How to authorize with oauth 2.0 from appscript to

Posted 2019-01-10 21:42

Question:

I'm playing around with AppScript and trying to get an OAuth 2.0 access token.

Any sample out there how to get this working in AppScript?

Answer 1:

I am working on a cleaner tutorialized version of this, but here is a simple Gist that should give you some sample code on how things would work -

https://gist.github.com/4079885

It still lacks logout, error handling and the refresh_token capability, but at least you should be able to log in and call an OAuth 2 protected Google API (in this case it's a profile API).

You can see it in action here -

https://script.google.com/macros/s/AKfycby3gHf7vlIsfOOa9C27z9kVE79DybcuJHtEnNZqT5G8LumszQG3/exec

The key is to use the OAuth 2 Web Server flow. Take a look at the getAndStoreAccessToken function in the gist to get the key details.

I hope to have this published in the next few weeks but hopefully this will help in the meantime.

UPDATE - adding in info on redirect_uri

The client secret is tied to specific redirect URIs that the authorization code is returned to.

You need to set that at - https://code.google.com/apis/console/

The highlighted URI needs to match the published URI (ends in /exec). You get the published URI from the script editor under Publish -> Deploy as web app. Make sure you are saving new versions and publishing the new versions when you make changes (the published URI stays the same).



Answer 2:

I've modified the example above to use the newish state token API and the CacheService instead of UserProperties, which is now deprecated. Using the state token API seems to make things a little more secure, as the callback url will stop accepting a state token after a timeout.

The same caveats apply. Your redirect URIs have to be added to your (script) project in the developer's console, meanwhile you have to yank the CLIENT_SECRET and CLIENT_ID from the console and paste them in. If you're working within a domain, there don't seem to be any guarantees on what URL will be returned by ScriptApp.getService().getUrl(), so I wound up basically having it get the address dynamically, then waiting for it to fail on the (second) redirect, and then hard-coding the resulting URI.

https://gist.github.com/mclaughta/2f4af6f14d6aeadb7611



Answer 3:

Note that you can build an OAuth2 flow using this new API, but it's not a complete sample yet: https://developers.google.com/apps-script/reference/script/script-app#newStateToken()

In particular, you should not pass 'state' directly to the /usercallback URL yourself, because the OAuth2 service provider is responsible for round-tripping the 'state' parameter. (Instead, you pass 'state' to the auth URL, and the service provider automatically attaches it to the callback URL.)
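
The state round trip described in the answers above, as an added example for Apps Script that is not taken from either gist: the state token is placed on the provider's authorization URL, and the callback exchanges the returned code for a token. `CLIENT_ID` and `CLIENT_SECRET` are placeholders, and the function name `authCallback`, the cache key and the choice of Google's current OAuth 2 endpoints are assumptions of this example.

```javascript
// Apps Script example (added, not from the gists). Credentials are placeholders.
var CLIENT_ID = 'YOUR_CLIENT_ID';
var CLIENT_SECRET = 'YOUR_CLIENT_SECRET';
var AUTH_URL = 'https://accounts.google.com/o/oauth2/v2/auth';
var TOKEN_URL = 'https://oauth2.googleapis.com/token';

// Redirect URI to register in the console; /usercallback checks the state token.
function getCallbackUrl() {
  return 'https://script.google.com/macros/d/' + ScriptApp.getScriptId() + '/usercallback';
}

function toQuery(params) {
  return Object.keys(params).map(function (k) {
    return encodeURIComponent(k) + '=' + encodeURIComponent(params[k]);
  }).join('&');
}

// Step 1: 'state' goes on the provider's auth URL, not on /usercallback directly.
function buildAuthUrl() {
  var state = ScriptApp.newStateToken()
      .withMethod('authCallback') // function Apps Script invokes on return
      .withTimeout(120)           // seconds before the token stops being accepted
      .createToken();
  return AUTH_URL + '?' + toQuery({
    client_id: CLIENT_ID, redirect_uri: getCallbackUrl(),
    response_type: 'code', scope: 'https://www.googleapis.com/auth/userinfo.profile',
    state: state
  });
}

// Step 2: Apps Script calls this through /usercallback after checking the state token.
function authCallback(e) {
  if (e.parameter.error || !e.parameter.code) {
    return HtmlService.createHtmlOutput('Authorization was denied or failed.');
  }
  var resp = UrlFetchApp.fetch(TOKEN_URL, {
    method: 'post', muteHttpExceptions: true,
    payload: {
      code: e.parameter.code, client_id: CLIENT_ID, client_secret: CLIENT_SECRET,
      redirect_uri: getCallbackUrl(), grant_type: 'authorization_code'
    }
  });
  if (resp.getResponseCode() !== 200) {
    return HtmlService.createHtmlOutput('Token exchange failed.');
  }
  var token = JSON.parse(resp.getContentText());
  CacheService.getUserCache().put('access_token', token.access_token, token.expires_in || 3600);
  return HtmlService.createHtmlOutput('Authorized. You can close this tab.');
}
```

The `redirect_uri` sent in the token exchange has to be the same value used in the authorization request and registered in the console, otherwise the exchange is rejected.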