1

I'm making an open source Node module that will require access to each user's private Google Drive files. I've been trying to wrap my head around all of these different authentication types, and have come to a road block. From what I've gathered, there are two primary types of authentication

  1. I, the library author, provide in my library the public and private keys necessary to authenticate each user with OAuth2. This means giving them a URL to go to to give my app permission to access their data, and have them copy and paste an access code back into their terminal. I was able to run through this tutorial and get it working, but this method seems dangerous, because of the keys I have to package with my library, and unnecessarily difficult.

  2. Have the user go to the Google API console, get their own API key, and provide that to my library through some sort of configuration file. No URL redirection, no copying and pasting, just some private credentials that only they have access to.

2 sounds a lot better to me: This library has absolutely nothing to do with me once it's in the user's hands, so it feels incorrect to have them authenticate with me. But from what I can find, the only way to do this with Google's API is to create a Google Service account, download the JSON they give you, go through a flow similar to the top comment on this blog post, and then manually give the service account email access to my personal Google Drive files. This seems hacky, and a lot of work to gain access to my own private data. Is there a better way to go about this? It seems strange to me that this fairly standard flow in other APIs is only available in Google's API through service accounts, but maybe there is a way and I'm just not seeing it. I'm fairly new to authentication, so any help at all is appreciated. Thanks!

Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
Weston
  • 1,291
  • 3
  • 12
  • 25

1 Answers1

1

First off I want to say that you cant release your open source project with the client id and client secrete that you created on Google Developers console this is against googles terms of service.

1.Developer credentials (such as passwords, keys, and client IDs) are intended to be used by you and identify your API Client. You will keep your credentials confidential and make reasonable efforts to prevent and discourage other API Clients from using your credentials. Developer credentials may not be embedded in open source projects.

My Answer on another question about exposing client id in open source projects.

Second you could instruct your users to use either Oauth2 or a service account or both its really up to you.

If the user will only be accessing their own data and wont need to access someone else's data then they can use a service account you will need to instruct them in how to share a folder on Google Drive with the service account. However from your side permissions can be tricky when they are uploaded the service account will own the file uploaded to the users google drive account you will need to have the service account add permissions for the user so the user will then also be able to access said file.

The easiest way to go will be Oauth2 when the code uploads files they are owned by the authenticated user so you wont have the same permissions issue you had with a service account.

Community
  • 1
  • 1
Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
  • How would I go about having each user use OAuth2? I thought OAuth2 would be where I give them a Url, and that url says "Give Weston permission to do x, y, and z". But if it's not my credentials given in the url, what's the point? Is there a way to authenticate with OAuth2 without having to do the copy and paste url stuff? – Weston Jun 15 '16 at 06:40
  • when they download your project they will have to be given a config file or some place where they can add their own credentials from Google Developer console. – Linda Lawton - DaImTo Jun 15 '16 at 06:42
  • So it would be the same flow (give them a url, they copy and paste back to console), but the OAuth screen would just say "Give [myself] permission to do x, y, and z"? It seems very strange to have to do that, I figured there would be a way to do all of that programatically, like in the service account flow. – Weston Jun 15 '16 at 06:44
  • by all means if they are only going to be accessing their own data use a service account. I just find service accounts on drive a pain because you have to share a folder with the service account and then deal with the permissions issues. This is really personal choice here both options will work. However if you are using JavaScript and not a server sided programing language you are going to have a hard time getting service accounts to work. For security reasons its a bad idea while some people have hacked it I personally would never use it. – Linda Lawton - DaImTo Jun 15 '16 at 06:47
  • What's the difference between using Node and some other server side programming language? Also, this library will more than likely not be uploading anything, so the permission issue probably won't be a huge deal. It just seems so weird to me to have to choose between the unnecessary url copy and paste stuff that would only really seem necessary if this were a web application, and the service account permissions stuff. You'd think there'd be an option for the service account flow of just loading a JSON file and authenticating that, but with access to your personal data. – Weston Jun 15 '16 at 06:53
  • Sorry I am not a Node developer I have heard of it but done no research on it if its servicer sided then you are fine. Applications created in google developer console have no relation to your personal google account used to create it. Just because you created a service account on google developer console does not mean that said service account has access to your private data you still need to grant it access manually. Share a calendar share a folder in google drive, add it as a user on google analytics. Service accounts are pre authorized. Drive permissions are just a pain in genral. – Linda Lawton - DaImTo Jun 15 '16 at 06:58
  • Do you know if there's any way to authenticate with OAuth2 without having to have the user go to a url and copy and paste back an access code? – Weston Jun 15 '16 at 07:17
  • your code should be able to grab the authorization code after they click accept and return it to your code and request the initial access token. The user shouldn't have to do that. But no you need to display that webpage to them for them to authenticate your application. – Linda Lawton - DaImTo Jun 15 '16 at 08:27