Access Google Drive without OAuth2

Question

I have been rummaging through all the Google documentation on GoogleDrive SDK and the Drive API, however I cannot find out if there is a way to connect to a particular GoogleDrive without having to use OAuth2.

I realize that OAuth2 allows for the server or client to be able to connect securely to the particular Google Drive in question. However, I want to know if there is a way to simply have an API Key for the Google Drive instance and simply through that, access my files and folders. In fact I have a way to connect to the user's Google Drive already with OAuth2, but I want to only connect to mine in this way in order to automate pushing off statistical data to forms on my own Google Drive. Since it's automated I don't want to have to fill in the credential form and click "Accept" and all that, of course I realize that after that I'd be able to have a refresh token. But I really want to avoid all that if possible.

This is similar functionality to much of the APIs that Mashery allows, as well as Twilio. Only the API Key and then you can have access.

I really just need to know if this is at all possible or not, so I can either continue with the pursuit or leave it and try something different.

Answer 1

"if there is a way to connect to a particular GoogleDrive without having to use OAuth2."

No. Oauth2 is the only authorization/authentication mechanism supported.

If you're question is really "if there is a way to connect to a particular GoogleDrive without having to write OAuth2 code.", then this answer might help How do I authorise an app (web or installed) without user intervention? (canonical ?)

The "Only the API Key and then you can have access." sounds a bit like a Google Service Account, but that would create a pseudo Drive account for the app, rather than allow the app to access your regular Drive account.

Answer 2

Google API's indeed work only via OAuth2.0 using a bearer token.

But you can obtain a bearer token from a GCP Service Account's JWT token. Since OAuth via JWT is automatic, no user interaction is involved.

Just create a Service Account, generate a key in JSON format, and "share" your Drive folder with that service account (xxxxx@yyyyy.iam.gserviceaccount.com).

Note: a Service Account's key file looks like this ^(redacted):

{
    "type": "service_account",
    "project_id": "<skip>",
    "private_key_id": "<skip>",
    "private_key": "-----BEGIN PRIVATE KEY-----\n <skip> \n-----END PRIVATE KEY-----\n",
    "client_email": "<skip>@<skip>.iam.gserviceaccount.com",
    "client_id": "<skip>",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/<skip>%40<skip>.iam.gserviceaccount.com"
}

Example of listing files in Go:

package main

import (
    "fmt"
    "log"

    "golang.org/x/net/context"
    "google.golang.org/api/drive/v3"
    "google.golang.org/api/option"
)

func main() {
    srv, err := drive.NewService(context.Background(), option.WithCredentialsFile("key.json"))
    if err != nil {
        log.Fatal("Unable to access Drive API:", err)
    }
    r, err := srv.Files.List().PageSize(100).Fields("nextPageToken, files").Do()
    if err != nil {
        log.Fatal("Unable to list files:", err)
    }
    fmt.Println("Files:")
    for _, i := range r.Files {
        fmt.Printf("%v (%v) %v %v\n", i.Name, i.Id, i.MimeType, i.Parents)
    }
}

Output:

Files:
Test (1TMx<skip>SoYJ5) application/vnd.google-apps.folder []
Test.txt (1Ele<skip>Fh98n) text/plain [1TMx<skip>SoYJ5]
Test2.txt (3ce9x<skip>lsWds) text/plain [1TMx<skip>SoYJ5]

Answer 3

Well, Oauth 2.0 supports Resource Owner Password Credentials Grant and Client Credentials Grant.

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application.

The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).

The Client Credentials Flow seems perfect for you. But Unfortunately, Google doesn't support these two Grants.