'Is there a way to share a google drive file made in my application with another user's instance of my application?

I'm writing a desktop application that a user can run which saves documents into that users google drive. What I want is to allow user-A to share that document through my application with a user-B, and have user-B be able to open it in the application for collaboration. I've been digging through documentation for a while, and I found that this doesn't seem to be possible without using some hacky workarounds so I'm wondering if I'm missing something, or perhaps someone could offer advice about implementing these workarounds in a way that isn't dangerous...

Approach 1: Use auth/drive scope instead of auth/drive.file

This works, but is serious overkill. I don't need permission for a users entire google drive, and this falls outside the lines of acceptable uses for auth/drive permission, so I'm not likely to get my app verified doing this. Using auth/drive.file scope doesn't work at all, as it only grants access to files "created or shared with my application by the user" which they did not do. Even if the file in question is set to shared-with-everyone, my application still can't open it.

Approach 2: Use a service account to access the file

I can create a service account, and user-A can share the file with the service account, then user-B can access the file through the service account. The issue with this solution is that allowing my desktop application to authenticate as a service account means a malicious user could reverse engineer the credentials. I know a malicious user with the service account could ask the drive api for a list of all files that have been shared with that service account and overwrite them. Even if user-A set the file to shared-with-everyone instead of directly with the service account, it still appears in the service accounts drive/files:list if the service account has touched the file. And there doesn't seem to be a way to remove the item from that list whatsoever, And I also can't find a way to restrict a service account so it can't use that endpoint, so this would remain a vulnerability.

Approach 3: Use the google file picker?

From what I can gather, it seems the google file picker could be used by user-B to specifically grant my application access to any file directly. This both seems to be a serious inconvenience to user-B, as they'd need to go through a separate web browser to use my desktop application. But on top of that, the google picker api is tailored for web applications, which I am not, so I don't even have the slightest clue how to set this up in the first place.

google-drive-api


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions

Python: download files from google drive using url

Updating multiple appscript projects from one appscript

New Google Drive Ignores IconLink Property on File

How to set image thumbnail for file stored on Google Drive

Download file google drive python

How to download file from Google Drive with link in Android?

Using Python to do basic Google Drive operations without web server authentication

Is Google Colab notebook sharing my Drive data with the notebook author?

Create new file in a folder with Apps Script using Google Advanced Drive service

Drive Api - large file stream in nodejs

Google Drive - Access Drive without consent form (Username/password known)

Android : copy file to Google Drive using Google Drive API - what is best approach?

File not found error Google Drive API

How to read all of the files in a specific directory in google drive using python?

backup files to google drive using PHP