"This app is blocked" on read_only access

[dv-rastogi]

Hi!
I tried the following code snippet:

import gdrivefs
from urllib.parse import urlparse

repo_url = 'https://drive.google.com/drive/folders/some-folder-id?usp=sharing'
parsed = urlparse(repo_url)
folder_id = parsed.path.split('/')[-1]
gdfs = gdrivefs.GoogleDriveFileSystem(token='browser', root_file_id=folder_id, access='read_only')
print(gdfs.ls(""))

On running the above, I get an OAuth2 URL which I use to authorize the application (PyData Authentication). Upon visiting the link, I get the following error:

Kindly note the access='read-only' argument. I don't get the error with access='full_control'.
Any and all help will be appreciated! Thanks!

[martindurant]

@tswast

I don't get the error with access='full_control'

This might mean that a previous auth was cached.

[dv-rastogi]

Hi @martindurant!
I don't think that my previous auth is cached.
I confirmed that with the absence of the credentials json stored at pydata_google_auth.cache.READ_WRITE._path

[martindurant]

I was a guess. I am hoping @tswast can clarify what's going on.

[tswast]

I see gdrivefs is using pydata-google-auth without overriding client_id and client_secret

gdrivefs/gdrivefs/core.py

Line 96 in d374a21

return pydata_google_auth.get_user_credentials(self.scopes)

This means it's limited to the scopes which have been approved for the pydata-auth GCP project.

Currently only the https://www.googleapis.com/auth/cloud-platform scope is approved. I recall that https://www.googleapis.com/auth/drive also used to be approved, but that no longer appears to be the case.

Likely the same issue reported here: pydata/pydata-google-auth#49

My recommendation is to create a GCP project specifically for gdrivefs and go through the steps described here: https://developers.google.com/apps-script/guides/client-verification

I attempted to add drive scopes again, but got back this response from the verification team:

Consistent Branding

Under the Google API Services User Data Policy, your project must accurately show its identity to users when it requests access to their data.

To fix any issues, please update the icon and other relevant content on the OAuth Consent Screen of the Google API Console. Make sure your project accurately shows its true identity to Google users.

App Demonstration Video

Every OAuth project that requests sensitive scopes must provide a YouTube video of their app that follows these requirements:

Video is publicly accessible.
OAuth Consent Screen is in English.
OAuth Consent Screen shows the App Name.
URL bar of the OAuth Consent Screen fully displays the Client ID in your project which contains the project_number (This is not required for native Android and iOS apps).
Video shows the OAuth grant process that users will go through.
Video shows how the data will be used by showing functionality for each sensitive and restricted scope you've requested.
Video shows how data is accessed on each OAuth client.

While these challenges probably aren't insurmountable, I don't have time at the moment to dedicate to this.