authorisation scope
112 views
Skip to first unread message
Willem van der Velden
Apr 29, 2025, 9:31:37 AMApr 29
to Google Apps Script Community
I build a simple app script that gets the users of the domain and when the value is 'false' it pushes the signature.
I tried everything but I keep getting the error that there is an issue in the domain wide delegation scopes.
Anyone has any suggestions?
Based on the documentation the scope shoulde be: https://www.googleapis.com/auth/gmail.settings.sharing but I also added basic
I tried everything but I keep getting the error that there is an issue in the domain wide delegation scopes.
Anyone has any suggestions?
Based on the documentation the scope shoulde be: https://www.googleapis.com/auth/gmail.settings.sharing but I also added basic
Rost, Jay
Apr 30, 2025, 9:33:58 AMApr 30
to google-apps-sc...@googlegroups.com
Hey Willem,
ngl, you often get those messages and they don't always mean the error is with the scopes exactly. Have you checked the entire setup of auth? Consent screen, domain wide delegation, client ID, permissions, etc? Also, have you tried running the function directly from the Apps Script IDE (if that's an option)?
Kind regards,
Jay Rost
Lead Engineer Google Business
Business Unit Google | Seibert Group GmbH
(he/him)
Mobile: +49 151 41420625
E-Mail: jay....@seibert.group
Address: Luisenstraße 37-39 · D-65185 Wiesbaden
CEOs: J. Seibert, M. Seibert and S. Martini
Commercial register Wiesbaden: HRB11502
--
You received this message because you are subscribed to the Google Groups "Google Apps Script Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-script-c...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-apps-script-community/0ea7fabd-46bb-43e0-9d02-33cb2a508342n%40googlegroups.com.
Willem van der Velden
May 7, 2025, 12:35:03 PMMay 7
to Google Apps Script Community
Hi,
I tried triple checked everything regarding the authorisation and also tried on a different domain but still the same error.
Message has been deleted
Google Pony
May 9, 2025, 5:42:18 AMMay 9
to Google Apps Script Community
Hello, Willem.
This will help pinpoint if it’s a scope, delegation, or permissions issue. Let me know if you'd like help checking your manifest or impersonation code. Happy to collaborate further.
Domain-wide delegation (DWD) failures can be hard, but let's take a methodical approach to the problem. Here's a step-by-step method to diagnosing and resolving the issue:
1. Verify the OAuth Scope:
The error suggests a scope mismatch. For Gmail signatures, ensure:
The error suggests a scope mismatch. For Gmail signatures, ensure:
- Correct Scope: Use https://www.googleapis.com/auth/gmail.settings.basic (for signatures) and/or https://www.googleapis.com/auth/gmail.settings.sharing (if sharing settings).
- Manifest File: If using an Apps Script API, declare the scope in appsscript.json:
{
"oauthScopes": [
]
}
2. Confirm Domain-Wide Delegation Setup
- Admin Console:
- Go to Admin Console → Security → API Controls.
- Under Domain-wide Delegation, add your Service Account Client ID (from GCP).
- Scopes: Paste the exact OAuth scopes (comma-separated, no quotes):
- https://www.googleapis.com/auth/gmail.settings.basic, https://www.googleapis.com/auth/admin.directory.user.readonly
- Service Account:
- Use a .json key file and impersonate a super-admin:
- const serviceAccount = { /* ... */ };const jwtClient = new JWT({email: serviceAccount.client_email,key: serviceAccount.private_key,scopes: SCOPES,});
- Test in Apps Script IDE:
- Run the function directly (as Jay suggested) to isolate DWD issues.
- Check Logs:
- Use Stackdriver Logging in GCP to verify if the API calls are being made correctly.
- Minimal Example:
- const testGmailScope = () => {Logger.log(user); // Verify Directory API accessGmail.Users.Settings.SendAs.list("me"); // Verify Gmail API access}
- Super Admin Impersonation: The subject in JWT must be a super-admin.
- Scope Order: Ensure the scopes in GCP, DWD, and Apps Script match exactly.
