
I developed a Google Sheets add-on (sidebar), and I'm now trying to publish it to the Google Workspace Marketplace.

I'm a little lost with the OAuth scopes needed to be set as part of the user consent screen and/or app configuration screen (and/or other places?).

I have a few questions:

1. What are the scopes I actually need to set?

This is what the add-on does:

  • Reads all data in the spreadsheet, basically read access, to analyze references between formula cells (Dependents and Precedents).

  • Upon user approval (clicking a button each time), it will write results to a new sheet in the current worksheet.

  • In the case of an internal error and upon user approval (clicking a button each time), the add-on sends an email with the error details, including the stack trace and potentially additional parameters (spreadsheet and sheet(s) names).

  • Logs are written while running, for the purpose of debugging and flow improvements. Log records might include some of the spreadsheet's underlying data.

I couldn't find any full list of scopes, but my understanding is I need at least:

https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/spreadsheets

2. Where should scopes be configured?

I found at least 3 places holding scope settings.

  • In the OAuth consent screen setup in the Google Cloud Platform console (API & Services -> OAuth consent screen)

  • #3 in the how to publish guide leads to the App Configuration screen in the Google Workspace Marketplace SDK settings (see screenshot). I couldn't find a way to reach this page except as described (search for Google Workspace Marketplace SDK in the console). It seems to be hidden somehow... I don't really understand. This screen also has OAuth scope settings.

  • The appsscript.json file, as described here. Currently appsscript.json doesn't have any scope references.

Kos
OJNSim

1 Answer

To answer your questions...

Apps Script ends up automatically determining what scopes a script needs and they are added when a script is being run.

To check which ones have been added you should go to Overview in your Apps Script project and you will be able to find the list under the Project OAuth Scopes section:


Therefore, if you had already run and authorized the script corresponding to the add-on, then the scopes needed will be added there.

As for a list of scopes, you can easily check this one here.

Since you are developing an editor add-on, there's no need to add the scopes to the manifest file too, unless you'd like to set explicit scopes. For instance, if you want more control over your add-on and want to make use of more restrictive scopes than the ones that have been automatically added, you should set them in the appsscript.json manifest file of the add-on.

Once you finish setting things up in the Apps Script side, you can start configuring the add-on using the Marketplace SDK.

Doing so will require you to provide a complete list of the OAuth scopes you have set in your Apps Script project. The OAuth scopes you enter here should match what you display in your OAuth consent screen and, if applicable, the ones in the appsscript.json manifest file.

Depending on the scopes you choose for the add-on and the add-on's visibility, you might consider taking a look at the OAuth API verification FAQs documentation too, as:

> Some of the scopes used by the following APIs are considered sensitive; see the API’s documentation or look for the lock icon in the Cloud Console. If your app requests sensitive scopes, and doesn’t meet any of the criteria for an exception (see below), you will need to verify that your app follows the API Services User Data Policy.

Therefore, if your add-on is using any of the scopes listed here, you have to go through the verification process as well before publishing it publicly.


ale13
  • I have been reading most of the articles in the added links. I do see the scopes in the editor overview, so these are the _what_ scopes are needed. As for the _where_, I understand I need to add these scopes in the **Market SDK**, but what about the OAuth consent screen configuration in the cloud console? – OJNSim Oct 20 '21 at 07:44
  • You will have to add the scopes in the OAuth consent screen as well - this will be mostly to let the users know what scopes the add-on will require them to authorize. – ale13 Oct 20 '21 at 07:47
  • I am not sure I understand your last comment regarding the verification process. Should I do anything special for that? My understanding is that once an app is submitted for publication, the _app review_ as well as _OAuth verification_ (if applicable) is performed as part of the process, isn't it? – OJNSim Oct 20 '21 at 08:21
  • If your add-on uses any restricted scope, you will have to undergo a separate third party security assessment. This process is detailed [here](https://support.google.com/cloud/answer/9110914#restricted-scopes). – ale13 Oct 20 '21 at 09:02
  • Got it, my question though is whether all these 3 processes (when applicable) are part of the same single app submission one is doing. Meaning, once I push the button, these processes will take place if needed, right? – OJNSim Oct 20 '21 at 11:33
  • One more question: my immediate need is actually to submit for the purpose of testing by users other than me, whom I have added as test users. The current publishing status is **Testing** and the user type is **External**. Will these processes take place now, or only after submitting for "go public" (changing **Testing** status to **Publish**)? – OJNSim Oct 20 '21 at 12:09
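
The answer above says that explicit, more restrictive scopes go in the appsscript.json manifest and that the Marketplace SDK list should match the OAuth consent screen and the manifest. The following is an added example, not code from the question, the answer or Google: a small Node.js check that compares the three lists and flags a broad scope where a narrower one exists. The three scope lists and the `NARROWER` table are constructed for illustration.

```javascript
// Added example. All three scope lists are constructed sample data.
const A = "https://www.googleapis.com/auth/";

// appsscript.json content with explicit (narrowed) scopes instead of auto-detected ones.
const manifest = {
  timeZone: "Etc/UTC",
  runtimeVersion: "V8",
  oauthScopes: [
    A + "spreadsheets.currentonly", // read/write only the spreadsheet the add-on is open in
    A + "script.container.ui",      // show the sidebar
    A + "script.send_mail",         // send the error report with MailApp
  ],
};
// What was entered in the Marketplace SDK App Configuration screen.
const marketplaceSdk = [A + "spreadsheets", A + "script.container.ui", A + "script.send_mail"];
// What was added on the OAuth consent screen.
const consentScreen = [A + "spreadsheets.currentonly", A + "script.container.ui"];

// Broad scope -> narrower scope (illustrative table, extend as needed).
const NARROWER = {
  [A + "spreadsheets"]: A + "spreadsheets.currentonly",
  "https://mail.google.com/": A + "script.send_mail",
};

const toSet = (list) => new Set((list || []).map((s) => s.trim()).filter(Boolean));

// Returns one finding per scope that is absent from some location or is broader than needed.
function auditScopes(manifestScopes, sdkScopes, consentScopes) {
  const places = {
    manifest: toSet(manifestScopes),
    marketplaceSdk: toSet(sdkScopes),
    consentScreen: toSet(consentScopes),
  };
  const all = new Set(Object.values(places).flatMap((set) => [...set]));
  const findings = [];
  for (const scope of [...all].sort()) {
    const missingFrom = Object.keys(places).filter((p) => !places[p].has(scope));
    if (missingFrom.length) findings.push({ scope, issue: "mismatch", missingFrom });
    if (NARROWER[scope]) findings.push({ scope, issue: "broad", suggest: NARROWER[scope] });
  }
  return findings;
}

const findings = auditScopes(manifest.oauthScopes, marketplaceSdk, consentScreen);
for (const f of findings) console.log(JSON.stringify(f));
```

An empty result means the three places agree and none of the listed broad scopes is in use.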