Required auth to download a Google Meet recording - google-drive-api

I'm working on an integration to stream Google Meet recordings to a 3rd party file storage service. Here's the rough workflow I'm following
Create the meeting using the Google Calendar API
During the meeting, a user optionally records
After the meeting, check the calendar event description for a link to the generated Google Drive file
Use the Drive API to retrieve a download link for the file
Open a download stream and stream to 3rd party service
My question is what OAuth scopes I need to make this work. The drive.file scope will only give me access to files my app created. The meeting recordings are created by Google Meet. The drive.apps.readonly scope gives me access to all files if the user installs my app. Could I create a Google Workspace Marketplace app and use that scope to download the file? Will the downloadUrl in the file object work with a token that only has drive.apps.readonly?
I'm trying to avoid using any restricted scope if possible.

Drive scopes are restricted by design
If you check this page, About Auth, and this page, OAuth Verification FAQs you'll see that Drive is inherently restricted due to the nature of the service. Since your app does not create the video, it will require a restricted scope to fetch the video created by meet.
I believe that https://www.googleapis.com/auth/drive.readonly will work for your purposes.

Related

Are there any way to register in-house application in google apps marketplace with FQDN?

I belongs IT Section which provides and distributes Google Apps and its related service in our company.
Our section has disabled Drive SDK in Google Apps admin Console because of our company policy.
However, many developers requested Drive api in our company.
So, we started registering developer's drive application in google apps marketplace to allow it.
After our registration, developers could use drive api.
However, recently our registration process has stuck in uploading on Chrome Web Store.
(*Please take a look at See step 8.)
Strictly speaking, chrome web store publishing status become rejected.
Moreover, we received app removal notification from chromewebstore-dev-support#google.com, like "Chrome Web Store: Removal notification for app name."
But we have no idea why this app has been rejected.
Here is our step we used to do.
In google developers console, I accessed api manager, and make drive api enabled.
Access drive SDK settings to register app icon and open URL, and save it.
*About open URL, we assume intranet FQDN is forbidden, so we set http://www.google.com as open URL.
In OAuth Concent, type service name and save it.
From api manager, enable Google Apps Marketplace SDK.
We set application name, description, register icon, support URL and drive api scope(https://www.googleapis.com/auth/drive) and save it.
Also prepare zip file for Chrome Web Store that includes manifest json and app icon.
*In manifest json, we wrote app name, description, web app URL(we set google sites) and write as domain-installable.
Upload zip file to chrome web store, icon, screeen shot, promotional tile images, set web site(we set google sites.), category and languages.
In the end, set Visibility option as private and everyone at mydomain.
After published both chrome web store and google apps marketplace, access to marketplace to find published app in our domain.
allow access of drive app in marketplace.
*Above processes were executed on September in 2015,
I believe developer console UI has been dramatically changed for now, so these steps might not match current steps.
### Questions ###
Considering above results, I would like to confirm things below.
I would like to confirm our steps above is correct or not for registering drive application in Google App Marketplace.
By referring Both Apps Marketplace Guides and Apps Marketplace Frequently Asked Questions, I could not find detail for specific steps.
I are wondering whether we must obtain or prepare domain for web application and it must be open on the web or not.
Are there any way to register in-house application in google apps marketplace without publishing on the web(wondering can use FQDN or not).
Is it possible to create Google Apps Marketplace App using service account or client application with Drive API?
Thank you in advance.
1. I would like to confirm our steps above is correct or not for registering drive application in Google App Marketplace. By referring Both Apps Marketplace Guides and Apps Marketplace Frequently Asked Questions, I could not find detail for specific steps.
You seem to have done the steps right. But just to be safe, you can check out Publish your App page on the apps marketplace documentation.
Steps to Publish the app
Go to the Chrome Web Store developer dashboard
Upload the zip file
Add a detailed description of your app for the Marketplace listing
Add your screenshot(s) and promotional tiles for the Marketplace isting
Add the URLs for your app's websites
Set the category, region, language(s), and other configuration details
Note: To publish a private, domain-only app, skip the next step and see the instructions below.
To publish a Marketplace app that is only visible within your own domain, do not use the listing review request form. Instead, on the developer dashboard, locate the "Visibility options" section and select "Private / Everyone at yourdomainname.com" before you publish
2. I are wondering whether we must obtain or prepare domain for web application and it must be open on the web or not.
I'm not sure what you mean by this question, but once the domain has been set and app published, the application will appear in the "For [your domain]" section in the Google Apps Marketplace available on admin.google.com
3. Are there any way to register in-house application in google apps marketplace without publishing on the web(wondering can use FQDN or not).
If you mean private company-wide application, I think Google Apps for Work can do this feature (this will incur additional charge to you though)
4. Is it possible to create Google Apps Marketplace App using service account or client application with Drive API?
Yes, Drive API also uses Domain-wide delegation of Authority in which the domain admin can grant 3rd party apps access to user data.

