Reputation: 1933
How to restrict access token usage with in an api
I use Google Drive as a storage. There are many files in one GD. This GD contains files of multiple users. When some user wants to access his file, I generate access token for specific file. However, this access token can be used to list all files on GD, including others files. I want to put restrict to files.list API on Google Drive. Is there any way to disable files.list API? I use following code to get refresh token for read only access to files
public static async Task<string> generateReaderRefreshToken(string clientID, string clientSecret)
{
string[] scopes = new string[] { DriveService.Scope.DriveReadonly };
ClientSecrets secrets = new ClientSecrets
{
ClientId = clientID,
ClientSecret = clientSecret
};
UserCredential crdls = await GoogleWebAuthorizationBroker.AuthorizeAsync
(secrets,
scopes,
"user",
CancellationToken.None);
return crdls.Token.RefreshToken;
}
Upvotes: 0
Views: 946
Answers (1)
Reputation: 117146
Unfortunately the way Oauth2 works is for the most part you get access to the full drive account when you get access. With the exception of drive.file which gives you access to all the files created by your application.
Valid google drive scopes
Oauth2 user account
For a moment lets assume that you are using a normal oauth client, and using a refresh token to create these access tokens. when you authncated the application the and were shown a consent screen I am gong to assume that you requested access with the following scope
https://www.googleapis.com/auth/drive See, edit, create, and delete all of your Google Drive files
This scope gives you full access to a drive account. It does not limit how much access you have you can see everything and do anything. Within the limits of the drive api of course. Its not going to let you make coffee.
oauth2 service account
Now lets assume that you are using a service account. A service account is bound by the same rules as a normal user. When you authenticated the service account. you probably also used the https://www.googleapis.com/auth/drive it would make sense that the service account would then be able to control all its files. When the service account creates access tokens those access tokens are still going to have access to all the files on the drive account
drive file scope
There is one other scope that cold help you but not as much as you would hope that being the following scope
https://www.googleapis.com/auth/drive.file View and manage Google Drive files and folders that you have opened or created with this app
This scope would limit access to files created by your application. Your application is denoted by the client id or rather the project you created on google developer console. So with this scope you would only have access to files created by this application and not others.
anwser
So while it would be really nice to be able to limit which files an access token grants access to unfortunately thats not possible with the exception of limiting it to all the files created by your application using drive.file. Nor is there a way for you to limit what methods the API can do with a access token.
Access tokens are like keys as long as they are valid they can do anything there permissions grant them access to.
Your code.
The way you seam to have created your application is that you have a console application which you run once to return to you a refresh token that grants read access to "A google drive account". You are then using this refresh token to create new access tokens to allow others to access your account. The issue with this is that you are giving them acess to everything on this account. You cant hide anything from them they have full access.
What you should consider doing is creating a service account. A service account is a dummy user. It has its own drive account. There are two ways to use the service account.
- you can upload files directly to the service accounts drive account. Then using the service acccount to serve the files to your users. As it also has access to read from its account.
- You can create a directory on this "otherDrive" account that you are currently using and share it with the service account just like you would share a directory with any other user. The service account will then have access to read from that and only that directory keeping the rest of the drive account secret.
You might find my article on service accounts interesting Google Developer console service account I also have an example for service account with .net you might find useful ServiceAccount.cs
Upvotes: 1
Related Questions
- How to validate google access token inside of .net backend
- Server-side google authorization
- Limit user authorization to my Google domain
- How to set an OAuth Access Token with C#
- Google Drive api .Net Client Simple Authorization with existing access token
- How to limit user to only one access token in ASP.NET Identity
- How to manage API side authorization for Google?
- Restrict API Usage
- Google API & OAuth2
- How to have each user with their own API limits?