Edit

Share via

Authenticating with Google services

  • Article

If your script uses Google services, such as Google Drive, Sheets, and Mail, you need to get credentials. There are a few of options for getting the credentials:

  • Option 1 — Easy to follow and takes less time but you need to repeat it every hour when the access token expires.
  • Option 2 — A little more complicated but you only need to repeat it if the refresh token becomes invalid.
  • Option 3 — Also a little more complicated (uses the provided PowerShell script) but you only need to repeat it if the refresh token becomes invalid.

Option 1 - Getting an access token from Google OAuth playground

  1. Go to Google OAuth playground
  2. In Input your own scopes, paste https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/gmail.send
  3. Click Authorize APIs
  4. After the APIs are authorized, click Exchange authorization code for tokens
  5. Copy the access_token's value from the response
  6. In solutions like Discovering disapproved ads, which access Google services, set the credentials object's accessToken field to the access token copied in step 5.

Note

Because the access token expires in 1 hour, you'll need to repeat these steps every hour.

Option 2 - Getting a refresh token from Google OAuth playground

  1. Go to Google developer console API dashboard
  2. Click Create a project to create a new project or select an existing project
    1. If creating a new project, enter the name of your project in Project Name. For example, Scripts.
    2. Click Create
  3. On Dashboard, click ENABLE APIS AND SERVICES
  4. In the search box, enter sheets and click Google Sheets API. Then, click ENABLE
  5. Go back to the dashboard (click APIs & Services) and repeat steps 3 and 4 for Google Drive API
  6. Go back to the dashboard (click APIs & Services) and repeat steps 3 and 4 for Gmail API
  7. On Dashboard, click Credentials in the left navigation pane and then click CONFIGURE CONSENT SCREEN. If asked to select a User Type, select External, then click Create
  8. Enter the name of your application in the Application name field (for example, Scripts client) and enter your email in the fields that ask for it, then click SAVE AND CONTINUE
  9. Click ADD OR REMOVE SCOPES, select ../auth/drive and ../auth/gmail.send, and then click Update
  10. Click SAVE AND CONTINUE
  11. Click ADD USERS, enter your Google email and click ADD
  12. On Dashboard, click Credentials in the left navigation pane, then click Create credentials and select Oauth client ID
  13. Select Web application Application type. Next, enter a name such as Scripts web app in the Name field. Then, add https://developers.google.com/oauthplayground to Authorized redirect URIs. Finally, click Create
  14. Copy your client ID and client secret to use in steps 18, 19, and 24 and then click OK
  15. Go to Google OAuth playground
  16. Click the OAuth 2.0 Configuration icon (looks like a gear in upper right corner)
  17. Check the Use your own OAuth credentials box
  18. Paste your client ID into OAuth Client ID
  19. Paste your client secret into OAuth Client secret
  20. In Input your own scopes, paste https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/gmail.send
  21. Click Authorize APIs and follow the prompts to provide consent

Note

When authorizing APIs in the playground, if you see a dialog that says, "This app isn't verified", click Advanced and then Go to [app name] (unsafe). 22. After the APIs are authorized, click Exchange authorization code for tokens 23. Copy the token from Refresh token to use in step 24 24. In solutions like Discovering disapproved ads, which access Google services, set the credentials object's clientId, clientSecret, and refreshToken fields to the values you received in steps 13 and 22.

Option 3 - Getting a refresh token using a PowerShell script

  1. Go to Google developer console API dashboard
  2. Click Create a project to create a new project or select an existing project
    1. If creating a new project, enter the name of your project in Project Name. For example, Scripts.
    2. Click Create
  3. On Dashboard, click ENABLE APIS AND SERVICES
  4. In the search box, enter sheets and click Google Sheets API. Then, click ENABLE
  5. Go back to the dashboard (click APIs & Services) and repeat steps 3 and 4 for Google Drive API
  6. Go back to the dashboard (click APIs & Services) and repeat steps 3 and 4 for Gmail API
  7. On Dashboard, click Credentials in the left navigation pane and then click CONFIGURE CONSENT SCREEN. If asked to select a User Type, select External, then click Create
  8. Enter the name of your application in the Application name field (for example, Scripts client) and enter your email in the fields that ask for it, then click SAVE AND CONTINUE
  9. Click ADD OR REMOVE SCOPES, select ../auth/drive and ../auth/gmail.send, and then click Update
  10. Click SAVE AND CONTINUE
  11. Click ADD USERS, enter your Google email and click ADD
  12. On Dashboard, click Credentials in the left navigation pane, then click Create credentials and select Oauth client ID
  13. Select Desktop app application type, enter a name (for example, Scripts client creds), and click Create
  14. Copy your client ID and client secret to use in steps 15 and 16 and then click OK
  15. Create a PowerShell script to get user consent and a refresh token.

Getting an access token requires user consent unless you have a refresh token. But because Scripts doesn't support UI components, you'll need to get consent another way. This PowerShell provides an option for getting consent and a refresh token.

Open Notepad or your favorite editor and copy the PowerShell script to the editor. Set $clientId and $clientSecret to the client ID and secret you received when you registered your app (see step 13).

$clientId = "your-client-id"
$clientSecret = "your-client-secret"

$scopes = "https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/gmail.send"

Start-Process "https://accounts.google.com/o/oauth2/v2/auth?client_id=$clientId&scope=$([string]::Join("%20", $scopes))&access_type=offline&response_type=code&redirect_uri=urn:ietf:wg:oauth:2.0:oob"    
 
$code = Read-Host "Please enter the code"
   
$response = Invoke-WebRequest https://www.googleapis.com/oauth2/v4/token -ContentType application/x-www-form-urlencoded -Method POST -Body "client_id=$clientid&client_secret=$clientSecret&redirect_uri=urn:ietf:wg:oauth:2.0:oob&code=$code&grant_type=authorization_code"
  
Write-Output "Refresh token: " ($response.Content | ConvertFrom-Json).refresh_token

Save the file and name it GetTokens.ps1 (you can name it anything you want but the extension must be .ps1).

Now open a console window. To open a console window on Microsoft Windows, enter the following Windows Run command (<Windows button>+r):

cmd.exe

At the command prompt, navigate to the folder where you saved GetTokens.ps1 and enter the following command:

powershell.exe -File .\GetTokens.ps1

When the PowerShell script successfully runs, it starts a browser session where you enter your Google credentials. After consenting, the webpage contains the grant code (see Please copy this code...).

Copy the grant code and enter it in the console window at the prompt. The PowerShell script then returns a refresh token. Copy the refresh token. You should treat the refresh token like you would a password; if someone gets hold of it, they have access to your resources.

  1. In solutions like Discovering disapproved ads, which access Google services, set the credentials object's clientId, clientSecret, and refreshToken fields to the values you received in steps 13 and 14.