Google Picker API File Access

Lavarthan Selvaratnam

Aug 8, 2024, 2:33:56 AM
to Google Apps Script Community
I have a Google add-on using Google Apps Script that retrieves the current file ID and sends it to the backend. On the backend, I have already authorized the user with the `drive.readonly` scope to pass the file ID from the frontend and download the file. However, Google has suggested using the `drive.file` scope along with the Picker API instead. I need clarification on a few points regarding this new suggested method.

If I implement the file picker in my frontend, when the user picks a file, I can send the file ID and the OAuth token to the backend to download the file (referenced here: https://stackoverflow.com/a/32176112). Please correct me if I am wrong.

1. How does the user obtain this OAuth token?
2. How long is the OAuth token valid?
3. If the user picks a file, can I use that file ID indefinitely to download the file, or will it expire?

The Google Picker API documentation is somewhat unclear, so any help would be appreciated. Thank you in advance.

Ed Robinson

Aug 11, 2024, 5:23:45 PM
to Google Apps Script Community
Hi Lavarthan,
I've used the Google Picker for a lot of applications.
- In case it is not clear from the documentation, the Picker is only for choosing files on Google Drive (it cannot access local files on your computer).
- I don't know how long the OAuth token is valid for, but it doesn't seem to be a problem. You obtain it with: `var myToken = ScriptApp.getOAuthToken()`
- Yes, the fileId is the permanent id of the Google Drive file.

I hope this helps,
Ed

Lavarthan Selvaratnam

Aug 12, 2024, 12:17:01 AM
to Google Apps Script Community
Hi Ed,

Thank you for your time and detailed response. One more question: should I use the obtained token to access the file metadata from the backend?

Ed Robinson

Aug 12, 2024, 7:37:05 AM
to Google Apps Script Community
Hi Lavarthan,
You won't need the token to access file metadata. Here is why:

Projects in Google Apps Scripts can use three types of API:
b) REST API
c) Wrapper over REST API in b)

Of these, Workspace Services are the simplest to use; the OAuth token is managed automatically by Google Apps Script.

So your process is as follows:
- User picks file (on Google Drive), using the Google picker. See Picker Overview + Picker Sample
- With the File ID, you can use the DriveApp Workspace Service to do file actions - like copy, delete, change name
- With the File ID, you can also access the file with other Workspace services such as Spreadsheet Workspace Service for Slides

I know this sounds a little confusing, but it's actually straightforward. If you're new to coding Apps Script, stick with the Workspace services to begin with.

Lavarthan Selvaratnam

Aug 14, 2024, 12:07:26 AM
to Google Apps Script Community
Hi Ed,

Thank you again for your time and detailed response.

I have two different servers: one is an Apps Script server where users interact, and the other is a backend server completely isolated from the Apps Script. If I implement the file picker and obtain the OAuth token from Apps Script, can I only use that token within the Apps Script?

What I really need is access to the file from the backend server. If I pass the OAuth token to the backend, can I access the file from there? I might have been a bit confusing earlier, so I hope this clarifies my situation.

Thank you for your help!

Ed Robinson

Aug 14, 2024, 1:46:11 AM
to google-apps-sc...@googlegroups.com
Hmmm… that adds some complexity. Is the backend running on Apps Script or another language?

Ideally: after you use the token with the picker, you don’t need it anymore. You just pass the file id to the backend, and if it’s running Apps Script, and using Workspace services, when it accesses the file, the auth happens automagically.

If your backend is written in, say, Python you have more complexity. Will the OAuth token (which is just a string) work ok when it’s passed from server to server? Maybe. But it would be complex to debug, if errors show up.

Ed
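
For the server-to-server case raised above, one way a Python backend can inspect a forwarded access token before using it is to check what Google's tokeninfo endpoint reports for it: which client it was issued to, which scopes it carries, and when it expires. This is an added example, not code from the thread; the client ID and both sample responses are constructed placeholders, and `check_forwarded_token` is a hypothetical helper name.

```python
import json
import time
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"
DRIVE_FILE_SCOPE = "https://www.googleapis.com/auth/drive.file"
BROAD = {"https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/drive.readonly"}


def fetch_tokeninfo(access_token):
    """Ask Google to describe an access token (network call, not used by the samples)."""
    query = urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(f"{TOKENINFO_URL}?{query}", timeout=10) as resp:
        return json.load(resp)


def check_forwarded_token(info, expected_client_id, now=None, min_remaining=60):
    """Return a list of problems; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    # The token must have been issued to our own OAuth client, not to another app.
    if info.get("aud") != expected_client_id:
        problems.append("audience mismatch")
    # Scopes come back as one space-separated string.
    granted = set(info.get("scope", "").split())
    if DRIVE_FILE_SCOPE not in granted:
        problems.append("missing drive.file scope")
    # Flag tokens that carry more Drive access than the per-file scope.
    if granted & BROAD:
        problems.append("broader Drive scope than drive.file")
    # exp is a Unix timestamp, returned as a string.
    try:
        remaining = int(info.get("exp", 0)) - now
    except (TypeError, ValueError):
        remaining = -1
    if remaining < min_remaining:
        problems.append("expired or about to expire")
    return problems


# Constructed sample tokeninfo responses (not real tokens or client IDs).
CLIENT_ID = "1234567890-example.apps.googleusercontent.com"
GOOD = {"aud": CLIENT_ID, "scope": DRIVE_FILE_SCOPE, "exp": "1723600000"}
OTHER_APP = {"aud": "999-other.apps.googleusercontent.com",
             "scope": "https://www.googleapis.com/auth/drive.readonly",
             "exp": "1723600000"}
```

Logging the returned problem list next to the Drive API error makes a rejected request easier to trace to its cause.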

Lavarthan Selvaratnam

Aug 15, 2024, 12:27:48 AM
to Google Apps Script Community
Hi Ed,
Thank you for your insights.

The backend is completely isolated and running in Python. Previously, I was using the `drive.readonly` scope during authorization, which allowed me to get the file metadata from the backend by simply passing the file ID from the Apps Script. Now, Google has asked me to use the `drive.file` scope along with the Picker API.

Given this new requirement, if I obtain the OAuth token from the Picker API and pass it to the backend, will it allow me to access the file from the backend server? I understand this adds complexity and may be challenging to debug if errors occur.

Your guidance on this would be greatly appreciated. Thank you again for your help!

Ed Robinson

Aug 16, 2024, 9:10:00 AM
to Google Apps Script Community
Here is my guidance (and it's mainly what-I've-found-that-works. I'm happy to be corrected by anyone more knowledgeable).

OAuth 2.0 authorizes applications, on behalf of a user, to access a resource. If you pass an OAuth token to another app, the system will think you're trying to bypass the authorization flow.
You might get it working, but it probably won't stay working.

I suggest the right approach is to configure the Python backend to use a "service account". Then you pass the FileId from your app to the backend. The Python backend uses its own set of permissions + its own OAuth token based on the service account permissions to access the file.

Ed