Feat: Google drive supports web-based credentials (#11173)

### What problem does this PR solve? Google drive supports web-based credentials. <img width="1204" height="612" alt="image" src="https://github.com/user-attachments/assets/70291c63-a2dd-4a80-ae20-807fe034cdbc" /> ### Type of change - [x] New Feature (non-breaking change which adds functionality)
2025-12-08 12:32:30 +08:00 · 2025-11-11 17:21:08 +08:00
parent 8ddeaca3d6
commit d81e4095de
8 changed files with 754 additions and 27 deletions
--- a/common/data_source/config.py
+++ b/common/data_source/config.py
@ -190,6 +190,7 @@ OAUTH_GOOGLE_DRIVE_CLIENT_ID = os.environ.get("OAUTH_GOOGLE_DRIVE_CLIENT_ID", ""
 OAUTH_GOOGLE_DRIVE_CLIENT_SECRET = os.environ.get(
    "OAUTH_GOOGLE_DRIVE_CLIENT_SECRET", ""
 )
+GOOGLE_DRIVE_WEB_OAUTH_REDIRECT_URI = os.environ.get("GOOGLE_DRIVE_WEB_OAUTH_REDIRECT_URI", "http://localhost:9380/v1/connector/google-drive/oauth/web/callback")

 CONFLUENCE_OAUTH_TOKEN_URL = "https://auth.atlassian.com/oauth/token"
 RATE_LIMIT_MESSAGE_LOWERCASE = "Rate limit exceeded".lower()
--- a/common/data_source/google_util/constant.py
+++ b/common/data_source/google_util/constant.py
@ -47,3 +47,57 @@ USER_FIELDS = "nextPageToken, users(primaryEmail)"
 # Error message substrings
 MISSING_SCOPES_ERROR_STR = "client not authorized for any of the scopes requested"
 SCOPE_INSTRUCTIONS = ""
+
+
+GOOGLE_DRIVE_WEB_OAUTH_POPUP_TEMPLATE = """<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <title>Google Drive Authorization</title>
+  <style>
+    body {{
+      font-family: Arial, sans-serif;
+      background: #f8fafc;
+      color: #0f172a;
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      justify-content: center;
+      min-height: 100vh;
+      margin: 0;
+    }}
+    .card {{
+      background: white;
+      padding: 32px;
+      border-radius: 12px;
+      box-shadow: 0 8px 30px rgba(15, 23, 42, 0.1);
+      max-width: 420px;
+      text-align: center;
+    }}
+    h1 {{
+      font-size: 1.5rem;
+      margin-bottom: 12px;
+    }}
+    p {{
+      font-size: 0.95rem;
+      line-height: 1.5;
+    }}
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>{heading}</h1>
+    <p>{message}</p>
+    <p>You can close this window.</p>
+  </div>
+  <script>
+    (function(){{
+      if (window.opener) {{
+        window.opener.postMessage({payload_json}, "*");
+      }}
+      {auto_close}
+    }})();
+  </script>
+</body>
+</html>
+"""
--- a/common/data_source/google_util/oauth_flow.py
+++ b/common/data_source/google_util/oauth_flow.py
@ -3,9 +3,15 @@ import os
 import threading
 from typing import Any, Callable

+import requests
+
 from common.data_source.config import DocumentSource
 from common.data_source.google_util.constant import GOOGLE_SCOPES

+GOOGLE_DEVICE_CODE_URL = "https://oauth2.googleapis.com/device/code"
+GOOGLE_DEVICE_TOKEN_URL = "https://oauth2.googleapis.com/token"
+DEFAULT_DEVICE_INTERVAL = 5
+

 def _get_requested_scopes(source: DocumentSource) -> list[str]:
    """Return the scopes to request, honoring an optional override env var."""
@ -49,6 +55,62 @@ def _run_with_timeout(func: Callable[[], Any], timeout_secs: int, timeout_messag
    return result.get("value")


+def _extract_client_info(credentials: dict[str, Any]) -> tuple[str, str | None]:
+    if "client_id" in credentials:
+        return credentials["client_id"], credentials.get("client_secret")
+    for key in ("installed", "web"):
+        if key in credentials and isinstance(credentials[key], dict):
+            nested = credentials[key]
+            if "client_id" not in nested:
+                break
+            return nested["client_id"], nested.get("client_secret")
+    raise ValueError("Provided Google OAuth credentials are missing client_id.")
+
+
+def start_device_authorization_flow(
+    credentials: dict[str, Any],
+    source: DocumentSource,
+) -> tuple[dict[str, Any], dict[str, Any]]:
+    client_id, client_secret = _extract_client_info(credentials)
+    data = {
+        "client_id": client_id,
+        "scope": " ".join(_get_requested_scopes(source)),
+    }
+    if client_secret:
+        data["client_secret"] = client_secret
+    resp = requests.post(GOOGLE_DEVICE_CODE_URL, data=data, timeout=15)
+    resp.raise_for_status()
+    payload = resp.json()
+    state = {
+        "client_id": client_id,
+        "client_secret": client_secret,
+        "device_code": payload.get("device_code"),
+        "interval": payload.get("interval", DEFAULT_DEVICE_INTERVAL),
+    }
+    response_data = {
+        "user_code": payload.get("user_code"),
+        "verification_url": payload.get("verification_url") or payload.get("verification_uri"),
+        "verification_url_complete": payload.get("verification_url_complete")
+        or payload.get("verification_uri_complete"),
+        "expires_in": payload.get("expires_in"),
+        "interval": state["interval"],
+    }
+    return state, response_data
+
+
+def poll_device_authorization_flow(state: dict[str, Any]) -> dict[str, Any]:
+    data = {
+        "client_id": state["client_id"],
+        "device_code": state["device_code"],
+        "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
+    }
+    if state.get("client_secret"):
+        data["client_secret"] = state["client_secret"]
+    resp = requests.post(GOOGLE_DEVICE_TOKEN_URL, data=data, timeout=20)
+    resp.raise_for_status()
+    return resp.json()
+
+
 def _run_local_server_flow(client_config: dict[str, Any], source: DocumentSource) -> dict[str, Any]:
    """Launch the standard Google OAuth local-server flow to mint user tokens."""
    from google_auth_oauthlib.flow import InstalledAppFlow  # type: ignore