
I'm building a webapp with the Google Script engine. The application uses the Sign in With Google button to log in, so I need a project with a Credential in the Google Cloud Platform which asks me to introduce a domain in the Authorized JavaScript Origin field. Domains of the kind xxx.googleusercontent.com used to work but now they appear to be forbidden.

Since the app is hosted by Google Script platform, I've tried the URI https://script.google.com, but it does not work. It keeps on saying:

Not a valid origin for the client: https://n-lvkfgw4qjsttvut5eeun3inieub2bbse7ukpiti-0lu-script.googleusercontent.com has not been registered for client ID 577491057122-qlfn0853m85t0u7gsd4rr69rulghts54.apps.googleusercontent.com. Please go to https://console.developers.google.com/ and register this origin for your project's client ID." ​ error: "idpiframe_initialization_failed"

Does anybody know anything about this issue?

Rubén
  • Have you tried registering the link given in the error? 577491057122-qlfn0853m85t0u7gsd4rr69rulghts54.apps.googleusercontent.com. I know this sounds kind of dumb but I did a similar thing with dropbox and it worked. – Cooper Jun 12 '21 at 18:03
  • 577491057122-qlfn0853m85t0u7gsd4rr69rulghts54.apps.googleusercontent.com seems to be the client ID. The domain to register should be https://n-lvkfgw4qjsttvut5eeun3inieub2bbse7ukpiti-0lu-script.googleusercontent.com, shouldn't it? And how can I register that domain in the developer console? Anyway, they say, explicitly, that anything with googleusercontent.com is a forbidden domain. – Maat inspicasso Jun 13 '21 at 07:20
  • Possible duplicate: https://stackoverflow.com/q/56803054/1595451 – Rubén Feb 27 '22 at 17:23

1 Answer

Answer:

There was a discussion about this on a bug reported on Google's Issue Tracker - this has become disallowed due to security concerns. There is, therefore, no current way to use an Apps Script Web App as a JavaScript origin at all.

More Information:

The bug report in question:

An investigation was conducted as there was seemingly no public information about the change. On March 31st 2021, a Googler eventually responded, explaining the reason for the change and closed the issue as intended behaviour:

Current policies for use of OAuth 2.0 require apps to use secure JavaScript origins and redirects on domains that you own. While the use of certain shared domains is allowed (e.g. Firebase apps running on *.web.app), the use of *.googleusercontent.com as OAuth origins or redirect URIs is blocked in order to ensure the security and privacy of user accounts.

The documentation at Redirect URI validation rules and JavaScript origin validation rules has been updated in order to reflect this:

Host domains cannot be “googleusercontent.com”.

Nimantha
Rafa Guillermo
  • Thank you very much for helping clarify the issue. So I understand that I can no longer use the "Sign in with Google" button with the Google Script web application, right? – Maat inspicasso Jun 14 '21 at 17:07
  • @Maatinspicasso Effectively, no. If you wish to identify the user to perform specific tasks you should instead use the Web App deployment options and built in methods. – Rafa Guillermo Jun 14 '21 at 17:29
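
Assuming the "built in methods" in the last comment refers to Apps Script's Session service, the following added example (not code from this thread) identifies the visitor on the server side instead of through the Sign in with Google button, so no OAuth client ID or JavaScript origin is needed. `ALLOWED_USERS`, `escapeHtml` and `classifyVisitor` are hypothetical names, and the addresses are constructed samples.

```javascript
// Added example for Google Apps Script (server side, Code.gs); not from the original thread.
// ALLOWED_USERS and the helper names are hypothetical; the addresses are constructed samples.
const ALLOWED_USERS = ['alice@example.com', 'bob@example.com'];

// Escape text before placing it in HTML so a reported address can never inject markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, function (ch) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch];
  });
}

// Decide what to do with the identity Apps Script reports for the visitor.
// Returns { status: 'unknown' | 'denied' | 'ok', email }.
function classifyVisitor(email) {
  const normalized = String(email || '').trim().toLowerCase();
  if (normalized === '') {
    // getEmail() returns '' when the deployment settings or security
    // policies do not expose the visitor's identity: treat as unauthenticated.
    return { status: 'unknown', email: '' };
  }
  if (ALLOWED_USERS.indexOf(normalized) === -1) {
    return { status: 'denied', email: normalized };
  }
  return { status: 'ok', email: normalized };
}

// Web app entry point. The identity comes from the Google session that
// Apps Script has already authenticated, not from a client-side sign-in button.
function doGet(e) {
  const visitor = classifyVisitor(Session.getActiveUser().getEmail());
  let body;
  if (visitor.status === 'ok') {
    body = '<p>Signed in as ' + escapeHtml(visitor.email) + '</p>';
  } else if (visitor.status === 'denied') {
    body = '<p>' + escapeHtml(visitor.email) + ' is not authorised for this app.</p>';
  } else {
    body = '<p>Could not determine your Google account; access refused.</p>';
  }
  return HtmlService.createHtmlOutput(body);
}
```

Whether `getEmail()` returns an address depends on the web app's "Execute as" and "Who has access" deployment settings, so the empty-string branch should always refuse access rather than fall through.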