Creating OAuth Credentials for Cloud Storage

Set up your own OAuth app for secure cloud storage connections

What You'll Learn
  • What OAuth is and why it matters for your privacy
  • Understanding Client ID, Client Secret, and scopes
  • How to create OAuth credentials for Google Drive
  • How to create OAuth credentials for OneDrive
  • Which scopes to choose for different use cases

Understanding OAuth

OAuth (Open Authorization) is a standard protocol that allows applications to access your data without exposing your password. When you connect Google Drive or OneDrive to FileFortress, OAuth is what makes that connection possible.

Why Bring Your Own OAuth?

When you use FileFortress's default OAuth application, you're using credentials shared with all other users. By creating your own OAuth app, you get:

  • Complete privacy — FileFortress never touches your access tokens
  • Full control — You decide exactly which permissions (scopes) to grant
  • Independent quota — Your own API limits, not shared with other users
  • Audit trail — See exactly what apps access your data in your provider's dashboard

Key Concepts

Client ID

A public identifier for your OAuth app. Think of it like a username that tells Google or Microsoft which app is requesting access.

Client Secret

A confidential password for your OAuth app. This proves that the app requesting access is really yours. Keep this secure and never share it.

Understanding Scopes

Scopes define what permissions your OAuth app requests. They're like a list of things you're allowing FileFortress to do with your cloud storage. Common scopes include:

Scope               | What It Allows                  | When to Use
--------------------+---------------------------------+--------------------------------------------
drive.readonly      | Read files and folders only     | When you only need to search and view files
drive               | Full read/write access to Drive | When you need to modify or delete files
Files.Read          | Read files in OneDrive          | Basic read-only access for OneDrive
Files.ReadWrite.All | Full access to all files        | When you need write access to OneDrive

Recommendation

For most FileFortress users, read-only scopes are sufficient. FileFortress only needs to read file metadata to build your search index. Only grant write access if you plan to use features that modify files.

Google Drive Setup

Follow these steps to create OAuth credentials for Google Drive:

Step 1: Access Google Cloud Console

Go to the Google Cloud Console and sign in with your Google account.

Step 2: Create a New Project

  1. Click the project selector dropdown at the top of the page
  2. Click New Project
  3. Enter a project name (e.g., "FileFortress OAuth")
  4. Click Create

Tip

You can use an existing project if you prefer, but creating a dedicated project keeps things organized and makes it easier to manage permissions later.

Step 3: Enable the Google Drive API

  1. With your project selected, go to APIs & Services > Library
  2. Search for "Google Drive API"
  3. Click on Google Drive API
  4. Click Enable

Step 4: Configure the OAuth Consent Screen

  1. Go to APIs & Services > OAuth consent screen
  2. Select External as the user type (unless you're a Google Workspace user)
  3. Click Create
  4. Fill in the required fields:
    • App name: FileFortress (or any name you'll recognize)
    • User support email: Your email address
    • Developer contact information: Your email address
  5. Click Save and Continue
  6. On the Scopes screen, click Add or Remove Scopes
  7. Select the scopes you need (see recommendations below)
  8. Click Save and Continue
  9. On the Test users screen, add your Google account email if you're testing
  10. Click Save and Continue

Step 5: Create OAuth Credentials

  1. Go to APIs & Services > Credentials
  2. Click Create Credentials > OAuth client ID
  3. Select Desktop app as the application type
  4. Enter a name (e.g., "FileFortress Desktop")
  5. Click Create
  6. You'll see a popup with your Client ID and Client Secret
  7. Copy both values and store them securely — the Client Secret will not be shown again!

Important

If you lose your Client Secret, you'll need to create new credentials. You cannot retrieve the secret after closing the popup.

Recommended Scopes for Google Drive

# For read-only access (recommended for most users)
https://www.googleapis.com/auth/drive.readonly

# For full read/write access (only if needed)
https://www.googleapis.com/auth/drive

OneDrive Setup

Follow these steps to create OAuth credentials for OneDrive:

Step 1: Access Azure Portal

Go to the Azure Portal and sign in with your Microsoft account.

Note

You don't need an Azure subscription to create OAuth apps. The free tier of Microsoft Entra ID (formerly Azure Active Directory) is sufficient.

Step 2: Register a New Application

  1. Go to Microsoft Entra ID (or search for "App registrations")
  2. Click App registrations in the left sidebar
  3. Click New registration
  4. Fill in the registration form:
    • Name: FileFortress (or any name you'll recognize)
    • Supported account types: Accounts in any organizational directory and personal Microsoft accounts
    • Redirect URI: Select "Public client/native (mobile & desktop)" and enter: http://localhost:0
  5. Click Register

Step 3: Get Your Credentials

After registration, you'll be taken to your app's overview page:

  1. Copy the Application (client) ID — this is your Client ID
  2. In the left sidebar, click Certificates & secrets
  3. Click New client secret
  4. Enter a description (e.g., "FileFortress Secret")
  5. Select an expiration period (we recommend 24 months)
  6. Click Add
  7. Copy the secret Value immediately — it will not be shown again!

Step 4: Configure API Permissions

  1. In your app registration, click API permissions in the left sidebar
  2. Click Add a permission
  3. Select Microsoft Graph
  4. Select Delegated permissions
  5. Search for and add the scopes you need (see recommendations below)
  6. Click Add permissions

Recommended Scopes for OneDrive

# For read-only access (recommended for most users)
Files.Read
User.Read

# For full read/write access (only if needed)
Files.ReadWrite.All
User.Read
offline_access

About offline_access

The offline_access scope allows FileFortress to refresh your access tokens automatically. Without this, you'll need to re-authenticate every hour. We recommend including this scope for a better user experience.

Using Your Credentials with FileFortress

Now that you have your Client ID and Client Secret, you can connect your cloud storage:

# Start the interactive OAuth setup
filefortress remotes add oauth

# Or specify everything upfront (non-interactive)
filefortress remotes add oauth \
  --provider gdrive \
  --name "My Google Drive" \
  --client-id YOUR_CLIENT_ID \
  --client-secret YOUR_CLIENT_SECRET

# For OneDrive
filefortress remotes add oauth \
  --provider onedrive \
  --name "My OneDrive" \
  --client-id YOUR_CLIENT_ID \
  --client-secret YOUR_CLIENT_SECRET

Security Best Practices

🔒 Keep Secrets Secure

Never commit your Client Secret to version control. Use environment variables or secret files.
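
An added example (not part of FileFortress or its documentation) of the secret-file approach: a small shell wrapper that refuses to use a credentials file other users could read, then runs the non-interactive command shown earlier in this guide. The file path, its KEY=VALUE layout, and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not FileFortress code. CRED_FILE's path and its KEY=VALUE
# layout (CLIENT_ID=..., CLIENT_SECRET=...) are assumptions for illustration.
CRED_FILE="${CRED_FILE:-$HOME/.config/filefortress/oauth.env}"

# Print a file's octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only for a regular, non-symlink file with no group/other permissions.
check_secret_file() {
  if [ ! -f "$1" ] || [ -L "$1" ]; then
    echo "not a regular file: $1" >&2
    return 1
  fi
  _mode="$(file_mode "$1")" || return 1
  if [ $(( 0$_mode & 077 )) -ne 0 ]; then
    echo "$1 has mode $_mode; fix with: chmod 600 $1" >&2
    return 1
  fi
}

# Read one KEY=VALUE entry as data; the file is never sourced or executed.
read_cred() {   # $1 = file, $2 = key
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Register a remote using the flags shown in this guide.
add_remote() {  # $1 = provider (gdrive or onedrive), $2 = remote name
  check_secret_file "$CRED_FILE" || return 1
  _id="$(read_cred "$CRED_FILE" CLIENT_ID)"
  _secret="$(read_cred "$CRED_FILE" CLIENT_SECRET)"
  if [ -z "$_id" ] || [ -z "$_secret" ]; then
    echo "CLIENT_ID or CLIENT_SECRET missing from $CRED_FILE" >&2
    return 1
  fi
  # The secret never enters shell history, but it is still an argument and so
  # visible in the process list while filefortress runs.
  filefortress remotes add oauth --provider "$1" --name "$2" \
    --client-id "$_id" --client-secret "$_secret"
}

# Usage: add_remote gdrive "My Google Drive"
```

Keep the credentials file outside any repository working tree. On a machine shared with other users, the interactive setup avoids exposing the secret as a command-line argument.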

📝 Audit Regularly

Review your OAuth app's activity in Google Cloud Console or Azure Portal periodically.

🚫 Use Minimum Permissions

Only request scopes you actually need. Read-only is sufficient for most FileFortress use cases.

🔄 Rotate Secrets

Create new credentials periodically and delete old ones to maintain security.

Publishing Status

Google and Microsoft apps start in "Testing" mode, which works fine for personal use. If you hit user limits (Google allows 100 test users), you may need to submit your app for verification. For personal use with FileFortress, Testing mode is typically sufficient.

Troubleshooting

"App is not verified" Warning

Both Google and Microsoft may show a warning that your app isn't verified. This is normal for personal OAuth apps. Click "Advanced" or "Continue anyway" to proceed. Your app is only accessing your own data, so this warning is just a standard security measure.

Invalid Client or Unauthorized

  • Double-check you've copied the Client ID and Secret correctly
  • Ensure the OAuth consent screen is configured (for Google)
  • Verify the correct API permissions/scopes are added
  • For Google: Make sure you're added as a test user if the app is in Testing mode

Token Refresh Failures

If your connection stops working after some time:

  • For Google: Ensure the app isn't in "Publishing status: In production" without verification if you have sensitive scopes
  • For Microsoft: Check that the offline_access scope was included
  • Try reconfiguring the remote: filefortress remotes add oauth --reconfigure
