OAuth 2.0 Token Revocation


Andrew Apell

Aug 26, 2019, 6:24:14 AM
to google-apps-sc...@googlegroups.com

Can someone please explain this to me in the simplest way possible? https://tools.ietf.org/html/rfc7009

Google sent me that link neatly tied with this bow:

If you have exceeded or will exceed the active users threshold with your continued testing of listed accounts, we advise that you programmatically revoke your unused grants. This will reduce active users to the <60% threshold. (Please refer to this OAuth 2.0 Token Revocation documentation for guidance on managing credentials.)

More importantly, how do I implement this?

EDIT:
On a related matter... Google has now blocked my add-on from accepting new installations but they want me to send a video demonstrating "how to log into my project" etc.
This is highly confusing and frustrating. Is there a way I can get them to unlock it for me (as the developer) to fulfil these requirements???

Dimu Designs

Aug 26, 2019, 6:51:38 AM
to google-apps-sc...@googlegroups.com
See Revoking a Token.

Click the "OAuth 2.0 Endpoints" tab in the above link and you'll see the following endpoint listed:

"https://accounts.google.com/o/oauth2/revoke?token={token}"

You can send an HTTP GET request to that endpoint via UrlFetchApp.fetch() with a user's access token as a URL variable to revoke their access to your add-on or web-app.

Andrew Apell

Jun 25, 2020, 4:54:02 PM
to Google Apps Script Community
Gurus! I'm back to this issue.
I need to revoke an access token but cannot figure out how to get it in the first place.
Can anyone throw me some pointers?

Andrew Roberts

Jun 26, 2020, 3:20:16 AM
to google-apps-sc...@googlegroups.com
ScriptApp.getOAuthToken()


Andrew Apell

Jun 26, 2020, 4:27:46 AM
to Google Apps Script Community
Thanks Andrew.
For some reason I wrongly assumed every user had their own token... I will try this out.

Andrew Roberts

Jun 26, 2020, 5:43:54 AM
to google-apps-sc...@googlegroups.com
I think they do have their own token which is created when they've gone through the auth flow.

Adam Morris

Jun 26, 2020, 7:52:04 AM
to Google Apps Script Community
Hi everyone,

I’m not sure what the context is, but the standards document is written for the implementation of the revocation routines.

What the application developer needs to understand about the process is as follows:

* Users get some unique tokens, which will expire at some point in the future
* They might expire either because of a time limit or for some other reason
* When they expire, a new token must be generated in order to work

In Apps Script, that just means that as long as we use the API method already shared by Andrew, we can get the refreshed token (if the old one expired) or the old one if it is still valid. We aren't meant to store it anywhere and reuse it later. We have to keep using that method everywhere we need it.

Hope that makes sense.
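
The replies above combined into one Apps Script function, as an added example that is not code posted by anyone in this thread: it takes the current user's token from ScriptApp.getOAuthToken(), sends it to the revoke endpoint quoted earlier, and reports the HTTP status without echoing the token. The function names, the `[REDACTED]` marker and the two injectable parameters are assumptions made for this example.

```javascript
// Added example for Google Apps Script (V8 runtime); not from the thread.
// Endpoint as quoted in the thread's "Revoking a Token" reply.
const REVOKE_ENDPOINT = 'https://accounts.google.com/o/oauth2/revoke';

// Build the revocation URL. The token is percent-encoded so characters
// such as '+' or '/' cannot alter the query string.
function buildRevokeUrl(token) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('No OAuth token available to revoke');
  }
  return REVOKE_ENDPOINT + '?token=' + encodeURIComponent(token);
}

// Strip the token from any text that may end up in logs.
function redact(text, token) {
  return String(text).split(token).join('[REDACTED]');
}

// Revoke the grant of the user currently running the script.
// The parameters default to the Apps Script globals; passing them in is a
// hypothetical convenience of this example so it can be exercised elsewhere.
function revokeCurrentUserGrant(scriptApp = ScriptApp, urlFetchApp = UrlFetchApp) {
  const token = scriptApp.getOAuthToken(); // fetched fresh, never stored
  const response = urlFetchApp.fetch(buildRevokeUrl(token), {
    method: 'get',
    muteHttpExceptions: true // return the response on 4xx/5xx instead of throwing
  });
  const status = response.getResponseCode();
  return {
    revoked: status === 200,
    status: status,
    detail: redact(response.getContentText(), token)
  };
}
```

Log only the returned `status` and `detail`; the token itself and the full request URL should stay out of Logger output.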