Authentication issues with apps script Web App

[SA]

I am in the process of developing a google apps script web app designed for school teachers and students. I have deployed a version of the web app with following settings:

Execute as: User accessing the web app

Who has access: Anyone with Google account

My intention is to make this app available to anyone with a google (gmail, or edu/org google account).

The app still has a Publishing status of 'Testing' in the 'OAuth consent screen' settings. I am trying to get a few users test this web app.

Users in my google domain all seem to be able go through the OAuth2 steps, and access it without issues.

Test users with @gmail.com accounts that I have added to the 'Test users' list in 'OAuth consent screen' settings are able to go through the OAuth2 steps, and access it without issues.

BUT, test users that I have added to the 'Test users' list in 'OAuth consent screen' settings that are google EDU domain accounts (not @gmail.com) can not seem to get past the OAuth2 steps they are presented with. I have two such users, from two different google EDU domains, and both have the same exact issue:

• Upon accessing the app URL, they are presented with a google sign in prompt. 
• User clicks on "Review Permissions" to open the OAuth flow in a popup.
• User chooses/confirms the google EDU account they wish to use to sign in.
• Everything normal upto the above step, but on the next screen, they see this message and there is no way to proceed:
  
    Something went wrong
    Sorry, something went wrong there. Try again.
  
  
  The url on the popup at this point starts with https://accounts.google.com/info/unknownerror?access_type=offline&login_hint=xxx

My questions:

• How do I resolve this issue?
• Is this issue specific to just the 'Testing' status, or might this still be an issue with the app when it is published?

Thanks!

SA

[Adam Morris]

Interesting little problem you have. Not sure why edu accounts would have special handling. From the sound of it, “something went wrong” it sounds like there’s a 500 error. So the issue is on google side. Your best bet would to engage the verification team or addon peeps. 

But I wonder if the problem has something to do with driveapp? Are you using it? What scopes does your script use?

--
You received this message because you are subscribed to the Google Groups "Google Apps Script Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-script-c...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/8b387ef3-5028-4c42-a661-e85c6278897cn%40googlegroups.com.

--

http://classroomtechtools.com

[SA]

Yes - cought me completely off-guard when a couple of the users said they couldn't sign in.

The apps script uses these scopes:

    "https://www.googleapis.com/auth/drive",

    "https://www.googleapis.com/auth/script.external_request",

    "https://www.googleapis.com/auth/forms",

    "https://www.googleapis.com/auth/userinfo.email",

    "https://www.googleapis.com/auth/userinfo.profile"

[Alan Wells]

You could create a very basic web app with nothing more than the same publish settings,

the most minimal html possible, and just one scope.

Don't even add any code that uses the scope.

Publish it for public use instead of in Testing mode, and have your testers try to authorize it.

That would tell you if there is some kind of restriction in Testing mode.

If you make the web app very minimal so that has no capability to run sensitive code,

then there isn't any concern about making it public.

Make it so that it's harmless to open and authorize.

[dimud...@gmail.com]

Google Admins can control which apps or extensions users can install, so maybe your test users under an edu domain need to ask their Admin to grant them permission to install your app. 

[SA]

I've confirmed that it is a 500 error from the google endpoint https://accounts.google.com/_/signin/oauth?authuser=0&hl=en&_reqid=xxx

AJ - thanks for the tip - will have to try that.

dimud...@gmail.com: I see where an admin could whitelist marketplace apps - but mine's not in the marketplace. It does have a google cloud project ID though. Is there a place in domain admin where an admin could whitelist by GCP project ID?

[Andrew Roberts]

I see you are using Drive scope. If you've got an associated Google Cloud Project ensure the Drive API is enabled. 

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/ac33ff45-043c-40a6-b2b1-b0ee74fac431n%40googlegroups.com.

[SA]

AJ: thanks for this! The issue - at least with one of the two external EDU test users - was because the app was still in Testing status. After I published the app, one of the users can now complete the OAuth flow.

The other user can also now get past that step, but seems to be having a different issue that is not letting them complete the OAuth flow. Will post back here if I learn anything interesting out of that one.

The takeaway is: External EDU/domain (non-gmail) users cannot complete google OAuth on a Google Apps Script Web App while it is in Testing status, even though they are added to the list of Test Users in the 'OAuth consent screen' settings. You need to Publish the app!

[Alan Wells]

Good information to know.  Thanks for letting us know.

[Kim Nilsson]

A Workspace admin can limit access to Workspace services in Security / API Controls.

Then they have to specifically Trust your ClientID to allow users to complete the oauth.

But the error message looks very different from what you saw.

It's very obvious that the admin needs to allow the script, if such a restriction is in place.

Also, it's not specific for EDU, though very common for EDU admins to use the restriction setting.

[CBM Services]

Perhaps what might force a refresh of the display of these sheets is to hide the sheet do a flush then to show them and do a flush again.

Just throwing out suggestions.

---

From: 'Kim Nilsson' via Google Apps Script Community
Sent: ‎2021-‎03-‎20 3:55 AM
To: Google Apps Script Community
Subject: Re: [Apps-Script] Authentication issues with apps script Web App

--

You received this message because you are subscribed to the Google Groups "Google Apps Script Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-script-c...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/acbf59f6-ca68-4fd7-af21-754c334acc6fn%40googlegroups.com.