I've built a Google Apps Script web application. For Google Drive related features the application requires auth/drive.install (to integrate with Drive UI) and auth/drive.file (to store some data associated with a file in the related file properties) scopes. Other scopes are auth/urlshortener, auth/userinfo.email, and auth/userinfo.profile. The two latter are required for auth purposes, as far as I understand.
The above scopes are specified at oauth dance within the app. However, at app installation the following scopes are presented to a user:
auth/drive scope
auth/urlshortener
auth/script_* scopes
This correlates with scopes from the script properties.
5 OAuth Scopes required by the script:
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/script.external_request
https://www.googleapis.com/auth/script.scriptapp
https://www.googleapis.com/auth/script.storage
https://www.googleapis.com/auth/urlshortener
Obviously, auth/drive and auth/urlshortener are added as a result of Advanced Google Services use, that are turned on in both GAS IDE (Resources > Advanced Google services) and Developer's Console.
GAS IDE doesn't allow specifying any scope narrower than e.g. auth/drive.
Google Apps Marketplace SDK configuration in Developer's Console doesn't allow adding any specific scopes for some reason. Actually, it allows adding but doesn't save any.
Recently Google introduced a review procedure for OAuth clients requesting sensitive OAuth scopes and auth/drive is definitely one of them.
I do not need the entire auth/drive scope and also I do not want users seeing anything like this:
This app isn't verified
Is there a way to narrow down the drive scope via GAS IDE or Developer's Console?
The script itself doesn't employ any auth/script_* functionality. Those were added somehow implicitly since I employed node google apps script module for development. I don't need user's permission for those. How to get rid of that?
Any workarounds?
Just dealing with this myself.
I found the following references from Google helpful https://developers.google.com/apps-script/concepts/scopes ("Setting explicit scopes" option) and https://developers.google.com/apps-script/concepts/manifests
Summary: You have to edit the appsscript.json manifest file. This isn't visible by default in your file list. Click on menu "View"->"Show manifest file" to make it so.
Then add an "oauthScopes" section to the manifest with an array containing the scopes you find under menu "File"->"Project properties" in the "Scopes" tab (of course make it a proper JSON array). Pare down the excess scopes and/or swap out for less permissive scopes (readonly instead of full access, etc).
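A build-time check for the manifest edit described above, as an added example that is not part of the original answer: it flags an appsscript.json that has no oauthScopes array or that lists scopes outside a reviewed allowlist. The allowlist is taken from the scopes the question names; auditManifest, the narrower-scope hints and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): lint appsscript.json OAuth scopes.
const PREFIX = "https://www.googleapis.com/auth/";

// Scopes the question says the app actually needs (the reviewed allowlist).
const ALLOWED = ["drive.install", "drive.file", "urlshortener",
                 "userinfo.email", "userinfo.profile"].map((s) => PREFIX + s);

// Narrower alternatives to suggest for a broad scope (not exhaustive).
const NARROWER = { [PREFIX + "drive"]: ["drive.file", "drive.readonly"] };

// Returns a list of findings; an empty list means the manifest passes.
function auditManifest(manifestText, allowed = ALLOWED) {
  const manifest = JSON.parse(manifestText);
  if (!Array.isArray(manifest.oauthScopes)) {
    // Without explicit scopes, Apps Script auto-detects them from the code.
    return ["oauthScopes missing: scopes will be auto-detected"];
  }
  const findings = [];
  for (const scope of manifest.oauthScopes) {
    if (allowed.includes(scope)) continue;
    const hint = NARROWER[scope]
      ? ` (consider ${NARROWER[scope].join(" or ")})`
      : "";
    findings.push(`unexpected scope ${scope}${hint}`);
  }
  return findings;
}

// Constructed sample: the five auto-detected scopes listed in the question,
// copied into oauthScopes without paring anything down.
const broadManifest = JSON.stringify({
  timeZone: "Etc/UTC",
  oauthScopes: ["drive", "script.external_request", "script.scriptapp",
                "script.storage", "urlshortener"].map((s) => PREFIX + s),
});

// Constructed sample: the same manifest after narrowing to the allowlist.
const narrowManifest = JSON.stringify(
  { timeZone: "Etc/UTC", oauthScopes: ALLOWED }, null, 2);

console.log(auditManifest(broadManifest)); // four findings
console.log(narrowManifest);               // the pared-down manifest
console.log(auditManifest(narrowManifest)); // no findings
```

Once oauthScopes is set, only the listed scopes are requested, so a scope the code still needs shows up as an authorization error at run time; exercise every code path after narrowing.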