Google Drive requires authentication despite public folder access

Question

If a folder has a permission that allows anyone with the link the read, trying to download specific file from that folder using

https://googledrive.com/host/<<<folder_id>>>/<<<file_name>>>

will redirect to the Google service login page.

However if the folder has a permission that allows anyone to find it and read the file will be downloaded correctly without being redirected to the service login page.

Is this the intended behavior despite the UI claiming "... no login required"?

Answer 1

Yes, that is intended behavior. The URL you're trying to build is from Drive's hosting feature. That requires using the "Public on the web" permission to be accessible there.

Using the lesser permission, it is possible to download via the UI with the link from sharing.

If you're looking for programatic downloads, you can use the Drive API to download without authentication (https://www.googleapis.com/drive/v2/files/FILE_ID?alt=media&key=YOUR_KEY) although that requires at least an API key for the registered app.

Update:

Please note that the server only responds with the headers needed for CORS when a valid origin header is present (browsers normally include this, so don't typically need to do anything.) For example:

curl -vv 'https://www.googleapis.com/drive/v2/files/FILE_ID_HERE?key=YOUR_API_KEY&alt=media' > out.tmp

The above request will not yield access-control-* headers. Including an origin header as a browser would does:

curl -H 'origin: https://www.example.com' -vv 'https://www.googleapis.com/drive/v2/files/FILE_ID_HERE?key=YOUR_API_KEY&alt=media' > out.tmp