I am writing a web app that makes use of the Google Drive API and that I plan to distribute for users to run locally.
Users would not normally run a web application locally. Web applications should be hosted on a web server. Web client credentials can not be verified and run in production using localhost as a redirect uri.
Have you considered an installed application instead? Desktop apps will run on the users machine. And you will not have a redirect uri issue as the standard redirect uri for installed applications https://127.0.0.1
I am planning to go through the lengthy OAuth verification process.
If you are giving this application as in the source code of the application to other users, you don't need to verify the application. You can not give others your client id and client secret, as part of the TOS you agreed to when you created your project, you agreed not to share it. You will need to instruct the users of your app on how to create their own project and verify it.
See: Can I really not ship open source with Client ID?
I see here in the documentation that localhost URI's are exempt from the HTTPS scheme.
This is only for installed applications, its not going to work for web applications. and it wont work for production apps.
There is actually another link you should check Use secure redirect URIs and JavaScript origins
This page states that you cant use http and you will normally get
documentation conflict
as there seems to be a conflict between Redirect URI validation rules and Use secure redirect URIs and JavaScript origins I have sent an email off to a contact on the Oauth team, to see if we cant get the documentation clarified.
