of whether the scripts ran on a trigger or manually. And these are all scripts that have been running perfectly fine for at least a few months.

I've actually been ignoring this, since they all seem to run (and I figured that the problem is on Google's end), but in the past few days, I'm encountering a few scripts that *don't* appear to have run successfully on trigger, but run successfully manually, regardless of what the Execution window is showing.

So has anyone else experienced this? Is there anything *I* can do to fix this?

Ed

Eric Koleda

May 30, 2019, 2:18:51 PM
to Google Apps Script Community
Hi Fausto,

Sure, feel free to forward me the details and I'll see what I can do.

- Eric

Faustino Rodriguez

May 30, 2019, 3:10:22 PM
to Google Apps Script Community
Thanks @Eric for all your help !!
(Just sent you the whole conversation)

Darren D'Mello

May 30, 2019, 8:46:34 PM
to google-apps-sc...@googlegroups.com
I have experienced the same issues. I was told to resubmit for verification. 


Faustino Rodriguez

May 30, 2019, 8:51:48 PM
to Google Apps Script Community
I was told that too,
- But the "Submit for verification" button in the GCP OAuth consent screen is disabled (grayed-out) because there is no change in the scopes
- Having the same scopes that were approved, keeps the Submit button disabled

How did you manage to get it active?

Darren D'Mello

May 30, 2019, 8:54:51 PM
to google-apps-sc...@googlegroups.com
Mine is still showing gray. I am awaiting response from oauth team... 


Faustino Rodriguez

Jun 6, 2019, 6:50:21 PM
to Google Apps Script Community
Hi @Eric
I finally did as you suggested: detecting if the full auth/drive is included in the token and revoking it if that was the case, then suggesting that the user reload ...

The problem is that scope is not in the token:
- the tokenInfo.scope only has auth/drive.file, so I cannot revoke it
- BUT the user's security checkup keeps showing the risky access, the full drive scope and the unverified developer
- but the actual token does not include that full scope at all

Is there any chance that Google fixes this critical issue?
Please, Help!!

This is part of the code (pseudo) I am using

    // Ask the tokeninfo endpoint which scopes the script's current token carries.
    function checkForStaleDriveScope() {
      var token = ScriptApp.getOAuthToken();
      var tokenInfoEndpoint = "https://www.googleapis.com/oauth2/v2/tokeninfo?access_token=" + token;
      var response = UrlFetchApp.fetch(tokenInfoEndpoint).getContentText();
      var tokenInfo = JSON.parse(response);
      var scopes = tokenInfo.scope.split(" ");

      // If the old full-Drive scope is still on the token, warn the user and
      // discard the token so the next run goes through the OAuth flow again.
      if (scopes.indexOf("https://www.googleapis.com/auth/drive") > -1) {
        var message = "Please reload the add-on and authorize it again."; // wording is the add-on's own
        showWarning("Authorization is required", message); // add-on's own UI helper
        ScriptApp.invalidateAuth();
      }
    }


The scopes returned for this user are as follows (same as declared in the script manifest, GSM SDK and GCP API consent screen)

Faustino Rodriguez

Jun 17, 2019, 12:00:04 PM
to Google Apps Script Community
Hi @Eric
Any update on fixing this issue from Google side?

- considering it cannot be fixed from the developer side
- and the current requirement to downgrade from drive to drive.file
- this is becoming critical for us

I cannot measure the damage this issue is creating, but I guess a user that receives that kind of security warning from Google won't feel too comfortable using this add-on

Eric Koleda

Jun 19, 2019, 9:55:28 AM
to google-apps-sc...@googlegroups.com
Sorry for the delay, I haven't made any progress on this. Let me escalate this issue and see what we can find out.

- Eric


Eric Koleda

Jun 19, 2019, 10:11:05 AM
to google-apps-sc...@googlegroups.com
While I wait to hear back from the OAuth team, one other possible workaround would be to try to access the user's root Drive folder and see if that succeeds. If it succeeds then they have the full drive scope, and if it fails then they don't.

- Eric

Faustino Rodriguez

Jun 19, 2019, 12:17:04 PM
to Google Apps Script Community
Thanks @Eric for escalating this issue with the OAuth team

On trying "to access the user's root Drive folder", I believe that won't help
- As I have tested with a few users showing the risky access in the security checkup page
- The script OAuth token doesn't have the full drive access, just the drive.file

Also, accessing the user's root Drive folder with just drive.file doesn't throw any errors
- At least as I tested by listing the files under root
- It just returns any files there created by the app/user (or selected by the Picker) or returns empty if none of those


Thanks again



Robert Gagliano

Jun 20, 2019, 7:36:42 PM
to Google Apps Script Community
Hi Faustino, 

I have had the odd user complain of this also, but have never been able to determine the problem. I wonder what happens if we ask the end user to manually revoke the permission from https://myaccount.google.com/permissions then re-authorize the application again. In theory, this should invalidate / clear any old authorizations from Google side also. So, I wonder if it would still show the 'risky access' warning after this...

Regards
Robert

Faustino Rodriguez

Jun 20, 2019, 8:12:05 PM
to Google Apps Script Community
If the user manually revokes/removes access either from permissions or from the checkup's third-party list, the issue will get fixed
- when the user reloads the (add-on) script and reauthorizes, there won't be any more warnings in their account
- I can confirm that I have seen/done that with a few users already
- Also, that the actual OAuth token in the script only includes the drive.file scope
- It is somewhere else that Google is not updating the new authorized scopes, keeping the already invalid full drive scope in that list

I did an announcement and put a note on the support page about this issue, explaining that the only way to remove that warning is removing access and reauthorizing again on next load

Robert Gagliano

Jun 20, 2019, 8:50:37 PM
to google-apps-sc...@googlegroups.com
Interesting. Thanks Faustino for sharing your experience. 

