A simple self-hosted web app for authorising selected Google API OAuth2 scopes via self-defined API credentials. Supports Google Drive, Google Photos and YouTube.
This app gives users an intuitive, straightforward way to complete the OAuth authorisation flow and grant a chosen level of access to specific Google services, using self-defined API client credentials, to third-party apps such as rclone and alist.
Rclone hardcodes the redirect URI to http://localhost:53682 for Google Drive. This means that you'd always need to complete the OAuth2 flow on another machine that has a GUI environment. With this app that concern goes away: you can complete the OAuth2 flow for a new rclone remote remotely here, with no GUI required on the machine. You can also customize each scope and its respective permission, which gives fine-grained control over access.
I built this app with privacy and data protection in mind. I have security and privacy concerns over public services that offer to generate tokens or refresh code. For one, I might have ended up granting broader scopes than necessary in a public token generator when the app would work just the same with just enough privilege and level of access. Number two, the public token generator will definitely have access to the finalized token, which can then be used to access whichever scopes you've granted previously. What its operator does with it is anyone's guess.
Thus, I decided to take it upon myself to provide a GUI option for users who wish to grant third-party access to specific Google services but opt for a custom API client instead.
Important
Please refrain from using the demo app I've deployed to generate access tokens; please deploy your own copy instead.
- supports headless machine, GUI environment is not required for completing OAuth 2.0 flow
- self-hosted, full control over your own data
- privacy-oriented, manually clear session anytime you want to start over or exit
- clears record every 12 hours
- open-source
- light-weight design
- cookie support, remembers last used state
- fine-grained control over level of access (read-only or full access)
- convenient deployment via Streamlit
Prerequisites
- Head over to the Google Cloud console, create your project if you haven't already and download your client secret. Make sure to select 'Web application' from the 'Application type' dropdown menu when you're creating the OAuth client ID.
- Under the 'Authorised redirect URIs' section, fill in the redirect URI at which your app is hosted. For example, in a local Streamlit environment, the app is usually hosted at http://localhost:8501. Copy or rename .streamlit/secrets.toml.sample to .streamlit/secrets.toml and ensure the redirect URI specified in the Google Cloud Project->Credentials->OAuth client ID section matches that of the .streamlit/secrets.toml file. Once again, ensure both values are the same and end with this exact trailing path, /callback. For example, http://localhost:8501/callback
- Finally, download the credential JSON file for your OAuth2 client ID.
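A consistency check for the two values the prerequisites ask you to keep identical, as an added example that is not part of this repository. It takes the redirect URI you wrote into .streamlit/secrets.toml as a plain string (no key name in that file is assumed) plus the contents of the downloaded client JSON; the function name and the sample JSON are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a downloaded OAuth client file (placeholder values only).
SAMPLE_CLIENT_JSON = json.dumps({
    "web": {
        "client_id": "EXAMPLE-ID.apps.googleusercontent.com",
        "client_secret": "EXAMPLE-SECRET",
        "redirect_uris": ["http://localhost:8501/callback"],
    }
})


def check_redirect_uri(configured_uri: str, client_json: str) -> list[str]:
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    client = json.loads(client_json)

    # A 'Web application' client is stored under the "web" key;
    # a desktop client is stored under "installed" instead.
    web = client.get("web")
    if web is None:
        return ["client file has no 'web' section: wrong application type"]

    parts = urlsplit(configured_uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        problems.append("redirect URI is not an absolute http(s) URL")
    if not parts.path.endswith("/callback"):
        problems.append("redirect URI must end with /callback")
    # Plain http is only reasonable for a loopback deployment.
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        problems.append("non-local redirect URI should use https")
    # Google compares redirect URIs as exact strings, so no normalisation here.
    if configured_uri not in web.get("redirect_uris", []):
        problems.append("redirect URI is not listed in the client's redirect_uris")
    return problems


if __name__ == "__main__":
    for uri in ("http://localhost:8501/callback", "http://localhost/8501/callback"):
        print(uri, "->", check_redirect_uri(uri, SAMPLE_CLIENT_JSON) or "OK")
```

An empty result means the authorisation request will not be rejected for a redirect URI mismatch; any listed problem should be fixed in the Google Cloud console or in secrets.toml before deploying.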
Direct Deployment (recommended)
- You may deploy this app locally or remotely. Ensure you have python3 installed.
- Get a copy of this repository via git clone (forking your own copy is recommended) and in your CLI, head over to the project root.
- Install packages with: pip install -r requirements.txt
- Start the app with: streamlit run Home.py
- You should see your app up and running at port 8501, or at whichever port is specified in the terminal if 8501 is already occupied.
via Streamlit Community Cloud
- Sign in or register here.
- Click the 'fork' button on the top right corner of my demo app to fork and deploy your own copy.
- Fill in the GitHub repository containing the source code, for example eattrenclenhard/Sho-Time or your own repo.
- Select 'Home.py' as the entry point under 'Main file path'.
- Fill in the base URL of your app; it has to match that of step 6.
- In 'Advanced settings', fill in the URL where your app is going to be hosted on Streamlit. Remember, it has to match one of the URIs you filled in earlier in the Google Cloud console Client ID section and has to match that of step 5.