2

Here's a custom Google Sheet with script code:

var GAaccountsList = Analytics.Management.Accounts.list();
var upload = Analytics.Management.Uploads.uploadData('accountId', 'webPropertyId', 'customDataSourceId')

This code should run OK if https://www.googleapis.com/auth/analytics scope is provided.

But instead, it asks additionally for https://www.googleapis.com/auth/analytics.readonly that is excessive. enter image description here

Can this be fixed in Google Apps Script OAuth service?

Max Ostapenko
  • 536
  • 5
  • 15
  • This is pretty common pattern. Even in the Google API playground the read only scope gets added despite adding the read write scope. It's really nothing to worry about. – JSDBroughton Feb 03 '15 at 19:27
  • @Jonathon I don't agree, because users become alert when they see unnecessary scope requirements in OAuth popup. Because of that we have questions from our [users](https://chrome.google.com/webstore/detail/owox-bi-data-upload/fadfhkmoaodkbbejgapjpbimhfflecin?utm_source=permalink) and have to clarify why manage is not enough. – Max Ostapenko Feb 10 '15 at 07:22
  • https://code.google.com/p/google-apps-script-issues/issues/list . add a feature request there as this is currently expected behaviour across the spec and apps script. The read only scope is less 'invasive' than the first so the oauth request will be the same. Test it in the oauth playground. – JSDBroughton Feb 10 '15 at 07:29
  • @Jonathon Thanks, I submitted this as [a feature request](https://code.google.com/p/google-apps-script-issues/issues/detail?id=4784). – Max Ostapenko Feb 12 '15 at 18:27

1 Answers1

2

You can modify the OAuth scopes in the Manifest file. The manifest file is accessed in the GAS editor through the menu (View > Show Manifest File), then the manifest will appear in the file list as appscript.json. You can remove the Dependencies and oauthScopes sections from this file, then when your script tries to make Google calls it will get an error saying which scopes are required (in Stackdriver Logging). You can add scopes one at a time this way, but be sure each of your Google functions gets called or you may miss a scope.

Note that removing the Dependencies section might have other side-effects (such as removing access to Libraries). It was my experience that an excessive scope showed up in the Dependencies/enableAdvancedServices section, so I had to remove it from there and add the less-permissive scope to the oauthScopes section.

Reference: https://developers.google.com/apps-script/concepts/scopes

https://developers.google.com/identity/protocols/googlescopes

Google Oauth removing scopes from access

How to narrow down the auth/drive scope for a google apps script?

https://developers.google.com/apps-script/concepts/manifests

Bryan Blackford
  • 186
  • 2
  • 6
  • Thanks! It's a great new trick. BTW they fixed scopes in PROD regarding my question, so nothing should be defined manually in this particular case. – Max Ostapenko Dec 24 '18 at 15:24