Skip to content

Instantly share code, notes, and snippets.

@tanaikech
Created May 23, 2018 06:56
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save tanaikech/608e65fee105989df1a7b645c20572c2 to your computer and use it in GitHub Desktop.
Remove Third-party Apps with Account Access using Google Apps Script

Remove Third-party Apps with Account Access using Google Apps Script

Overview

This is a method for removing Third-party Apps with Account Access using a script.

Demo

Description

When users create a script in a project and run the script, if the methods which are required to use scopes are included, users have to authorize to use the scopes using the browser. By authorizing it, users can use the script. The authorized projects can be seen at Third-party Apps with Account Access. One day, I had a situation that it required to remove the authorization of project, because of the security. Third-party Apps with Account Access can be manually removed as you know. But at that time, I wanted to remove using a script. So I came up with this method.

This method achieve to remove Third-party Apps with Account Access by revoking access token of the project. In document, according to the official Google's document, the access token retrieved by refresh token can be revoked. When the access token was revoked, both the access token and the refresh token are revoked. I thought that this might be able to be also used for the project of standalone type and the container-bound script type. So I have tried and could confirm that it worked.

Usage

It supposes that a project has already been created and the authorization has also already been done. Under this situation, run the following sample script.

function myFunction() {
  var url = "https://accounts.google.com/o/oauth2/revoke?token=" + ScriptApp.getOAuthToken();
  var res = UrlFetchApp.fetch(url);
  Logger.log(res.getResponseCode());
}

This sample script revokes the access token retrieved by ScriptApp.getOAuthToken(). I thought that ScriptApp.getOAuthToken() may retrieve the access token using a refresh token. If this access token was revoked, the refresh token is also revoked, and when the script is run again, the authorization is required again. My estimation was correct.

This is a sample script of Google Apps Script. But if you want to revoke it from outside of the script editor, for example, you can use the following curl sample.

curl https://accounts.google.com/o/oauth2/revoke?token=#####

References

If this information is useful for you, I'm glad.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment