即使单击“允许”后，也会出现“执行该操作需要授权”消息

Question

我最近遇到了一个授权新的 Google App Script 项目的问题，特别是使用 Cloud SQL 管理 API 的项目。

相同的代码存在于之前授权的 GAS 项目中并且工作正常，但是如果我获取 GAS 项目的副本并尝试第一次运行某个函数，我将无法完成授权过程。下面列出了我正在经历的屏幕：

1. 需要授权。- 单击“查看权限”
2. 选择一个帐户来授权Google项目。- 点击我的帐户
3. 此应用程序未经验证！- 单击“转到项目（不安全）”
4. Google 项目想要访问此范围列表。- 单击“允许”
5. 执行该操作需要授权。

警告屏幕 (3) 是该过程中最近添加的内容。我不记得今年早些时候创建和运行新项目时遇到过它。我想知道 Google 最近是否对其 OAuth2.0 的安全实现进行了任何更改。

此外，此问题似乎仅影响对 Cloud SQL 管理 API 的 REST 调用。在上面提到的同一个项目中，我能够运行将数据写入同一 Google 项目中的 BigQuery 表的函数，该项目也托管 Cloud SQL 实例。显然，某些范围和代码可以工作。

“ https://www.googleapis.com/auth/sqlservice.admin ”范围包含在我请求并批准的范围列表中。我什至尝试手动编辑 URL 以添加更多请求的范围，但它仍然无法让我通过“执行该操作需要授权”屏幕。

有人有什么想法吗？

编辑：

触发身份验证的相关代码。

// Function to get the ip address of a given CloudSQL instance
function _getInstanceIpAddress_(projectId, sqlInstance) {

  var token = _getAuthenticationToken_();

  // Create the header authorisation  
  var headers = {
    "Authorization": "Bearer " + token
  };

  // Create the Cloud SQL instances get parameters
  var parameters = {
    "method": "get",    
    "headers": headers,
    "instance": sqlInstance,
    "project": projectId,
    "muteHttpExceptions": true
  };

  // Create the url of the sql instances get API    
  var api = "https://www.googleapis.com/sql/v1beta4/projects/" + projectId + "/instances/" + sqlInstance + "?fields=ipAddresses";   

  try {
    // Use the url fetch service to issue the https request and capture the response
    var response = UrlFetchApp.fetch(api, parameters);    

    // Extract the ip address of the instance from the response
    var content = JSON.parse(response.getContentText());

    return content.ipAddresses[0].ipAddress; 
  } catch(err) {
    _log_('ERROR', 'Getting ' + sqlInstance + ' instance ip address failed: ' + err);
    return null;
  }
}

function _getAuthenticationToken_() {
  // Check we have access to the service
  var service = getService();
  if (!service.hasAccess()) {
    var authorizationUrl = service.getAuthorizationUrl();
    _log_('INFO', 'Open the following URL and re-run the script: ' + authorizationUrl);
    return;
  }

  Logger.log('Passed Authentication');

  //Get the Access Token
  return service.getAccessToken();

  function getService() {
    // Create a new service with the given name. The name will be used when
    // persisting the authorized token, so ensure it is unique within the
    // scope of the property store.
    return OAuth2.createService('companyName-dev-service')

    // Set the endpoint URLs, which are the same for all Google services.
    .setAuthorizationBaseUrl('https://accounts.google.com/o/oauth2/auth')
    .setTokenUrl('https://accounts.google.com/o/oauth2/token')

    // Set the client ID and secret, from the Google Developers Console.
    .setClientId(CLIENT_ID)
    .setClientSecret(CLIENT_SECRET)

    // Set the name of the callback function in the script referenced
    // above that should be invoked to complete the OAuth flow.
    .setCallbackFunction('authCallback')

    // Set the property store where authorized tokens should be persisted.
    .setPropertyStore(PropertiesService.getUserProperties())

    // Set the scopes to request (space-separated for Google services).
    // this is admin access for the sqlservice and access to the cloud-platform:
    .setScope(
      'https://www.googleapis.com/auth/sqlservice.admin ' + 
      'https://www.googleapis.com/auth/cloud-platform')

    //Removed because this Should be covered by cloud-platform
    //'https://www.googleapis.com/auth/devstorage.read_write ' 

    // Below are Google-specific OAuth2 parameters.

    // Sets the login hint, which will prevent the account chooser screen
    // from being shown to users logged in with multiple accounts.
    .setParam('login_hint', Session.getActiveUser().getEmail())

    // Requests offline access.
    .setParam('access_type', 'offline')

    // Forces the approval prompt every time. This is useful for testing,
    // but not desirable in a production application.
    .setParam('approval_prompt', 'force');
  }

  function authCallback(request) {
    var cloudSQLService = getService();
    var isAuthorized = cloudSQLService.handleCallback(request);

    if (isAuthorized) {
      _log_('INFO', 'Access Approved');
      return HtmlService.createHtmlOutput('Success! You can close this tab.');
    } else {
      _log_('INFO', 'Access Denied');
      return HtmlService.createHtmlOutput('Denied. You can close this tab');
    }
  }
}

Answer 1

我们在 Google Compute Engine API 上也遇到了类似的问题。按照本文在 appsscript.json 文件中显式设置范围为我们解决了这个问题：

"oauthScopes": [
    "https://www.googleapis.com/auth/spreadsheets.readonly",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/script.container.ui",
    "https://www.googleapis.com/auth/script.external_request",
    "https://www.googleapis.com/auth/spreadsheets",
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/cloud-platform"
  ],