I’m working on a Chrome extension that needs to connect with Google Drive API. I’m confused about which authentication method to use because I’m getting different recommendations from different sources.
The Chrome extension docs suggest using OpenID for user authentication. But when I look at Google Drive API documentation, they recommend OAuth2 instead.
I’m not sure if I should implement both authentication methods or just pick one. My main concern is what happens when a user signs in through OpenID first, and then tries to access a file from their Google Drive. Will I be able to connect these two authentication sessions to the same user account? Or do I need to handle this differently?
Has anyone dealt with this kind of authentication setup before? What’s the best approach here?
I’d say go with OAuth2. Tried both and it just got messy - really complicated. OAuth2 is what Google’s APIs use, so you get both auth and access seamlessly. OpenID is more for just user ID when you don’t actually need their data.
In my experience with similar projects, I recommend focusing solely on OAuth2 for your Chrome extension integrated with Google Drive. OpenID Connect is indeed built on OAuth2, but for accessing Google Drive, OAuth2 is the standard approach. When you implement OAuth2, you not only authenticate the user but also gain access to their Drive resources seamlessly. Requesting the necessary scopes at the beginning allows you to streamline the consent process, ensuring a smoother user experience while maintaining security.
Google uses OpenID Connect, which sits on top of OAuth2 - so you’re not really picking between different systems. The docs just use different terms for the same protocol, which confuses everyone. For Chrome extensions hitting Google Drive, go with chrome.identity API and OAuth2 flows. It handles user auth and API permissions at once. Just make sure you request the right scopes upfront - throw in both identity scopes and Drive API scopes. That way you authenticate the user and grab Drive access in one shot, no juggling separate auth flows or dealing with session headaches.
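The single-flow approach the answers above describe, as an added example that is not part of the original thread: one `chrome.identity` token carries both the identity scopes and a Drive scope, so the user's `sub` and their Drive files come from the same grant. The scope list (with the narrow `drive.file` scope), the `<YOUR_CLIENT_ID>` placeholder, and the helper names `getToken`, `authedGet` and `loadUserAndFiles` are assumptions for illustration.

```javascript
// Assumed manifest.json entries: "permissions": ["identity"] and
// "oauth2": { "client_id": "<YOUR_CLIENT_ID>", "scopes": [ ...same list as SCOPES ] }
const SCOPES = ["openid", "email", "https://www.googleapis.com/auth/drive.file"];
const USERINFO_URL = "https://openidconnect.googleapis.com/v1/userinfo";
const DRIVE_FILES_URL = "https://www.googleapis.com/drive/v3/files?pageSize=10";

// Promise wrapper around the callback form of chrome.identity.getAuthToken.
function getToken(api, interactive) {
  return new Promise((resolve, reject) => {
    api.identity.getAuthToken({ interactive, scopes: SCOPES }, (token) => {
      const err = api.runtime.lastError;
      if (err || !token) reject(new Error(err ? err.message : "no token granted"));
      else resolve(token);
    });
  });
}

// GET with the bearer token; on 401 evict the cached token and retry once,
// so a revoked or expired token is not reused from Chrome's cache.
async function authedGet(url, api, fetchFn) {
  let token = await getToken(api, true);
  let res = await fetchFn(url, { headers: { Authorization: `Bearer ${token}` } });
  if (res.status === 401) {
    await new Promise((done) => api.identity.removeCachedAuthToken({ token }, done));
    token = await getToken(api, true);
    res = await fetchFn(url, { headers: { Authorization: `Bearer ${token}` } });
  }
  if (!res.ok) throw new Error(`request failed: HTTP ${res.status}`);
  return res.json();
}

// One consent, one grant: the userinfo claims and the Drive listing are both
// fetched with tokens issued for the same signed-in account and scope set.
// api and fetchFn default to the extension globals; they are parameters only
// so the flow can be exercised outside the browser.
async function loadUserAndFiles(api = chrome, fetchFn = fetch) {
  const user = await authedGet(USERINFO_URL, api, fetchFn);
  const drive = await authedGet(DRIVE_FILES_URL, api, fetchFn);
  return { sub: user.sub, email: user.email, files: drive.files };
}
```

With `drive.file` the listing only contains files the extension created or the user opened with it; a broader Drive scope widens what a leaked token can reach.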