0

I want to write a python script that can connect to Google Drive API without having to manually authenticate on every device the script is run on.

I am writing some python code for a research study that is going to be run at various study locations. For data privacy reasons, we cannot store data locally and need to write it to the cloud (ideally Google Drive). A member of our team will not present at all locations the software is being run, and thus any sort of initial manual authentication (entering username and password at the different sites for OAuth) is really off of the table for us.

I've looked into the Google Drive API (Python), and am wondering if there is a way for a device running my script to get a Refresh token (and subsequent Access tokens) to modify a Google Sheet without needling to manually authenticate on each device.

Is there any way to make this possible with the Google Drive API (by having some sort of 'secret' that the code could store)? If not, are there any other cloud services that may be able to accommodate this?

Additionally, the python script is being run as part of an executable (produced from Vizard, probably irrelevant but mentioning it just in case)

pinoyyid
  • 21,499
  • 14
  • 64
  • 115
biocompamateur
  • 35
  • 1
  • 6

1 Answers1

1

Yes it can be done - see How do I authorise an app (web or installed) without user intervention?

However, it's probably a bad idea for two reasons. if you distribute code with embedded secrets (technically the secret is a Refresh Token), they tend not to stay secret for long. Secondly, there is the chance that the Refresh Token will expire and your users will be dead in the water.

I would suggest that you consider:-

  • A Service Account
  • Writing an OAuth proxy, which you can host for free on Google AppEngine, which puts all of the secret stuff on a server and from which your app can fetch Access Tokens as they are needed.
pinoyyid
  • 21,499
  • 14
  • 64
  • 115
  • Thank you! Just to confirm, would this require *any* sort of authentication when the script is run on a new device? We're not too concerned about about refresh token expiration (running out of tokens/changing password) given the scope of our project. It will most certainly be running on fewer than 50 machines. Unless, of course, I misunderstand what counts as a refresh token/when a new one is issued. – biocompamateur Feb 06 '19 at 23:40
  • No. You'll authenticate once only on the oauth playground. After that, the refresh token works without any user involvement at all. – pinoyyid Feb 06 '19 at 23:48
  • Got it, thank you. I will probably go the basic refresh token route. What is the benefit of the service account (the OAuth proxy justification makes sense to me, but it's probably unnecessarily complicated for our needs). – biocompamateur Feb 07 '19 at 19:12
  • A regular Google account is supposed to be owned by a person whereas a service account is owned by an application. – pinoyyid Feb 08 '19 at 00:13