v8 and other HTML service changes meant I had to make a few small changes to cGoa. The good news it’s easier to use than ever and supports a few new services too. It’s best to look at the service list on Github, as that’ll be kept up to date. Here’s a reminder of how to use it.

Once you’ve set up your credentials in the property store of choice (see one time settings later) for an example, there are just 3 steps. Here is the pattern for a 3 legged OAuth that needs user consent via a web page. This is the most complex type of OAuth.

How it works.

Oauth2 can be a maze of callbacks that are quite difficult to follow. With goa, you don’t need to bother with all of that as it’s taken care of automatically.

Step 1. Add a doGet() function to your app – whether or not it’s a web app and publish it. You can delete it later if your app is pure apps script.

You create a goa, which looks up the credentials for the name given (this will match with the name you used in the one time settings)

Step 2. Check to see if consent is needed. Goa manages refreshing tokens so if there is already one around from before, it won’t bother with the consent dialog.

What getConsent does is to create the consent dialog and link to the provider you are trying to authenticate to. Once that’s done it restarts the doGet(e). The e parameter this time tells it that the consent stage has already happened and how to discover what the result was. This is stored in the property store so future consent checks will first try to refresh any token it already knows about from previous times. That’s why the consent screen will generally only ever happen once.

Step 3. That’s it  – you should have the token available via goa. Every time you access it checks to ensure it hasn’t expired and gets a new one in the background if required.

You’ll want to close off the doGet now with some kind of message

Using the token

Unless you are actually creating a web app, you won’t need to bother with the doGet again. You’d just get it and use it like this in a server side app.

And that’s all there is to it.

One off function

Naturally, you have to go through the motions of creating an app with whichever provider you use. The format is pretty much standard across providers. Here’s a pattern to write those details to the property store. You can delete this function once you’ve run it.  Here’s an example of using the Linkedin API.


For more like this, see Oauth2 for Apps Script in a few lines of code.

Why not join our forum, follow the blog or follow me on Twitter to ensure you get updates when they are available.