authentication - What is the Authorized Javascript Origin for a webapp powered by Google Script?

Question

I'm building a webapp with the Google Script engine. Te application uses the Sign in With Google button to log in, so I need a project with a Credential in the Google Cloud Platform which asks me to introduce a domain in the Authorized JavaScript Origin field. Domains of the kind xxx.googleusercontent.com used to work but now they appear to be forbidden. Google Cloud Platform Credentials

Since the app is hosted by Google Script platform, I've tried the URI https://script.google.com, but it does not work. It keeps on saying:

Not a valid origin for the client: https://n-lvkfgw4qjsttvut5eeun3inieub2bbse7ukpiti-0lu-script.googleusercontent.com has not been registered for client ID 577491057122-qlfn0853m85t0u7gsd4rr69rulghts54.apps.googleusercontent.com. Please go to https://console.developers.google.com/ and register this origin for your project's client ID." ? error: "idpiframe_initialization_failed"

Does anybody know anything about this issue?

Answer 1

There was a discussion about this on a bug reported on Google's Issue Tracker - this has become disallowed due to security concerns. There is, therefore, no current way to use an Apps Script Web App as a JavaScript origin at all.

More Information:

The bug report in question:

• Fail to Add *.googleusercontent.com into Authorized JavaScript origins

An investigation was conducted as there was seemingly no public information about the change. On March 31st 2021, a Googler eventually responded, explaining the reason for the change and closed the issue as intended behaviour:

Current policies for use of OAuth 2.0 require apps to use secure JavaScript origins and redirects on domains that you own. While the use of certain shared domains is allowed (e.g. Firebase apps running on *.web.app), the use of *.googleusercontent.com as OAuth origins or redirect URIs is blocked in order to ensure the security and privacy of user accounts.

Documentation has been updated at Redirect URI validation rules and JavaScript origin validation rules has been updated in order to reflect this:

Host domains cannot be “googleusercontent.com”.

I hope this is helpful to you!