
Google Drive API Application data accessing credentials from Web browser (JavaScript)


I'm trying to obtain credentials from Google Console to access my Application Drive data through the Web browser (JavaScript) option (in order to use the Picker API later on). But when I select the option Application data (Access data belonging to your own application) I got the message:

Application data cannot be accessed securely from a web browser. Please consider selecting another platform.

Can anyone explain why it is not secure, and how I can access my application data using a Web browser? Maybe I should choose different credentials?

Thanks.

Oleg Kuts asked Jun 21 '16 15:06


2 Answers

You can access your Google Drive Data in three possible ways:

  • Browser through OAuth: a pop-up opens for the user, he/she logs into his/her Google account and gets an access token. You pass this token as the parameter key in every request you make to the Drive API.
  • Browser through API key: there's no need to log in; Google needs this key only to know which app is using their services. It's the simplest option; you use this when you don't have a server-side application and need to access only public data. You can't access any private file through this method.
  • Server-side: you use a private key to authenticate. All requests to the Drive API MUST be made only in the backend; it would be insecure to share your key in JavaScript code.

I suppose you're trying the second option. I had the same problem: when you are going through the step-by-step, it says it would be insecure for Drive, which I don't understand, since you'd be sharing a public key and be accessing only publicly available files.

To generate this key you can go to https://console.developers.google.com/apis/credentials, click "create credential" and select "API key".

Just remember, the API key is useless for anything you'd need special permissions for; the only thing you can do with it is read public files/folders.

Now, if it's not the second option you need, and you need to access private data of your application in the browser, it's not possible, for the exact reason it says it isn't: it's not secure. The key would be visible in every request you make, and it would be very easy for someone to steal your key and do whatever he/she wants to your Drive account.

But if you need to access private stuff in the browser, I suppose you have a login system; if not, there's no reason for it to be private in Google Drive (anyone would have access anyway). If you have a login system, you must have a server-side application. In this case, the correct thing to do is move all your calls to the Drive API to your backend and use a private key (third option in the previous list) to authenticate.

Tiago Peres França answered Sep 28 '22 04:09
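
An added example, not part of either answer or of Google's tooling: a check that a build pipeline could run over browser-delivered JavaScript to catch the case the answer above warns about, a server-side key ending up in client code, while treating a browser API key as expected. The rule set, the function names `scanSource` and `verdict`, and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not from the original answers): flag Google credentials that
// must never ship to a browser. Patterns are heuristics, not a full scanner.
const RULES = [
  // Service-account key files carry this marker plus a PEM private key.
  { id: 'service-account-json', severity: 'critical', re: /"type"\s*:\s*"service_account"/ },
  { id: 'private-key-pem', severity: 'critical', re: /-----BEGIN (?:RSA )?PRIVATE KEY-----/ },
  // Not secret by itself, but a hint that server-side config was bundled.
  { id: 'service-account-email', severity: 'review', re: /[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com/ },
  // Browser API keys are expected client-side; report so restrictions get checked.
  { id: 'api-key', severity: 'info', re: /AIza[0-9A-Za-z_-]{35}/ },
];

// Return one finding per (line, rule) hit, with the matched value truncated.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (m) {
        findings.push({ file, line: i + 1, rule: rule.id, severity: rule.severity,
                        excerpt: m[0].slice(0, 8) + '...' });
      }
    }
  });
  return findings;
}

// 'block' if any private credential is present, 'review' for hints, else 'ok'.
function verdict(findings) {
  if (findings.some(f => f.severity === 'critical')) return 'block';
  if (findings.some(f => f.severity === 'review')) return 'review';
  return 'ok';
}

// Constructed sample inputs (no real keys).
const SAMPLE_PUBLIC = 'gapi.client.setApiKey("AIza' + 'x'.repeat(35) + '");';
const SAMPLE_LEAK = [
  'const creds = {"type": "service_account",',
  '  "client_email": "demo@example-project.iam.gserviceaccount.com",',
  '  "private_key": "-----BEGIN PRIVATE KEY-----\\nCONSTRUCTED\\n-----END PRIVATE KEY-----\\n"};',
].join('\n');

for (const [name, src] of [['app.js', SAMPLE_PUBLIC], ['bundle.js', SAMPLE_LEAK]]) {
  const found = scanSource(name, src);
  console.log(name, verdict(found), found.map(f => `${f.line}:${f.rule}`).join(', '));
}
```

A `block` verdict means the file should not be served to browsers until the key is moved to the backend and rotated; an `info` hit on an API key is a prompt to confirm the key is restricted in the console.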


Found this on Drive's Application Data guide.

To be able to use your Application Data folder, request access to the following scope:

https://www.googleapis.com/auth/drive.appdata

It also might help if you read more on Working with the Application Data folder. Hope that helps.

ReyAnthonyRenacia answered Sep 28 '22 02:09