Google App Script User Scope Approval for new scope

Time:02-11

I've added the script.external_request scope to my Gmail add-on so that I can connect to and store information in a MySQL DB.

The scope was submitted and approved by Google OAuth and Marketplace SDK.

If I run the script in the editor from the HEAD deployment, I get the OAuth approval workflow and the script connects to the database.

In the deployed version I keep getting the following error:

You do not have permission to call Jdbc.getConnection. Required permissions: https://www.googleapis.com/auth/script.external_request

It seems to me that the end users are not getting a trigger to accept the new scope from the UI of the addon.

Is there a way to force the OAuth workflow re-authorization from the addon UI?

Or is there something else going on here?

ADDED INFO

I used Aaron's suggestion on the QuickStart to add a logging check to see if the required permissions are present. At least this will indicate whether this might be a red herring.

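    // Assumption: authInfo and user are set earlier in the add-on, for example:
    const authInfo = ScriptApp.getAuthorizationInfo(ScriptApp.AuthMode.FULL);
    const user = Session.getActiveUser().getEmail();

    // Log whether this user still has to grant any scope the script declares.
    if (authInfo.getAuthorizationStatus() ===
        ScriptApp.AuthorizationStatus.REQUIRED) {
      Logger.log(`${user} - Missing required scope authorizations`);
    } else {
      Logger.log(`${user} - Required scope authorizations present`);
    }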

Naturally in the 12hrs this has been present, no user has opened the app. So will have to report back later.

Also adding my appsscript.json manifest:

{
  "timeZone": "America/New_York",
  "runtimeVersion": "V8",
  "addOns": {
    "common": {
      "name": "GMailAddOn",
      "logoUrl": "https://lh3.googleusercontent.com/...",
      "layoutProperties": {
        "primaryColor": "#2772ed"
      },
      "useLocaleFromApp": true
    },
    "gmail": {
      "homepageTrigger": {
        "enabled": true,
        "runFunction": "initApp"
      }
    }
  },
  "exceptionLogging": "STACKDRIVER",
  "oauthScopes": [
    "https://www.googleapis.com/auth/gmail.addons.execute",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/script.send_mail",
    "https://www.googleapis.com/auth/script.locale",
    "https://www.googleapis.com/auth/script.scriptapp",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/script.external_request"
  ],
  "urlFetchWhitelist": [
    "https://google.com/"
  ]
}

CodePudding user response:

So after a lot of hair pulling and digging, I believe I found the answer and it comes from a UI/UX issue with Google Marketplace SDK. When a new scope is added to an already published Marketplace add-on, the Marketplace SDK App Configuration needs to be updated. I knew this and took care of it on 2/6 at about 2pm EST and hit save. Great, process done... not so fast.

Errors continued in the logs through mid-day on 2/7 then stopped, but unfortunately so did new download volume from Marketplace, which is the trigger for the transaction. So I had no live transactions to monitor until 2/9, when a new transaction posted and it was suddenly successful.

Because of the gap between working in the editor and not working in the deployment, my hypothesis is that there is an opaque, offline background process for Google Marketplace SDK to approve the new scopes for a published addon.

(MMQB: I probably could have been more thorough in my testing by uninstalling and reinstalling the app from a test account to expose this gap, lesson learned.)

Google's OAuth scope approval process is transparent as to when the new scope is pending or approved. Google Marketplace's is not. I never received any notification that an approval was pending or had been approved/rejected.

NB: Marketplace SDK approval is in addition to the OAuth scope approval and can't take place until the OAuth approval is complete.
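
The thread turns on two separate scope lists: the manifest's oauthScopes and the Marketplace SDK App Configuration. The following is an added example, not part of the original posts: plain JavaScript that parses the error from the question and reports which list lacks the scope. The function names and the Marketplace scope list are assumptions constructed for illustration.

```javascript
// Added example; function names and the Marketplace list below are constructed.
const ERROR = 'You do not have permission to call Jdbc.getConnection. ' +
  'Required permissions: https://www.googleapis.com/auth/script.external_request';

// oauthScopes copied from the manifest in the question.
const MANIFEST_SCOPES = [
  'gmail.addons.execute', 'userinfo.email', 'userinfo.profile', 'script.send_mail',
  'script.locale', 'script.scriptapp', 'gmail.modify', 'script.external_request',
].map((s) => 'https://www.googleapis.com/auth/' + s);

// Constructed: scopes as listed in the Marketplace SDK App Configuration before the update.
const MARKETPLACE_SCOPES = MANIFEST_SCOPES.filter((s) => !s.endsWith('/script.external_request'));

// Extract the blocked method and the scope URLs from an Apps Script permission error.
function parseRequiredScopes(message) {
  const m = /permission to call ([\w.]+)\. Required permissions: (.+)$/.exec(message.trim());
  if (!m) return null;
  return { method: m[1], scopes: m[2].match(/https:\/\/[^\s()|,]+/g) || [] };
}

// Decide which of the two scope lists has to change for this error to clear.
function triageScopeError(message, manifestScopes, marketplaceScopes) {
  const parsed = parseRequiredScopes(message);
  if (!parsed) return { verdict: 'not-a-scope-error', method: null, missing: [] };
  const lacking = (list) => parsed.scopes.filter((s) => !list.includes(s));
  const result = (verdict, missing) => ({ verdict, method: parsed.method, missing });
  if (lacking(manifestScopes).length) return result('add-to-manifest', lacking(manifestScopes));
  if (lacking(marketplaceScopes).length) {
    return result('update-marketplace-config', lacking(marketplaceScopes));
  }
  // Both lists carry the scope: the situation in the answer. Re-test with a
  // fresh install from a test account before changing anything else.
  return result('declared-in-both', []);
}

console.log(triageScopeError(ERROR, MANIFEST_SCOPES, MARKETPLACE_SCOPES));
```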
