3

I'm working on a Google Apps Script project (can be bound to a Spreadsheet or standalone) that will be deployed as a webapp, and I want to grant users access based on

  • 1) Google Sign-In (some users will be granted access or some will be prevented from access) for some users and
  • 2) username/password for the others.

1) Google Sign-In

I found it more tricky than I presumed. I expected the existence of some simple functions/methods that can make it work like I want with a Google-guaranteed security level. What I found first was this: https://developers.google.com/identity/sign-in/web/. At first it looked very simple, so I tried to implement this code: https://developers.google.com/identity/sign-in/web/build-button, but I got stuck on the step after filling in content="YOUR_CLIENT_ID.apps.googleusercontent.com". I filled in the proper CLIENT_ID from the Google Cloud Platform section Credentials and tried to sign in to my published project. I got this:

Error: redirect_uri_mismatch

The JavaScript origin in the request, https://n-__________________________________-script.googleusercontent.com, does not match the ones authorized for the OAuth client. Visit https://console.developers.google.com/apis/credentials/oauthclient/___________.apps.googleusercontent.com?project=_____ to update the authorized JavaScript origins.

So I copied the first link, then I put googleuser.com into Authorized domains and then I pasted the link into Authorized JavaScript origins. But I wasn't allowed to save it and this popped up:

Error

You do not have permission to perform this action.

Tracking Number: c411401060

I don't know why. A few months ago something similar wasn't a problem. I suppose it has something to do with Google's new restricted scopes policy. I tried to make it work for a bound and a standalone project with no difference in results. So finally (partially because of this schema: https://developers.google.com/identity/sign-in/web/server-side-flow) I came to the conclusion that the whole concept of Sign-In for Websites is not intended to be used in a published Apps Script project.

a) Am I wrong? If not, how can I make it work please?

b) Why did I get the Error - Tracking Number: c411401060? Does anybody know?

So I continued looking for a solution somewhere else. The most similar question I found is here: "Google app script web app, how to create a login button?". But it's over three years old with not very satisfying answers (or I don't understand them):

c) Do I really have to publish more than one project at the same time to grant access for some users with and for some without a Google account? Once a user is signed in, how can they be signed out? Isn't there a simple way to reliably check a user's ID or Gmail?

d) Does somebody have a working example of code? As a beginner I'll appreciate an example very much, because I bet that if there is a simple solution, I've already read about it, but I didn't notice it's what I need.


2) username/password

Although it is ten years old, I found it useful to read "The definitive guide to form-based website authentication". Or at least I didn't know a better article to start with. Links appreciated.

My idea of how to make a username/password login is that I'll make a server-side function called by the user via google.script.run, and the function will check the validity of the username and password. a) Is it safe? Now when the user is signed in, can I just let the webapp work? I mean, the user sent a username and password, so the app will just continue working with no other technique involved? b) Or will I make the app safer if after signing in I let some server-side function generate a random string which will be sent to the client and serve as a token for a session?


Best practices, hints, codes, sources appreciated!

Thank you

4
  • Google shut down client login in 2015; you can't use login and password. Commented Mar 7, 2019 at 14:43
  • Thanks for the response. 1) Do you mean some "Google's client login and password service"? 2) Is identifying users with "Session.getActiveUser().getEmail();" secure and reliable? 3) Is the way to sign in described in my original question at least somehow OK? 4) Any hint where to look for a solution? Commented Mar 7, 2019 at 15:08
  • Are you a domain user? Ask your admin for privileges. Commented Mar 7, 2019 at 17:11
  • @TheMaster privileges what for? Commented Feb 15, 2021 at 20:39
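For part 2 of the question (credentials checked by a server function, then a random session token), here is an added example that is not part of the original post. It runs under Node.js so it is self-contained; the function names, lifetime and sample account are constructed, and an Apps Script port would expose `login` and the guarded functions through google.script.run and keep the session table in a server-side store.

```javascript
// Added example: runs under Node.js; names and sample data are constructed.
const nodeCrypto = require('crypto');

const SESSION_TTL_MS = 15 * 60 * 1000;   // assumed session lifetime
const users = new Map();                 // username -> { salt, hash }
const sessions = new Map();              // sha256(token) -> { username, expires }

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');

function hashPassword(password, salt) {
  // Slow, salted KDF so a leaked user table is expensive to brute-force.
  return nodeCrypto.scryptSync(password, salt, 32);
}

function addUser(username, password) {
  const salt = nodeCrypto.randomBytes(16);
  users.set(username, { salt, hash: hashPassword(password, salt) });
}

// Server function the client calls once with the credentials.
function login(username, password, now = Date.now()) {
  const user = users.get(username);
  // Hash even for unknown users so both failure paths cost the same.
  const salt = user ? user.salt : Buffer.alloc(16);
  const candidate = hashPassword(password, salt);
  const ok = user !== undefined && nodeCrypto.timingSafeEqual(candidate, user.hash);
  if (!ok) return null;
  const token = nodeCrypto.randomBytes(32).toString('hex');
  // Store only a digest of the token; the raw value lives with the client.
  sessions.set(sha256(token), { username, expires: now + SESSION_TTL_MS });
  return token;
}

// Every later server function starts with this check; the server never
// relies on the client merely claiming to be logged in.
function requireSession(token, now = Date.now()) {
  const key = sha256(String(token));
  const s = sessions.get(key);
  if (!s || s.expires <= now) { sessions.delete(key); return null; }
  return s.username;
}

function logout(token) {
  return sessions.delete(sha256(String(token)));
}

addUser('alice', 'correct horse battery staple'); // constructed sample account
```

Without the token check on every call, any visitor could invoke the other server functions directly and skip the login step entirely.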

2 Answers

1

Maybe I can give you an answer for the first question.

1) Google Sign-In. Before you begin, add this Google OAuth2 link:

1B7FSrk5Zi6L1rSxxTDgDEUsPzlukDsi4KGuTMorsTQHhGBzBkMun4iDF

This will solve some login issues.

You need to add a new OAuth 2.0 client ID, apart from the default Apps Script ID, in your cloud console. You should also enable the required APIs from the API console.

In the Apps Script ID you can add this URL under Authorized callback URLs:

https://script.google.com/oauthcallback

After this, in your newly created OAuth client, you can add your script app URL as a redirect URL, like this:

https://script.google.com/d/projectid/usercallback

After that, copy and paste the client ID and client secret of the newly created OAuth client into your project.

2 Comments

Thanks! Although I haven't tested it through and through, I've tried to create a new OAuth 2.0 client ID and it worked! I hope the rest of it will work for me too (e.g. logout).
For visitors of this question: I found something that might be useful here: stackoverflow.com/questions/45656634/…
-1

Bitz Trail's answer is unfortunately no longer valid. It is no longer possible to add the origin of a Google web app in the "Authorized redirect URI" in the "OAuth 2.0 Client IDs".

See this link for more details: "Why webapp can no longer use client side authentication".

However, in the Google issue tracker, there was a mention of this repo with a full write-up on how to use server-side authentication:

<[email protected]> Jun 4, 2021 - For anyone still struggling with this I moved from client side authentication to a server side OAuth flow. Check out the repo @ https://github.com/googleworkspace/apps-script-oauth2 I launch the login page in a popup box so the flow feels natural to the user. (Check out window.open options.) The only downside is that after accepting the scopes the user is redirected back to the popup box which they have to close, but at least since the redirect is toward your script you can provide a really nice confirmation / on-boarding page.
