Google Drive embed viewer broken authentication #4459
davidjgraph
started this conversation in
General
Update: 24.5.1 is released with the scope changed to drive.file. We're working on more informative messaging in the error displayed.
New attempts to authenticate users to embed Google Drive located files using viewer.diagrams.net will fail currently with a message stating the app is blocked.
The viewer uses a Google Cloud project with specific scopes that indicate which permissions it has. At some point on or before 3rd June 2024, Google disabled the verified status of the project, without informing us. We knew nothing about this until a user pointed the issue out.
This isn't unusual for Google, they change the status of projects and disable apps without notification (for those who remember #4212). The reason is likely due to our use of drive.readonly scope, https://developers.google.com/drive/api/guides/api-specific-auth, which is a restricted scope.
The preferred scope is drive.file, which is the scope used for the app with app.diagrams.net. The problem with drive.file, in the context it’s used as a viewer, is if a user has not opened the file with the diagrams.net editor then they won’t be able to view the diagram with the viewer. Thus, you'll end up with a lot of users being shown that they don't have permission to view the file, whereas their Google permission is correct.
After a number of emails incorrectly explaining the problem, we have an email saying we need to perform a CASA audit for the viewer, which is a minimum of 6 weeks. Since we cannot leave the viewer auth broken for that long, we'll have to just switch to drive.file, using the existing project ID of app.diagrams.net.
If you get cases of users no longer being able to view diagrams, we should be able to implement a link to drive.google.com with a prompt to open the file from drive first.
If you can make the Google Drive file public, that will avoid this problem.