How do I embed a standalone Google Apps Script web app that requires authorization into the new Google Sites?
I created a standalone Google Apps Script web app that I am trying to embed into new Google Sites. It works correctly when I'm signed into the account used to create the Apps Script project. However, if I'm logged into another account that has not yet authorized the web app, the Google Sites page loads, but the iFrame with the embedded Apps Script project does not load correctly.
Instead the iFrame shows "accounts.google.com refused to connect" and the console shows "Refused to display 'https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Fscript.google.com%2Fmacros%2Fs%2FAKfycbzizTNkflSXZbKSF8TTxTR5QoF4LAhPPuSq-1juFdIOdL_IlFM%2Fexec&followup=https%3A%2F%2Fscript.google.com%2Fmacros%2Fs%2FAKfycbzizTNkflSXZbKSF8TTxTR5QoF4LAhPPuSq-1juFdIOdL_IlFM%2Fexec' in a frame because it set 'X-Frame-Options' to 'deny'."
As I understand it, new users are not authorized to my Apps Script Web App, which triggers an authorization flow. However, when the authorization flow begins by loading the Google sign in page (https://accounts.google.com/ServiceLogin?... from above), it breaks because the X-Frame-Options header for the sign in page is set to Deny.
I did experiment with HTMLoutput.setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL) (see https://developers.google.com/apps-script/reference/html/html-output#setxframeoptionsmodemode), but I'm pretty sure the issue causing the Google Sites iFrame to load incorrectly is not my app, but Google's sign on page.
Link to Google Site: https://sites.google.com/view/create-user-filter-views/home
Link to Apps Script Web App: https://script.google.com/macros/s/AKfycbzizTNkflSXZbKSF8TTxTR5QoF4LAhPPuSq-1juFdIOdL_IlFM/exec
Documentation from Google on how to embed Apps Script in New Sites: https://developers.google.com/apps-script/guides/web#embedding_a_web_app_in_new_sites
How can I authorize new users to my web app from Google Sites?
Do I need to direct them first to my published apps script site to go through the authorization flow and then direct them to return to my Google Site (this would be a terrible option obviously)?