Unable to Authenticate for Running Apps Script Functions with OAuth Scopes (GmailApp, DriveApp, etc.)

[gbrParanhos]

I'm having trouble authenticating my Apps Script project in a way that allows me to run functions using the built-in services like GmailApp, DriveApp, SpreadsheetApp, etc.

I followed the instructions in the run.md file in the project's docs folder, specifically:

Run a function that requires scopes
Many Apps Script functions require special OAuth Scopes (Gmail, Drive, etc.).

To run functions that use these scopes, you must add the scopes to your Apps Script manifest and clasp login again.

clasp open
File > Project Properties > Scopes
Add these scopes to your appsscript.json.
Log in again: clasp login --creds creds.json. This will add these scopes to your credentials.
Run: clasp run --user sendMail

Even after following the steps, I get the following error:

Exception: You do not have permission to call DriveApp.getFilesByName. Required permissions: (https://www.googleapis.com/auth/drive.readonly || https://www.googleapis.com/auth/drive) [ { function: 'MyFunction', lineNumber: 5 } ]

My appsscript.json File:

{
  "timeZone": "America/Sao_Paulo",
  "dependencies": {
    "enabledAdvancedServices": [
      {
        "userSymbol": "Drive",
        "version": "v3",
        "serviceId": "drive"
      },
      {
        "userSymbol": "Sheets",
        "version": "v4",
        "serviceId": "sheets"
      }
    ]
  },
  "exceptionLogging": "STACKDRIVER",
  "runtimeVersion": "V8",
  "executionApi": {
    "access": "ANYONE"
  },
  "oauthScopes": [
    "https://www.googleapis.com/auth/script.external_request",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/spreadsheets"
  ]
}

Am I missing any additional steps to properly authenticate and gain access to these scopes? Is there a different way to authorize Apps Script functions when running them via clasp?

Any help would be greatly appreciated!

[sqrrrl]

If using 3.0-alpha, can you try:

clasp login --creds <client secrets file> --use-projects-scopes --user <name>
clasp run --user <name>

Looks like you set the project up correctly since it's complaining about the scope as opposed to rejecting it outright, so issue is more that the authorization request just didn't include the scopes needed by the script.

I think the run instructions are a little out dated, but let me know if that works and I'll update.

[gbrParanhos]

Hi Steve, thanks for your response.

I tried using the --use-project-scopes flag, but I encountered another issue. When I run the command, I see the following logs:

Authorizing with the following scopes:
https://www.googleapis.com/auth/script.external_request
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/spreadsheets
🔑 Authorize clasp by visiting this URL: 
https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A60502&access_type=offline&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fscript.external_request%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fspreadsheets&response_type=code&client_id=<my-id>.apps.googleusercontent.com

This seems to indicate that the new flag correctly loads the project scopes. However, after granting authorization on the redirected website, I receive the following error:

Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.

The user is created successfully, but when I try to run any clasp command using this user, I get "Insufficient Permission" errors.

Additionally, on the permission screen, it looks like only the last scope in the list "https://www.googleapis.com/auth/spreadsheets" is recognized. I didn’t see any references to the other scopes (drive and script.external_request):

Interestingly, when I remove spreadsheets from the list, the behavior changes (though the errors still persist):

Do you have any idea what might be happening?

[sqrrrl]

A few things to check:

• Was the "Request is missing required authentication credential." error during the login command itself or afterwards when running a different command?
• Re: Insufficient Permission, which commands? It should fail for any command other than clasp run for your script since it's not set up for the other APIs and scopes required for clasp itself. If the clasp run command works, then it's good as far as this issue is concerned.
• The scope screen thing is interesting. Not sure if that was because of partial consent and the first time through not all scopes were selected. Would be helpful if you go to https://myaccount.google.com/connections and revoke access, then repeat the clasp login... command to see if it shows all scopes or not on the consent screen. If it has all and shows checkboxes, make sure to select all

[sqrrrl]

re: Request is missing required auth... error, safe to ignore that and will fix in next release. It's due to an error fetching user info with those tokens, but it's just for printing an informational message about the user. It's expected to fail with insufficient scopes, had a bug in the error handling.

[gbrParanhos]

I checked again, and the "Insufficient Permission" issue does not actually occur with clasp run, as you mentioned. I initially jumped to a conclusion when I saw errors in other commands. The scopes are now working correctly (including those that do not appear on the "scope screen").

Regarding your question:
"Was the 'Request is missing required authentication credential.' error during the login command itself or afterwards when running a different command?"

Yes, the error occurred during the login command.

Thank you so much for your support, Steve!