Wednesday, January 8, 2025

Granular OAuth consent in Google Apps Script IDE executions

What’s changing

Google offers a wide variety of APIs that Google Apps Script developers can use to build features for Google users. The data access that these APIs can reference is governed by the OAuth scopes of each Workspace application, which users are required to authorize before a script can run. Historically, the OAuth consent screen has asked the user to authorize all of the necessary OAuth scopes to run a given script. 

This screenshot shows the old OAuth consent screen, which requires the user to authenticate all or none of the requested OAuth scopes.


Starting today, the OAuth consent screen lets users specify which individual OAuth scopes they would like to authorize. For example, if a script requests access to a user’s Sheets and Forms files, and the user only intends to use the script with Sheets files, they can decide to allow access only to their spreadsheets and not their forms. This gives users more granular control over what data their third-party (3P) applications are allowed to access.

This screenshot shows the new OAuth consent screen, which lets the user provide consent for a subset of the requested OAuth scopes.


Additional details

To complement the release of this new consent flow, we’re also adding methods to the ScriptApp and AuthorizationInfo classes that let Apps Script developers programmatically interact with the scopes granted for a script. Refer to the developer documentation for more information.

After a user grants permission to a script, Apps Script might request OAuth consent again in the following cases: 
  • The user, who has granted consent to a subset of the requested OAuth scopes, tries to run a part of the script that was not previously authorized. 
  • The script is updated in such a way that it requires permission for additional scopes. 
  • The user revoked access to the script from their Google Account settings.
All past execution failures will be logged in the execution history. Each OAuth failure will contain a hyperlink that users can use to provide the permissions that were missing. 
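
As an added illustration (not code from this announcement), a script can check for a partial grant before touching a service, using the Sheets and Forms case described above. The feature names and the FEATURE_SCOPES map are hypothetical; getAuthorizationInfo, getAuthorizedScopes and requireScopes are taken from the Apps Script reference, since this post does not name the new methods.

```javascript
// Added example. Feature names and the scope map are hypothetical.
const SHEETS = 'https://www.googleapis.com/auth/spreadsheets';
const FORMS = 'https://www.googleapis.com/auth/forms';

// Each script feature declares only the scopes it actually needs.
const FEATURE_SCOPES = {
  exportToSheet: [SHEETS],
  buildForm: [FORMS],
  syncFormToSheet: [SHEETS, FORMS],
};

// Pure check: which scopes required by a feature are absent from the grant.
function missingScopes(feature, granted) {
  const required = FEATURE_SCOPES[feature];
  if (!required) throw new Error('Unknown feature: ' + feature);
  const have = new Set(granted);
  return required.filter((scope) => !have.has(scope));
}

// Scopes the user has granted so far. Returns null outside Apps Script,
// where the ScriptApp global does not exist.
function grantedScopes() {
  if (typeof ScriptApp === 'undefined') return null;
  return ScriptApp.getAuthorizationInfo(ScriptApp.AuthMode.FULL)
    .getAuthorizedScopes();
}

// Fail closed: run the feature only when every scope it needs is granted.
// Otherwise ask for that feature's scopes and report what was missing,
// instead of letting a service call fail halfway through the work.
function runFeature(feature, fn, granted = grantedScopes()) {
  const missing = missingScopes(feature, granted || []);
  if (missing.length === 0) return { ran: true, result: fn() };
  if (typeof ScriptApp !== 'undefined') {
    // In Apps Script this prompts the user for consent to these scopes.
    ScriptApp.requireScopes(ScriptApp.AuthMode.FULL, FEATURE_SCOPES[feature]);
  }
  return { ran: false, missing };
}

// Constructed sample: the user granted Sheets but declined Forms.
const sampleGrant = [SHEETS];
console.log(runFeature('exportToSheet', () => 'exported', sampleGrant));
console.log(runFeature('syncFormToSheet', () => 'synced', sampleGrant));
```
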


Getting Started 

  • Admins: There is no admin control for this feature. 
  • Developers and end users: 
    • Granular OAuth consent is only available for scripts that have finished migrating to the V8 runtime. If you would like to utilize granular consent on one of the few remaining Rhino scripts, you can manually migrate to V8 by following these instructions.
    • This new consent screen will only be used for new OAuth scope grants. Pre-existing scope grants will not be affected, so no action is required by users on scripts they’ve already authorized. 
    • The new consent screen will be launched first to the Apps Script IDE (i.e. executing a script directly from Apps Script). The consent screen will launch to the remaining surfaces in the future: 
      • Google Ads Script
      • Macro executions 
      • Trigger executions 
      • Web app executions 
      • API Executions 
      • Chat apps
      • Add-ons 

Rollout pace 


Availability 

  • Available to all Google Workspace customers and Workspace Individual Subscribers

Resources