Background:

This is about using a Gmail add-on created with Google Apps Script. When the user installs the add-on, there is the OAuth consent screen where the user gives consent to allow the "Product name shown to users" (as configured in the OAuth screen) the access specified.

Now, I read: https://developers.google.com/identity/protocols/CrossClientAuth

which states:

When a user grants access to your app for a particular scope, the user is looking at the user consent screen, which includes project-level product branding that you set up in the Google API Console. (For information about setting up the consent screen, see Setting up OAuth 2.0 in the API Console help.) Therefore, Google considers that when a user has granted access to a particular scope to any client ID in a project, the grant indicates the user's trust in the whole application for that scope.

Now, I have a server-side web component (a lambda, belonging to the same product) that needs the same access to the user's email that the user granted after installing the add-on ("Authorize Access" button).

Question(s):

Is there a way to use cross-client auth in my case (a backend server and a Gmail add-on) so that the backend just gets access to the user's data (basically whatever the user has already consented to) without triggering an additional consent screen?

Note: Using an additional authorization screen, triggered manually with the GAS OAuth library, I was able to get the "Auth Code", which I pass to the server; with it the server now has access to the consented data (we used the same client ID and secret). However, the problems with this approach are:

  • The user gets two emails about the permissions granted: one for the add-on and one for the manually triggered flow.
  • The user has to authorize the Gmail add-on on first access and then authorize again in the flow I trigger manually. Even if there was a way I could get the "Auth Code" when the user installs the add-on, that would also do.

Apologies in advance; there is a lot of scattered documentation, and though I went through much of it, it is likely I missed something.

Curious Explorer

1 Answer

We only issue one authorization code (refresh token) in exchange for one user authorization/approval. Your app can get new access tokens on Android or web without a user approval. But if it needs a refresh token again, the user still needs to approve the request. So if the add-on can talk to your server, you could give it a short-lived access token, or you will need user authorization.

nvnagr
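The pattern the answer suggests (the add-on hands its own short-lived access token to the backend instead of asking the user to consent a second time), as an added example that is not code from the question or the answer. The add-on side uses ScriptApp.getOAuthToken() and UrlFetchApp.fetch, which are real Apps Script APIs and run only inside Apps Script; the backend URL, the expected client ID and the tokeninfo responses are constructed for illustration. The point a practitioner wants here is on the backend side: a bearer token is not trustworthy just because it arrived at your endpoint, since anyone can post you a token minted for some other application. The backend asks Google's tokeninfo endpoint what the token is, then checks that the audience is its own client ID, that the granted scope covers what it needs, and that the token has not expired. Such a token also cannot be refreshed by the backend, so the work has to finish inside the token's lifetime (about an hour); anything longer-lived still needs the separate authorization flow the question describes.

```javascript
// Added example, not from the original question or answer.
// Part 1: Google Apps Script add-on side. These globals exist only in Apps
// Script, so sendTokenToBackend() is defined here for reference and is not
// called when this file runs under Node.
const BACKEND_URL = 'https://backend.example.invalid/ingest'; // assumed, hypothetical

function sendTokenToBackend() {
  // Access token Google issued to the add-on for the scopes in its manifest.
  const token = ScriptApp.getOAuthToken();
  const resp = UrlFetchApp.fetch(BACKEND_URL, {
    method: 'post',
    contentType: 'application/json',
    payload: JSON.stringify({ access_token: token }),
    muteHttpExceptions: true,
  });
  return resp.getResponseCode();
}

// Part 2: backend side (Node.js, e.g. the Lambda handler behind BACKEND_URL).
// Google's tokeninfo endpoint reports aud/azp, scope, expires_in and email
// for an access token; it is the cheapest way to learn whose token this is.
const TOKENINFO_URL = 'https://oauth2.googleapis.com/tokeninfo';

// Pure check over a parsed tokeninfo response, so it can be tested offline.
// expectedClientId is the OAuth client ID of *this* project (assumed value).
function validateTokenInfo(info, expectedClientId, requiredScopes) {
  if (!info || typeof info !== 'object') return { ok: false, reason: 'no tokeninfo' };
  if (info.error) return { ok: false, reason: 'tokeninfo error: ' + info.error };
  // A token issued to another app's client ID must be rejected, otherwise this
  // backend becomes a confused deputy acting on a stranger's credential.
  if (info.aud !== expectedClientId) return { ok: false, reason: 'audience mismatch' };
  // The consent the user gave the add-on bounds what the backend may do.
  const granted = new Set((info.scope || '').split(' ').filter(Boolean));
  const missing = requiredScopes.filter((s) => !granted.has(s));
  if (missing.length) return { ok: false, reason: 'missing scope: ' + missing.join(' ') };
  // expires_in is seconds remaining; a missing or non-positive value is expired.
  const ttl = Number(info.expires_in);
  if (!(ttl > 0)) return { ok: false, reason: 'token expired' };
  return { ok: true, email: info.email, expiresIn: ttl };
}

// fetchImpl is injected so the handler can be exercised without network access;
// in the real Lambda pass the global fetch.
async function handleIngest(body, expectedClientId, requiredScopes, fetchImpl) {
  const { access_token } = JSON.parse(body);
  if (!access_token) return { statusCode: 400, body: 'missing access_token' };
  const res = await fetchImpl(
    TOKENINFO_URL + '?access_token=' + encodeURIComponent(access_token)
  );
  const info = await res.json();
  const v = validateTokenInfo(info, expectedClientId, requiredScopes);
  if (!v.ok) return { statusCode: 401, body: v.reason };
  // From here the token is usable as "Authorization: Bearer <token>" against
  // the Gmail API for expiresIn seconds. It cannot be refreshed server-side:
  // when it lapses, the add-on must send a fresh one.
  return { statusCode: 200, body: JSON.stringify({ user: v.email, ttl: v.expiresIn }) };
}
```

The required scope list should be the minimum the backend actually needs, not everything the add-on declared; if the check fails, the correct response is to reject the request, never to fall back to a stored refresh token for a different user.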