0

When attempting to use Google federated authentication login button for a Google webapp, error message identified mismatch with related URI and javascript host domains. Solutions, as in this 2019 post (Get gmail address using Google Apps Script, Error: redirect_uri_mismatch) weren't working for me.

I then found this recent article: What is the Authorized Javascript Origin for a webapp powered by Google Script?

I understand it to say that, due to recent actions by Google, it is no longer possible to use the Google authenticator for a Google webapp because redirect URI and javascript origin host domains "cannot be googleusercontent.com”, which is the host domain for Google webapps.

So, my question duplicates earlier posts (i.e., 2019) but in new circumstances. The conclusion of the recent post I've cited seems so radical to me that I'm seeking confirmation, or explanation of how I am misunderstanding it.

As background: I need the webapp to operate under the "(me)owner" account for connectivity to owner spreadsheets, but also need the user's Gmail address (required) for application access control (no other access to user Gmail account; users not all in a shared Workspace domain). Google login would provide the user Gmail address. So, before totally abandoning this solution, I hoping to get additional clarification.

TheMaster
  • 45,448
  • 6
  • 62
  • 85
DougMS
  • 45
  • 5

2 Answers2

1

According to the official docs, it's not possible to use Google Sign-In for Websites, and this post from the Google Apps Script Issue tracker Fail to Add *.googleusercontent.com into Authorized JavaScript origins as Google Apps Script uses googleusercontent.com

To achieve your goal, as I mentioned in your previous question, you might use the UrlFeth service to call the Google Sheets API to do the connectivity to your spreadsheet and setting the web app as the user instead as you.

From https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation
Domain Host TLDs (Top Level Domains) must belong to the public suffix list.
Host domains cannot be “googleusercontent.com”.
Redirect URIs cannot contain URL shortener domains (e.g. goo.gl) unless the app owns the domain. Furthermore, if an app that owns a shortener domain chooses to redirect to that domain, that redirect URI must either contain “/google-callback/” in its path or end with “/google-callback”.

Related

Rubén
  • 34,714
  • 9
  • 70
  • 166
  • 1
    Thank you again for your tremendous guidance on this problem. I hope others dealing with this issue will find this post and your responses. I am pursuing this method. Unfortunately, I am hung up on details regarding the OAuth 2 set up. I have posted another question with the specifics. I hope it conforms with SO guidelines. Thanks again. – DougMS Mar 02 '22 at 20:02
1

While true that you can no longer add googleusercontent.com, you may be able to solve this by using two webapps and managing authentication/authorization between the two:

  • Webapp#1:

    • Run as: Me
    • Access: Anyone even anonymous

  • Webapp#2:

    • Run as: User
    • Access: Anyone

You may be able to create a jwt token from webapp#2 and verify it on webapp#1. As it is a custom solution, security may be questionable.

References:

TheMaster
  • 45,448
  • 6
  • 62
  • 85
  • Thank you for looking at my question! I hope others see this solution works well for them. This option is even more outside my experience, however; so also considering your caveat about security, I'm going to pursue the URLFetchApp option, which I have some experience with. Thanks again. – DougMS Mar 02 '22 at 19:56
  • @DougMS What is the Urlfetch option? – TheMaster Mar 02 '22 at 20:00
  • In a previous question @Rubén outlined that approach, where the webapp runs under the user (so gives access to their Gmail) and URLFetch under the service account interacts with the owner's spreadsheets. He references that in his answer to this post. – DougMS Mar 02 '22 at 21:50