/**
* This sample demonstrates how to connect to an application protected by Google
* Cloud's Identity-Aware Proxy (IAP).
* @see https://cloud.google.com/iap/docs/authentication-howto
*/
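// A client ID and secret created for this script. It must be in the same Cloud
// Console project as the IAP-secured application.
//
// SECURITY: these are placeholders. Do not commit a real client secret to
// source control or leave it in a script that other people can view or copy.
// Prefer reading it at runtime from script properties
// (PropertiesService.getScriptProperties()), which only the script owner can
// edit, so the secret never lives in the source.
var CLIENT_ID = '...';
var CLIENT_SECRET = '...';
// The OAuth client created automatically when you enabled IAP on your
// application. Can be found by clicking "Edit OAuth Client" in the IAP
// interface. Only the client ID is needed here: it becomes the "audience" of
// the id_token that IAP verifies. The IAP client's secret is never used.
var IAP_CLIENT_ID = '...';
// A URL endpoint for your IAP-secured application. This should be an https
// URL: the id_token is sent as a bearer token and must not travel in clear.
var IAP_URL = '...';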
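/**
 * Authorizes and makes a request to an endpoint protected by the Cloud
 * Identity-Aware Proxy.
 *
 * If the script has not been authorized yet, the authorization URL is logged
 * instead and no request is made; complete the consent flow in a browser and
 * run the function again.
 *
 * @throws {Error} If the IAP-secured endpoint answers with a non-2xx status
 *     (for example a 401/403 from IAP itself).
 */
function run() {
  var service = getService_();
  if (!service.hasAccess()) {
    var authorizationUrl = service.getAuthorizationUrl();
    Logger.log('Open the following URL and re-run the script: %s',
        authorizationUrl);
    return;
  }

  var response = UrlFetchApp.fetch(IAP_URL, {
    headers: {
      // As per the IAP documentation, use the id_token, not the access_token,
      // to authorize the request. The id_token's audience is the IAP client
      // ID (set by the token payload handler in getService_). Never log the
      // token itself.
      Authorization: 'Bearer ' + service.getIdToken()
    },
    // Inspect the status ourselves so an IAP denial is reported with its HTTP
    // code instead of surfacing as a generic fetch exception.
    muteHttpExceptions: true
  });

  var code = response.getResponseCode();
  var body = response.getContentText();
  if (code < 200 || code >= 300) {
    throw new Error('Request to IAP-secured endpoint failed with HTTP ' +
        code + ': ' + body);
  }

  // getContentText() already returns a string; the original wrapped it in
  // JSON.stringify, which only added surrounding quotes and escaping.
  // Note that this logs the application's response body, which may be
  // sensitive: trim this down before using the pattern outside a sample.
  Logger.log(body);
}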
/**
 * Clears the stored OAuth state for the current user so the authorization
 * flow can be exercised again from scratch.
 */
function reset() {
  var service = getService_();
  service.reset();
}
/**
 * Builds the OAuth2 service used to obtain an id_token for the IAP-secured
 * application.
 *
 * @return {!Object} The configured OAuth2 service.
 */
function getService_() {
  // The token request must carry the IAP client ID as the "audience" so the
  // resulting id_token is minted for, and accepted by, the proxy.
  var addIapAudience = function(payload) {
    payload.audience = IAP_CLIENT_ID;
    return payload;
  };

  var service = OAuth2.createService('CloudIAP');

  // Google's authorization and token endpoints.
  service.setAuthorizationBaseUrl('https://accounts.google.com/o/oauth2/auth');
  service.setTokenUrl('https://oauth2.googleapis.com/token');

  // Credentials of the OAuth client created for this script (not the IAP
  // client).
  service.setClientId(CLIENT_ID);
  service.setClientSecret(CLIENT_SECRET);

  // Function invoked by the redirect URI once the user has consented.
  service.setCallbackFunction('authCallback');

  // Tokens are persisted per user rather than in script-wide properties, so
  // one user's credentials are never handed to another user of the script.
  service.setPropertyStore(PropertiesService.getUserProperties());

  // "openid email" yields an id_token that identifies the user by email.
  // access_type=offline together with approval_prompt=force asks Google for a
  // refresh token, presumably so the library can renew the short-lived token
  // without re-prompting the user — NOTE(review): confirm the library also
  // refreshes the id_token, not only the access_token, on renewal.
  service.setScope('openid email');
  service.setParam('access_type', 'offline');
  service.setParam('approval_prompt', 'force');
  service.setParam('login_hint', Session.getActiveUser().getEmail());

  service.setTokenPayloadHandler(addIapAudience);

  return service;
}
/**
 * Completes the OAuth flow when Google redirects back to the script.
 *
 * @param {!Object} request The callback request passed by the platform.
 * @return {!HtmlService.HtmlOutput} A fixed page telling the user whether
 *     authorization was granted. Nothing from the request is echoed back.
 */
function authCallback(request) {
  // NOTE(review): handleCallback is expected to validate the state parameter
  // against the pending request before exchanging the code; do not bypass it
  // or build a custom callback around it — confirm against the library.
  var granted = getService_().handleCallback(request);
  var message = granted ? 'Success!' : 'Denied.';
  return HtmlService.createHtmlOutput(message);
}
/**
 * Logs the redirect URI that must be registered as an authorized redirect URI
 * for the script's OAuth client in the Google Cloud Console.
 */
function logRedirectUri() {
  var redirectUri = OAuth2.getRedirectUri();
  Logger.log(redirectUri);
}