Authorization failures after OAuth callback when appsscript.json is modified in HEAD without changing the deployed version #552
Description
Hi Team, I am from Databricks and we use googleworkspace/apps-script-oauth2 in the public Databricks Connector for Google Sheets add‑on to authenticate users to their Databricks workspaces, with tokens persisted via PropertiesService as recommended by the library. During a recent incident window last week, a subset of users began seeing “Authorization is required to perform that action” immediately after completing what appeared to be a successful OAuth login, and this timing coincided with changes made only in the HEAD appsscript.json and script code while the production deployment remained pinned to an older version.
In these cases, Databricks had already authenticated the user and returned an access token to the Sheets add‑on, and the OAuth client’s handleCallback was invoked as expected, but the same client’s hasAccess immediately returned false, leaving the Databricks Connector without a usable token and preventing affected users from running any connector features. Reverting HEAD (manifest and code) to match the deployed version resolved the problem without changing the deployment itself, which strongly suggests an interaction between the library’s authorization state handling and Apps Script’s separation (or lack thereof) between HEAD and versioned deployments.
