I’m building an app that needs to connect to various Google services. Right now I have successfully implemented OAuth 2.0 device flow for Calendar API and Cloud Print API, and both work perfectly.
However, when I try to use the same authentication method for Google Drive API, I keep getting an “invalid_scope” error. I remember reading somewhere that Google was restricting which scopes work with device authentication, but I’m not sure if this has changed recently.
Has anyone managed to get Drive API working with device flow lately? My clients really need this functionality and I’m wondering if there’s a workaround or if the restrictions have been lifted.
Here’s what I’m sending:
POST /o/oauth2/device/code HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
client_id=my_client_id&scope=https://www.googleapis.com/auth/drive
Hit the same wall six months back building a backup tool. Google’s Drive API scope limitation with device flow is still there and they’re not budging on it. I ended up using authorization code flow with PKCE instead - you get the security without needing a client secret. Set your redirect URI to a custom scheme that bounces back to your app, and it feels almost as smooth as device flow. More setup work upfront, but once users auth once, those refresh tokens stick around way longer than expected. Plus if you’re working with enterprise clients, they usually like this better since it plays nice with their SSO setup.
Google restricted Drive API scope for device flow authentication years ago and it’s still blocked. Device flow only works with Calendar and a few other specific scopes - Drive needs a different auth method. I hit this exact problem when migrating an app last year. My workaround was switching to authorization code flow with a local redirect URI. You can spin up a temporary local server on localhost to catch the callback, which feels pretty similar to device flow for users. It’s more complex to code but gets you full Drive API access without restrictions. You could also try a service account if that works for your setup, though the permissions are different and might not fit what your client needs.
yeah, drive scope’s been blocked forever - super annoying. I switched to the installed app flow instead. it’s a bit clunky since it opens a browser for auth then bounces back to your app, but works great once you’ve got it set up. the google auth libraries handle most of the heavy lifting for ya.