
I have created a script backed by a Google Spreadsheet in Google Drive and published it as a web app, setting "Execute the app as: me" and "Who has access to the app: Anyone, even anonymous". The main page serves HTML content from the spreadsheet.

The basic functionalities are: a "random internet user" is able to see some information, while a user logged in with his Google Account is able to submit information as well.

The issue is - if I set the permission to "anyone", people are first redirected to the standard Google login page, and once logged in have to accept the script permissions. Once that's done, navigating to the web app will give the "logged in user" version as long as you are logged in with your Google account.

However - if the web app is set to allow "anonymous users", there doesn't seem to be any (at least obvious) way to allow anonymous users to log in and accept the app permissions.

What I have tried until now:

  • a link to the URL Google redirects me to if I am not logged on if the web app requires the user to be logged in. That works, but I feel it is not the right way and also, once logged in, there is no way to log out or to switch account; it seems that once you are logged in, you are logged in forever
  • to use https://developers.google.com/apps-script/reference/script/authorization-info#getAuthorizationUrl() to get the auth URL - but I don't know how to use the URL it returns (navigating the user to that page in the web app frame or the top frame both result in a blank page)

How can I get a login (and possibly a switch login) URL to allow anonymous users to log in to my web app?

Rubén
thedayofcondor
  • @BryanP I got it to work redirecting the user to the URL I get by changing the script permission so it is definitely possible. I am used to App Engine which gives you functionalities to create a login button, I feel getAuthorizationUrl() is the way to go but cannot get it to work – thedayofcondor Jan 21 '16 at 12:58

1 Answer


Created sample code for 2 .gs web app projects:

  • one - no auth, runs as owner, anonymous can access
  • two - needs auth, runs as user, anyone can access

...as I have no idea what your "I got it to work redirecting the user to the URL" statement looks like in code.

The 1st file has a button with a click listener to act as the login button, but it's just calling for a window.top.location.href change. The 2nd app is using ScriptApp.invalidateAuth(); to log users out after being called from a client-side button click.

Demo - 1st web app url

I'd still vote to just offer a 2nd web app as a link that pops open in a new window though and as I note in the comment, the setup above forces users to re-authorize each time and after the signout.

Bryan P
  • On second thought, `invalidateAuth()` isn't likely what you want since it's a step further than logging out. You want to keep the auth and just log out of the session or switch accounts. Maybe someone else can clarify if the account management can be created by devs or whether it's a feature request – Bryan P Jan 25 '16 at 20:20
  • Yes, when "running as me" invalidateAuth() deauthorizes the script for the script owner, not the user. Investigating further and implementing your solution, I realized it is either "run as me" in which case the script gets access to my protected spreadsheet or "run as the user" in which case I cannot read the spreadsheet at all. If I create two separate web apps, there seems to be no way to get them to talk to each other (except unauthenticated ajax calls) – thedayofcondor Jan 26 '16 at 15:48
  • Well if you stay within App Engine world, you could consider using the [Execution API](https://developers.google.com/apps-script/guides/rest/quickstart/js) to serve 1 app with 2 pages. 1 page for your anon viewers then the other to trigger login. Then I guess `gapi.auth.signOut();` would be used to log out? – Bryan P Jan 26 '16 at 22:00
  • I thought about something like that - to use Google OAuth2 JavaScript API, served by the "run as me" script. I was trying to avoid that because it sounds like a lot of work, and App Script Web Apps do not have access to cookies or headers, forcing me to pass the OAuth2 token through POSTs at every call (which in turn locks me from using ?> in my page) – thedayofcondor Jan 27 '16 at 12:21
  • Try the JavaScript example. Add a `signOut()` to it. Create a separate post for it here, if needed – Bryan P Jan 28 '16 at 08:04
  • changing `window.location.href` to `window.top.location.href` fixed all of the window echo behavior I was seeing before – Bryan P Feb 23 '16 at 12:39
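
The two-project arrangement described in the answer, sketched as an added example (this is not Bryan P's sample code, which does not appear on this page). `AUTH_APP_URL`, the function names and the page markup are assumptions; in each Apps Script project the entry point would be named `doGet`.

```javascript
// Added example. AUTH_APP_URL is a placeholder for the second project's
// deployment URL, not a real address.
const AUTH_APP_URL = 'https://script.google.com/macros/s/AUTH_APP_DEPLOYMENT_ID/exec';

// Escape text before placing it in HTML; the e-mail is account data, not markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Accept only an https script.google.com /exec URL as the navigation target.
function checkedLoginUrl(url) {
  if (!/^https:\/\/script\.google\.com\/macros\/s\/[\w-]+\/exec$/.test(url)) {
    throw new Error('unexpected login URL: ' + url);
  }
  return url;
}

// Project 1: "Execute the app as: me", access "Anyone, even anonymous".
function publicPageHtml(loginUrl) {
  // The page is served inside an iframe, so the click navigates the top window.
  return '<p>Public, read-only view.</p><button id="login">Log in</button>' +
    '<script>document.getElementById("login").addEventListener("click", function () {' +
    'window.top.location.href = ' + JSON.stringify(checkedLoginUrl(loginUrl)) +
    ';});</script>';
}
function doGetPublic() {
  return HtmlService.createHtmlOutput(publicPageHtml(AUTH_APP_URL));
}

// Project 2: runs as the user accessing the web app, access "Anyone".
function userPageHtml(email) {
  return '<p>Signed in as ' + escapeHtml(email) + '</p>' +
    '<button id="out">Revoke authorization</button>' +
    '<script>document.getElementById("out").addEventListener("click", function () {' +
    'google.script.run.withSuccessHandler(function () {' +
    'document.body.textContent = "Authorization revoked.";}).revokeAuth();});</script>';
}
function doGetAuthenticated() {
  return HtmlService.createHtmlOutput(userPageHtml(Session.getActiveUser().getEmail()));
}

// Called from the client button. This revokes the script's authorization for
// the effective user, so the next visit shows the consent prompt again.
function revokeAuth() {
  ScriptApp.invalidateAuth();
}
```

Because the second project runs as the visiting user, it cannot read a spreadsheet that only the owner can open, which is the trade-off raised in the comments above.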