- API Enablement: Verify Admin SDK and Gmail API are enabled in GCP Console.
5. Escalation Path:
If the issue persists:
If the issue persists:
- Google Issue Tracker: File a report here under "Admin SDK" or "Gmail API".
- Workspace Support: If you have a paid plan, contact Workspace Support.
- The exact error message (redacted if sensitive)?
- Whether the script works for your account but fails for others?
This will help pinpoint if it’s a scope, delegation, or permissions issue. Let me know if you'd like help checking your manifest or impersonation code. Happy to collaborate further.
Sincerely yours,
Sandeep Kumar Vollala
Consultant
Willem van der Velden
May 12, 2025, 7:51:13 PMMay 12
to Google Apps Script Community
Hi Sandeep (and also Jay),
I think that I will reach out to Google support to see if they can spot what is going on here. Let's hope its just a small thing that I didn't see all the 100 times I've checked it.
I'll let you know if there is any news
Thanks for you help so far! I still have the issue, the admin directory api is working fine but the gmail is still giving me problems.
```Gmail API error: GoogleJsonResponseException: API call to gmail.users.settings.sendAs.list failed with error: Delegation denied for us...@domain.com```
```Gmail API error: GoogleJsonResponseException: API call to gmail.users.settings.sendAs.list failed with error: Delegation denied for us...@domain.com```
I think that I will reach out to Google support to see if they can spot what is going on here. Let's hope its just a small thing that I didn't see all the 100 times I've checked it.
I'll let you know if there is any news
Ignacio Dominguez-Ramirez
May 13, 2025, 9:56:59 AMMay 13
to Google Apps Script Community
Hey Willem,
I've implemented this in our organization for our joiner, movers and leavers workflow. I found it easier to work with the APIs directly.
- I used the Google Workspace OAuth2 Library to facilitate in the OAuth process: https://github.com/googleworkspace/apps-script-oauth2 You can add the library with this script ID 1B7FSrk5Zi6L1rSxxTDgDEUsPzlukDsi4KGuTMorsTQHhGBzBkMun4iDF (full instructions in Github page)
- Once I added the library to the script, I unhid the appsscript.json page via the apps script properties and configured the json like so:
{
"timeZone": "Etc/UTC",
"exceptionLogging": "STACKDRIVER",
"runtimeVersion": "V8",
"dependencies": {
"enabledAdvancedServices": [
{
"userSymbol": "AdminDirectory",
"serviceId": "admin",
"version": "directory_v1"
}
],
"libraries": [
{
"userSymbol": "OAuth2",
"version": "43",
"libraryId": "1B7FSrk5Zi6L1rSxxTDgDEUsPzlukDsi4KGuTMorsTQHhGBzBkMun4iDF"
}
]
},
"oauthScopes": [
]
}
In the oauthScopes section of the json, you MUST explicitly list all the scopes you will require. Adding oauth scopes individually is necessary since we are essentially taking over google apps script's "automatic scope installation". In my example, I also query users in the domain, write to a google sheet and remove the work account from a user's mobile device hence the extra scopes.
- Now I create a separate authFunctions.gs file that holds all of the authentication functions I need like so:
/**
* Reset the authorization state, so that it can be re-tested.
*/
function reset() {
getService_().reset();
}
/**
* Configures the service.
*/
function getService_() {
const scriptProps = PropertiesService.getScriptProperties();
// Private key and client email of the service account.
const PRIVATE_KEY = scriptProps.getProperty('SA_KEY').replace(/\\n/g, '\n'); // Don't forget the .replace() part as it "fixes" the newline bits of the SA key
const CLIENT_EMAIL = scriptProps.getProperty('SA_EMAIL');
const CLIENT_ID = scriptProps.getProperty('CLIENT_ID');
// Email address of the user to impersonate.
let USER_EMAIL = scriptProps.getProperty('USER_EMAIL');
return OAuth2.createService("[ENTER ANY SERVICE NAME HERE]:" + USER_EMAIL) // example GWSETSIGNATURE:[USER_EMAIL]
// Set the endpoint URL.
