Skip to content

Instantly share code, notes, and snippets.

Created November 15, 2012 17:18
  • Star 27 You must be signed in to star a gist
  • Fork 9 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Google oAuth 2.0 sample
reference -
////handle all requests here
function doGet(e) {
var HTMLToOutput;
if(e.parameters.code){//if we get "code" as a parameter in, then this is a callback. we can make this more explicit
HTMLToOutput = '<html><h1>Finished with oAuth</h1></html>';
else if(isTokenValid()){//if we already have a valid token, go off and start working with data
HTMLToOutput = '<html><h1>Already have token</h1></html>';
else {//we are starting from scratch or resetting
return HtmlService.createHtmlOutput("<html><h1>Lets start with oAuth</h1><a href='"+getURLForAuthorization()+"'>click here to start</a></html>");
HTMLToOutput += getData();
return HtmlService.createHtmlOutput(HTMLToOutput);
//do meaningful google access here
function getData(){
var getDataURL = '';
var dataResponse = UrlFetchApp.fetch(getDataURL,getUrlFetchOptions()).getContentText();
return dataResponse;
////oAuth related code
//hardcoded here for easily tweaking this. should move this to ScriptProperties or better parameterize them
var AUTHORIZE_URL = ''; //step 1. we can actually start directly here if that is necessary
var TOKEN_URL = ''; //step 2. after we get the callback, go get token
var CLIENT_ID = '';
var REDIRECT_URL= ScriptApp.getService().getUrl();
//this is the user propety where we'll store the token, make sure this is unique across all user properties across all scripts
var tokenPropertyName = 'GOOGLE_OAUTH_TOKEN';
var baseURLPropertyName = 'GOOGLE_INSTANCE_URL';
//this is the URL where they'll authorize with
//may need to add a "scope" param here. like &scope=full for salesforce
//example scope for google -
function getURLForAuthorization(){
return AUTHORIZE_URL + '?response_type=code&client_id='+CLIENT_ID+'&redirect_uri='+REDIRECT_URL +
//Google requires POST, salesforce and slc worked with GET
function getAndStoreAccessToken(code){
var parameters = {
method : 'post',
payload : 'client_id='+CLIENT_ID+'&client_secret='+CLIENT_SECRET+'&grant_type=authorization_code&redirect_uri='+REDIRECT_URL+'&code=' + code
var response = UrlFetchApp.fetch(TOKEN_URL,parameters).getContentText();
var tokenResponse = JSON.parse(response);
//store the token for later retrival
UserProperties.setProperty(tokenPropertyName, tokenResponse.access_token);
//this may need to get tweaked per the API you are working with.
//for instance, SLC had content type of application/vnd.slc+json. SLC also allows lower case 'bearer'
function getUrlFetchOptions() {
var token = UserProperties.getProperty(tokenPropertyName);
return {
"contentType" : "application/json",
"headers" : {
"Authorization" : "Bearer " + token,
"Accept" : "application/json"
function isTokenValid() {
var token = UserProperties.getProperty(tokenPropertyName);
if(!token){ //if its empty or undefined
return false;
return true; //naive check
//if your API has a more fancy token checking mechanism, use it. for now we just check to see if there is a token.
var responseString;
responseString = UrlFetchApp.fetch(BASE_URI+'/api/rest/system/session/check',getUrlFetchOptions(token)).getContentText();
}catch(e){ //presumably an HTTP 401 will go here
return false;
var responseObject = JSON.parse(responseString);
return responseObject.authenticated;
return false;*/
Copy link

ghost commented Aug 7, 2013

Just a heads up:

When running this example on a domain, REDIRECT_URL= ScriptApp.getService().getUrl() returns a script URL that includes the domain. This is a different URL than the one returned in the web-app publishing console. Not sure why this inconsistency exists, but it caused me some trouble in trying to get this to work.

Ultimately had to hardcode the non-domain URL as the REDIRECT_URL value to get this working. Perhaps there's a programmatic way to correct for this...

Copy link

swaathi commented Jan 5, 2014

Hey Arun.

I was wondering why didn't you just use the UrlFetchApp.addOAuthService() function and all it's dependencies to achieve this? Do these functions work?

Also is there any tutorial on how to use the functions at to login to Facebook? The Twitter example here is pretty straight forward, but when I tried implementing it with Facebook, it didn't work out for me.

So could you help me out with authorizing Facebook with these functions such as addOAuthService() and setAuthorizationUrl() methods?


Copy link

michals commented Feb 22, 2014

can you provide usage example for doGet()?

Copy link

tmclnk commented May 21, 2014

@swaathi hopefully you got things squared away, but for anyone else who comes along, this example is for OAuth 2.0. If you try to connect to an OAuth 2.0 service with UrlFetch.addOAuthService in GAS you're likely to wind up angry and frustrated like these people.

Copy link

patwwh commented Jul 29, 2014

Hi Arun,
I start programming in Google Script after watching your video, and has developed an App. I want to further enabled its offline ability, so that user can use it in both online and offline. Could you help give a demo on authority issue for Drive App? There is too limited document about the authority and transition of Google Script to offline mode.

Copy link

@mclaughta update from Jan 9, 2015.

Google provided new library for oAuth 2.0.
You can find examples here:

Copy link

How to run it ?

Copy link

"doGet(e) runs when a user visits a web app or a program sends an HTTP GET request to a web app."

It appears to be a trigger and is found documented here:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment