0

In my application, I want to use Google Drive API with limited scope, namely drive.file.

NB Application is using OAuth2 authorization flow for limited devices.

However, with this scope API doesn't find files that i've manually created using Google Drive web logged in with the same account.

Moreover, if i manually add files (or other directories) into directory created by app, API still doesn't find them.

Is there a way to accomplish that using only limited scopes?

UPD151122 Link to a similar request in Google issue tracker

UPD101122 While going through Google app verification process, i've found out that Limited devices are allowed to use only few scopes and drive.readonly is not there.

The OAuth 2.0 flow for devices is supported only for the following scopes:

OpenID Connect,Google Sign-In
email
openid
profile

Drive API
https://www.googleapis.com/auth/drive.appdata
https://www.googleapis.com/auth/drive.file

YouTube API
https://www.googleapis.com/auth/youtube https://www.googleapis.com/auth/youtube.readonly

A workaround is to use OAuth2 flow for webservice and host own service for OAuth2 authorization for limited devices... On the other hand, there are multiple cloud services that have implemented OAuth2 flow for devices and IMHO have a more reasonable scope of permissions.

UPD291022 To compare with, i've checked Dropbox API. It has the same scope feature with multiple permissions, but contrary to Google Drive API Dropbox API sees resources in app folder created manually by the same account. I hope, that's deliberate solution and wouldn't be changed.

  • I haven't found solution and similar tasks in API docs, so i suppose such scenario is not covered there.

  • There are mentions on the web that directory can be shared with app, yet i haven't found how to do that.

  • Previous answers here mention use of drive.metadata, but still this scope is sensitive and should be verified, thus doesn't help much.

  • I've tried to use drive.readonly scope, but it requires app verification, too.

  • Query on Google Drive API page works as expected, yet it asks to provide sensitive permissions.

  1. I expect that files created by the same account via api or google drive web should be accessible from api even with limited permissions.

  2. I expect that everything placed/created manually into directory that was created by app should be always accessible by app (at least for reading/downloading/uploading).

diabolusss
  • 29
  • 1
  • 6

1 Answers1

1

The https://www.googleapis.com/auth/drive.file scope Allows you to See, edit, create, and delete only the specific Google Drive files you use with this app.

The app being the Client id or the project you created in Google cloud console.

So unless the file is created by the application itself then the application wont be able to see the files.

That meaning that any files that you had added manually though the google drive web app, or any files created by other applications will not be seen by an app authorized with the scope 'https://www.googleapis.com/auth/drive.file'

So if you want to see files other than those created by your application you're going to need to use https://www.googleapis.com/auth/drive.readonly or https://www.googleapis.com/auth/drive depending upon whether you need write access or not.

diabolusss
  • 29
  • 1
  • 6
Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
  • While i agree that right now api works like that, i can't agree that it's a correct behavior for drive.file scope. Application have a dedicated folder on Google and user is aware of that. I believe that everything manually saved there by user should be available to app which is a real owner of that folder. Or at least there should be a respective scope, i.e. drive.app - where application owns all files (have full control) in dedicated folder, including manually added files and folders. Otherwise, there is no point for user to put there anything, and it should be forbidden. – diabolusss Nov 11 '22 at 21:33