// Set the private key and issuer.
.setPrivateKey(PRIVATE_KEY)
.setIssuer(CLIENT_EMAIL)
.setClientId(CLIENT_ID)
// Set the name of the user to impersonate. This will only work for
// Google Apps for Work/EDU accounts whose admin has setup domain-wide
// delegation:
.setSubject(USER_EMAIL)
// Set the property store where authorized tokens should be persisted.
.setPropertyStore(PropertiesService.getScriptProperties())
// Set the scope. This must match one of the scopes configured during the
// setup of domain-wide delegation.
.setScope("https://www.googleapis.com/auth/gmail.settings.basic https://www.googleapis.com/auth/gmail.settings.sharing");
}
- On the script properties, I create the necessary script properties we need which you should have set up when creating the service account (more info here) which are client id, client email, and private key:
Set the appropriate values to the keys shown above.
- Lastly is the code, in our case, we were setting the auto-reply so in my example we are using the users.settings.updateVacation method but your code for setting the signature will be similar, but using the users.settings.sendAs.patch method
function setAutoReply(leaverEmail, managerEmail) {
// resets all oauth to start fresh
reset();
// In our example the leaver is the user email so we set the USER_EMAIL to the leaver's email in the script properties
PropertiesService.getScriptProperties().setProperty('USER_EMAIL', leaverEmail);
// oauth2.[SERVICE_NAME_YOU_SPECIFIED]:[USER_EMAIL] <-- that will be the email you will be impersonating with domain wide delegation
let service = getService_();
let responseBody = `
<p>
Thank you for your email. I am no longer at <strong>EXAMPLE COMPANY</strong>.
</p>
<br>
Please contact ${managerEmail} for assistance.
<br>
Thank you
`;
let responseSubject = 'No Longer at EXAMPLE COMPANY:';
const responseDateStart = Date.now();
let autoReplySettings = {
"enableAutoReply": true,
"responseSubject": responseSubject,
"responseBodyHtml": responseBody,
"restrictToContacts": true,
"restrictToDomain": true,
};
let options = {
"method": "PUT",
"headers": {
"Authorization": `Bearer ${service.getAccessToken()}`,
},
"contentType": 'application/json',
"payload": JSON.stringify(autoReplySettings),
}
let setAutoReplyResult = UrlFetchApp.fetch(fullURL, options);
Logger.log(setAutoReplyResult);
return true;
}
In your case, your options variable will have "method": "PATCH", your "fullURL" would be https://gmail.googleapis.com/gmail/v1/users/${userId}/settings/sendAs/${sendAsEmail} making sure to pass on the appropriate userId and sendAsEmail (whether primary email or alias) and the payload will be an instance of SendAs, but because you are using PATCH instead of UPDATE, you can just specify the signature property which would kind of look like so:
let setSignature = {
"signature": "<p> HERE GOES MY SIGNATURE </p>"
}
I hope this gives you a different perspective on how you can implement your solution in a different manner. Please feel free to ask questions as I am not very skilled at breaking things down into digestable bites.
Thanks,
Nacho
Willem van der Velden
May 19, 2025, 8:51:52 AMMay 19
to Google Apps Script Community
Hi Nacho
thank you for the explanation. I think I understant when seeing it on my screen but when I try to implement it I get one error after the other. Maybe the steps I'm taking are too big. I just want to have the signature in a cell on a sheet, a list of email addresses in another sheet and that it fetch the details like first name, last name and mobile from the directory.
The approach you gave just keeps giving me other errors all the time.
Anyway you can help me with this?
Thanks in advance
thank you for the explanation. I think I understant when seeing it on my screen but when I try to implement it I get one error after the other. Maybe the steps I'm taking are too big. I just want to have the signature in a cell on a sheet, a list of email addresses in another sheet and that it fetch the details like first name, last name and mobile from the directory.
The approach you gave just keeps giving me other errors all the time.
Anyway you can help me with this?
Thanks in advance
Reply all
Reply to author
Forward
0 new messages