
Alessandro Strada edited this page Sep 20, 2019 · 9 revisions

Standard authorization mode

Authorization is provided by a Google App Engine service (the source code of the service is here). When you start the program without specifying a mountpoint,

$ google-drive-ocamlfuse

the executable opens a web browser (using xdg-open or, if xdg-open is not available, by launching firefox or google-chrome) showing a page that asks you to authorize access to your Google Drive. If you allow it, the Google authorization endpoint connects to the GAE service and provides a verification code, which is exchanged for an access token and a refresh token (for offline access). Meanwhile, google-drive-ocamlfuse polls the GAE service, asking for tokens, until it gets them, an error occurs, or a timeout triggers. You might need to close the browser for the executable to continue its operation.

If anything goes wrong, you can safely restart the application, and it will try to recover. If it cannot recover, you should clean the content of ~/.gdfuse/default to start from scratch. Otherwise, if the application can retrieve the tokens, the program will exit and you may then mount the Google Drive filesystem.

google-drive-ocamlfuse also uses the GAE service when it needs to refresh the access token (access tokens are usually valid for 60 minutes). The GAE service has two purposes: to make the authorization process simpler (removing all manual steps), and to avoid exposing the OAuth2 client secret of the application (otherwise anyone could impersonate it).

Alternative authorization mode

If you don't trust the GAE service, there is an alternative way to authorize the application that doesn't involve external services. If you have your own OAuth2 client ID and client secret, you may pass them on the command line (the first time you run the application), e.g.:

$ google-drive-ocamlfuse -id YOUR_CLIENT_ID -secret abcde12345

This way, the application will use your credentials, and will not connect to the GAE service. A browser will be started pointing to an authorization page, and when you allow access to Google Drive, a verification code will be generated. You have to copy this verification code, and paste it in the console where the application is running.

Please enter the verification code: 1/12309afhaskfhlskhfklsfslkhfskhfskskdfh

If everything goes fine, the application will notify you that it has retrieved the tokens from Google.

Access token retrieved correctly.

You can create OAuth2 credentials from the Google APIs Console. Here you can find how to create a new application and here how to set up OAuth 2.0 credentials. When activating APIs, you must select the Drive API. When creating a new client ID, you must select "Installed applications" as Application type and "Other" as Installed application type (Redirect URI should be urn:ietf:wg:oauth:2.0:oob). Check that Drive API is among the Enabled APIs of your Developers Console.
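
The requests behind this mode, as an added example (not code from google-drive-ocamlfuse): the browser URL carries only the client ID, while the code exchange and every later refresh send the client secret, which is why a leaked secret lets anyone act as the application. The endpoint URLs and Drive scope are Google's standard OAuth 2.0 values and are assumptions here; the function names, client ID, code and token response are constructed.

```python
import json
from urllib.parse import urlencode

# Assumed values: Google's standard OAuth 2.0 endpoints and full Drive scope,
# not read from the google-drive-ocamlfuse source.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"
OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"  # redirect URI named on this page

def authorization_url(client_id):
    """URL opened in the browser. It identifies the client but carries no secret."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "client_id": client_id, "redirect_uri": OOB_REDIRECT,
        "response_type": "code", "scope": DRIVE_SCOPE})

def token_request_body(client_id, client_secret, code=None, refresh_token=None):
    """Form body POSTed to TOKEN_ENDPOINT. Both grants need the client secret."""
    if (code is None) == (refresh_token is None):
        raise ValueError("pass exactly one of code or refresh_token")
    body = {"client_id": client_id, "client_secret": client_secret}
    if code is not None:  # first run: exchange the pasted verification code
        body.update(grant_type="authorization_code", code=code,
                    redirect_uri=OOB_REDIRECT)
    else:  # later runs: renew the short-lived access token
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    return urlencode(body)

def parse_token_response(raw, now):
    """Return the tokens plus an absolute expiry time (seconds since epoch)."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError("token endpoint refused: " + data["error"])
    return {"access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),  # absent on refresh
            "expires_at": now + int(data["expires_in"])}

# Constructed sample response (not real tokens); 3600 s is the usual 60 minutes.
SAMPLE_RESPONSE = json.dumps({"access_token": "ya29.constructed",
                              "refresh_token": "1//constructed",
                              "expires_in": 3600, "token_type": "Bearer"})

if __name__ == "__main__":
    print(authorization_url("constructed-id.apps.googleusercontent.com"))
    print(token_request_body("constructed-id.apps.googleusercontent.com",
                             "abcde12345", code="1/constructed"))
    print(parse_token_response(SAMPLE_RESPONSE, now=0))
```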

Revoking access

Anyway, you can always revoke access to Google Drive from here.

Service accounts & device mode

If you want, you can use a service account, which is useful for accessing the users' Drives of a G Suite domain.

You can also use a simpler authorization flow specific for TVs and limited-input devices, but this way you won't have access to all the files in your Drive.