What is google developer console and project

I need an access to google drive sdk to store and retrive data from web-server but when I tried to get the access, as explained in google drive quick start guide, It says to create project, why is that. and How exactly getting access to drive sdk works?
Google provides a mechanism to allow third party apps to access its APIs. The first step of the process requires you to register the application to Google, eg. so it can bill you for certain access volumes. Your app will be accessing the information, eg the Drive files of end users. They will need to grant permission to your app, so this is a second reason why the app must be registered.
In Google parlance, your app is known as a "Project" and you will "create" (ie. register) your project at the Google Cloud Console.

Using Google Drive SDK to grant another Drive App authorization to file?

I have multiple Google Drive Apps published that have different client ids. When one Drive App creates a file, I would like to set the permissions on that file to allow the second Drive App access to that file. My use case is that from the first applications ui, I would like to allow the end user to launch the second application. Currently, the user needs to leave the first application and go to the drive ui and use the context menu to select open with.
In Google Drive UI, there is a context menu that says "View authorized apps...". I am basically looking for an API to add an entry to that list.
Thanks.
Jeremy
That is not possible. For security reasons, an app can only be granted authorization to see a file via direct user action: specifically opening the file with that app via open-with or the web or Android file pickers.

How to disable offline OAuth2 access from Google Drive SDK initiated connections?

I'm integrating our web app with Google Drive, and got stuck on configuring the conections initiated by the Google Drive UI.
We allow users to open and create files from Drive, but every time OAuth2 session is initiated from the Drive page, it asks for access to files (looks like drive.file scope, which is already given), and also to "Perform these operations when I'm not using the application". I assume the re-authentication is requested because of the offline access, which we never request and don't need. I'd rather not ask users for this if not necessary.
I could not find a way to disable this from the Google API Console. Is there a way to configure the OAuth2 url for sessions initiated from Google Drive UI and set the access_type?
Or, if that is not the issue, what causes the "Perform these operations when I'm not using the application" and constant re-authorisation when files are opened?
if it helps with troubleshooting, the APP id is 399581875395
Answered in Opening file from google drive always requests offline access
Looks like I found a solution for this.
This message will keep appearing if you don't do step2 of the OAuth2 flow with the same client_id and client_secret.
#app.route('/open')
def drive_open_file():
code = request.args.get('code')
if code:
credentials = credentials_from_code("client", "secret",
"https://www.googleapis.com/auth/drive.file",
code,
redirect_uri="<WEBSITE>/open")

External asp.net mvc application accessing files on Google Drive

I would like to build an external asp.net mvc application that has the following features:
The application is accessible via its own domain such as www.itsowndomain.com
The application has access to one Google account (such as itsownaccount#gmail.com) where all the files are stored in the Drive folder. So the users of the application should not have to log into their own Google accounts in order to access the files from this application. The application needs to have automatic access to this (itsownaccount#gmail.com)'s google Drive, that process should be transparent to the user, they should never have to authenticate themselves, its should all happen in the code in the background when the application loads.
The application will use Google Picker to list the files that are in (itsownaccount#gmail.com)'s google Drive folder.
My questions are as follows:
Is what I am trying to do possible, basically using Google Drive as a storage of files and downloading them, uploading new ones and possible editing some from an external application?
Can I use one account because all the files should be publicly available so I do not want users to have to be thinking about authentication in a site just so they can view publicly accessible files?
How do I go about implementing this, is there a tutorial because the ones I have looked at all differ as they mostly try authenticate each user with their own Google account?
you can use Google Drive as the storage solution for your application, check the Google Drive SDK: https://developers.google.com/drive/
Google Drive application usually rely on the users' accounts to store their files, but nothing prevents you from using your account to store all files and make them publicly accessible
there's an ASP.NET MVC tutorial and sample app at https://developers.google.com/drive/examples/dotnet, however, it authenticates each user with his own account. You can start from it and replace the standard OAuth flow with one that always uses your credentials, for instance, by always using a Refresh token that you generated in advance and provided to the app.