Tags: oauth-2.0, google-drive-api, google-oauth

Google Drive OAuth – Will my app get verified if my redirect URI is localhost?


I am writing a web app that makes use of the Google Drive API and that I plan to distribute for users to run locally.

I am planning to go through the lengthy OAuth verification process but wanted to ask first whether having localhost as the redirect URI would be allowed. I know that when the app is in testing, it's fine, but then I have a limit of 100 users (same as if the app is unverified). So I need to publish.

I see here in the documentation that localhost URIs are exempt from the HTTPS scheme. However, I'm still unsure of whether the localhost URI is allowed for verified apps. Does anyone know or have a link to the documentation that explicitly says this?

From the OAuth 2.0 for Web Servers page


Solution

  • I am writing a web app that makes use of the Google Drive API and that I plan to distribute for users to run locally.

    Users would not normally run a web application locally. Web applications should be hosted on a web server. Web client credentials cannot be verified and run in production using localhost as a redirect URI.

    Have you considered an installed application instead? Desktop apps will run on the user's machine, and you will not have a redirect URI issue, as the standard redirect URI for installed applications is https://127.0.0.1

    I am planning to go through the lengthy OAuth verification process.

    If you are giving this application, as in the source code of the application, to other users, you don't need to verify the application. You cannot give others your client ID and client secret: as part of the TOS you agreed to when you created your project, you agreed not to share it. You will need to instruct the users of your app on how to create their own project and verify it.

    See: Can I really not ship open source with Client ID?

    I see here in the documentation that localhost URIs are exempt from the HTTPS scheme.

    This is only for installed applications; it's not going to work for web applications, and it won't work for production apps.

    There is actually another link you should check: Use secure redirect URIs and JavaScript origins

    [screenshot of the documentation page]

    This page states that you can't use http, and you will normally get:

    [screenshot]

    documentation conflict

    As there seems to be a conflict between Redirect URI validation rules and Use secure redirect URIs and JavaScript origins, I have sent an email off to a contact on the OAuth team to see if we can't get the documentation clarified.
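The installed-app alternative the answer recommends, written out as an added example (this is not code from the question, the answer, or Google's client libraries). It assumes the client ID and client secret come from the user's own Google Cloud project, as the answer says, and that the app is registered there as a Desktop client. The loopback redirect is `http://127.0.0.1:<ephemeral port>/`, which is the form the question notes is exempt from the HTTPS requirement; the endpoint URLs and token-request parameters are taken from Google's public installed-app documentation. `simulate_browser_redirect` is a constructed stand-in for the browser hop so the listener and its `state` check can be exercised offline; `authorize` is the real flow and needs a browser and network.

```python
import base64
import hashlib
import secrets
import threading
import urllib.parse
import urllib.request
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Public Google endpoints for the installed-app (desktop) flow.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive.readonly"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_url(client_id, redirect_uri, state, code_challenge):
    """Authorization URL the user opens in their browser."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": DRIVE_SCOPE,
        "state": state,                    # random per run; checked when the redirect arrives
        "code_challenge": code_challenge,  # PKCE: a stolen code is useless without the verifier
        "code_challenge_method": "S256",
        "access_type": "offline",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def build_token_request(client_id, client_secret, code, code_verifier, redirect_uri):
    """Form body for the code exchange. Google's desktop client type still sends the
    (non-confidential) secret here; it comes from the user's own project, not the author's."""
    return {"client_id": client_id, "client_secret": client_secret, "code": code,
            "code_verifier": code_verifier, "redirect_uri": redirect_uri,
            "grant_type": "authorization_code"}


class LoopbackReceiver:
    """Listens on 127.0.0.1 at an OS-chosen port for exactly one redirect."""

    def __init__(self, expected_state):
        self.expected_state = expected_state
        self.result = None  # {"code": ...} or {"error": ...}
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
                if query.get("state", [None])[0] != receiver.expected_state:
                    # Any local process can hit this port; only a matching state is ours.
                    receiver.result = {"error": "state_mismatch"}
                elif "error" in query:
                    receiver.result = {"error": query["error"][0]}
                elif "code" in query:
                    receiver.result = {"code": query["code"][0]}
                else:
                    receiver.result = {"error": "missing_code"}
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"Authorization received; you can close this tab.")

            def log_message(self, *args):
                pass  # keep the console quiet

        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.redirect_uri = "http://127.0.0.1:%d/" % self.server.server_port

    def wait(self, timeout=300):
        """Block until one redirect arrives (or the timeout) and return the parsed result."""
        self.server.timeout = timeout
        self.server.handle_request()
        self.server.server_close()
        return self.result if self.result is not None else {"error": "timeout"}


def simulate_browser_redirect(receiver, query):
    """Constructed stand-in for the browser: in a real run Google redirects the user here."""
    url = receiver.redirect_uri + "?" + urllib.parse.urlencode(query)
    client = threading.Thread(target=lambda: urllib.request.urlopen(url).read())
    client.start()
    result = receiver.wait(timeout=10)
    client.join(5)
    return result


def authorize(client_id, client_secret):
    """Interactive flow: open the browser, receive the code on loopback, exchange it."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    receiver = LoopbackReceiver(state)
    webbrowser.open(build_auth_url(client_id, receiver.redirect_uri, state, challenge))
    outcome = receiver.wait()
    if "error" in outcome:
        raise RuntimeError("authorization failed: " + outcome["error"])
    body = urllib.parse.urlencode(build_token_request(
        client_id, client_secret, outcome["code"], verifier, receiver.redirect_uri)).encode()
    with urllib.request.urlopen(TOKEN_ENDPOINT, data=body) as resp:
        return resp.read()  # JSON with access_token and (first time) refresh_token
```

Because the listener accepts whatever reaches that port, the `state` comparison is what ties an incoming redirect to this particular run; a redirect carrying someone else's state is reported as `state_mismatch` rather than accepted. PKCE covers the other half of the loopback threat model: a code observed on the machine cannot be exchanged without the verifier held in memory by this process.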