Today - Users' Google Drive access tokens - which are obtained when a user authenticates the app - are kept in my backend, linked to the authenticated user. So when a user authenticates once from any platform - he will have the same Google Drive access from any other platform or device he uses, since the access tokens are kept in the backend.

We want to allow each client to use the Drive SDK in order to communicate directly with Google Drive services where it sees fit, requiring the clients to hold and use the connected user's Drive access key.

We're looking for a way to give the user a "seamless" Drive connection.

Is there an alternative where the user will not have to authenticate my app per device? Can an access token be shared from one device to another?

--

EDIT: leaving the refresh token out of the scope of the question - let's assume that when the token expires, the client would use my backend API to refresh the access token (so the backend holds the refresh token).

P.S. - I asked a similar question for the Dropbox service - Using Dropbox access token from multiple devices

Dror Fichman
  • The alternative I can think of given what you're trying to do is the use of [service accounts](https://developers.google.com/identity/protocols/OAuth2ServiceAccount), as I haven't encountered your use case yet. – ReyAnthonyRenacia Dec 28 '17 at 08:15
  • Could you review where you say "access token" in your question. Do you mean Refresh Token? – pinoyyid Jan 01 '18 at 22:06
  • pinoyyid - edited the question to clarify. – Dror Fichman Jan 03 '18 at 07:30
  • Did you ever manage to sort this out? I have a similar question but haven't been able to find any information. Thanks. – fredrik.j Apr 16 '19 at 05:13
  • @fredrik.j we came up with these conclusions - it's better for each device to hold its own auth tokens. While it's technically possible to persist those in a backend - it raises a security risk, and reduces user's control over his 'actual connected devices'. We did figure that the user won't have to 'grant permissions to the app' in each device, given that we use the same Google Drive application for all platforms. – Dror Fichman Jul 09 '19 at 21:27

1 Answer

Despite it not being a finite answer -

We eventually came to the conclusion that it's better for each device to hold its own auth tokens. And while it's technically possible to persist those in a backend - it raises a security risk and reduces user's control over his 'actual connected devices' through our app to the 3rd party provider.

We did figure that the user will have to 'grant permissions' only during his first usage, given that the same Google Drive application is used in all platforms.

Dror Fichman
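An added sketch (not code from the question or the answer) of the design in the question's EDIT, where the backend keeps the refresh token and hands devices short-lived access tokens, to show the loss of per-device control the answer describes. `TokenBroker`, `post_form`, the device ids and all token values are hypothetical; the token endpoint is replaced by a constructed stand-in so the example runs offline.

```python
import time
from dataclasses import dataclass, field

GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint

@dataclass
class TokenBroker:
    """Hypothetical backend component: refresh tokens stay server-side, devices get access tokens."""
    client_id: str
    client_secret: str
    post_form: object  # assumed transport: post_form(url, fields) -> parsed JSON dict
    refresh_tokens: dict = field(default_factory=dict)  # user -> refresh token, never sent to a device
    devices: dict = field(default_factory=dict)         # user -> set of enrolled device ids
    cache: dict = field(default_factory=dict)           # user -> (access_token, expires_at)

    def enroll(self, user, device_id):
        self.devices.setdefault(user, set()).add(device_id)

    def disconnect(self, user, device_id):
        # Stops future hand-outs to this device; it cannot recall a token already delivered.
        self.devices.get(user, set()).discard(device_id)

    def access_token_for(self, user, device_id, now=None):
        if device_id not in self.devices.get(user, set()):
            raise PermissionError("device is not enrolled for this user")
        now = time.time() if now is None else now
        cached = self.cache.get(user)
        if cached and cached[1] - 60 > now:  # reuse until 60 s before expiry
            return cached[0]
        resp = self.post_form(GOOGLE_TOKEN_URL, {
            "grant_type": "refresh_token", "refresh_token": self.refresh_tokens[user],
            "client_id": self.client_id, "client_secret": self.client_secret})
        self.cache[user] = (resp["access_token"], now + resp["expires_in"])
        return resp["access_token"]

def demo():
    issued = []  # constructed stand-in for the token endpoint
    def fake_post(url, fields):
        issued.append(fields["refresh_token"])
        return {"access_token": f"at-{len(issued)}", "expires_in": 3600, "token_type": "Bearer"}
    broker = TokenBroker("example-client-id", "example-secret", fake_post, {"alice": "rt-alice"})
    broker.enroll("alice", "phone"); broker.enroll("alice", "laptop")
    phone = broker.access_token_for("alice", "phone", now=0)
    laptop = broker.access_token_for("alice", "laptop", now=10)  # served from cache
    broker.disconnect("alice", "phone")
    try:
        broker.access_token_for("alice", "phone", now=20); refused = False
    except PermissionError:
        refused = True
    renewed = broker.access_token_for("alice", "laptop", now=3590)  # inside the 60 s margin
    return {"shared": phone == laptop, "refused": refused, "renewed": renewed, "calls": len(issued)}
```

In this model `disconnect` only stops further hand-outs: the phone already holds the same bearer token as the laptop, and nothing in the broker can recall it before it expires.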