One way in which Google have improved the security of Google Drive APIs in the last few years is by eliminating support for older browsers and authentication mechanisms. For this reason, the plugin is enhanced with approved techniques using Google Sign-in.

Successful authorization results in Google issuing an authorization token - thus you usually only need to authorize a new database once.

Authorization Walkthrough

When you invoke a sync command from the plugin menu, the plugin will determine if first you need to authorize. If so, it will display this prompt window:

Authorization Prompt

This prompt notifies you that your consent is needed to operate the plugin. Because the plugin also opens the Windows-default web browser application, the prompt and KeePass may become hidden behind the Google Sign-in page display. The image below shows the plugin waiting for the user enter credentials in the Google Sign-in page. The Google Sign-in page may have a different appearance if the browser is already signed on to Google.

Prompt and Google Sign-in Page

After you successfully sign on in the browser, the Google authentication service may prompt you confirm your consent, showing a page similar to the image below:

Google Authorization Confirmation

While this warning is true, please understand that the plugin only accesses Drive files that have the same name as your KeePass database file. The plugin does not access, create, or delete any Drive file or folder except the KeePass database it is configured to access.

If you click Allow above, you may then be prompted to affirm, as shown:

Google Authorization Confirmation

After you click Allow, the browser will show a “return to KeePass” message. The plugin will automatically close the prompt dialog, and begin processing the command that initiated the authorization sequence. If the command was Sync with Drive, KeePass will show a message in its status bar after the command completes successfully, such as shown below.

Sync complete status

Authorization Issues

If Google Sign-in does not authorize the plugin, the browser may display an error such as this:

KGS 3.0 credentials retired

If this or a similar error message appears, try the following configuration options:

Authorization Tokens

When you successfully authorize, the Google Sign-in service issues an authorization token which the plugin saves to the database. This token is proof of your consent, and the plugin will henceforth send it in each request to use the Google Drive API.

Because the token is securely saved in the database, you can use plugin commands without reauthorizing each KeePass session.

Occasionally however, reauthorization will be required. There are basically only two conditions which require the plugin to obtain a new authorization token:

  • Syncing a new database.
  • Expired or authorization tokens retired by Google saved in an existing database.

The latter case can occur when an authorization granted to this or the old plugin for an existing database expires, or is inadvertantly revoked by a Google “security checkup” initiated by an unwary user.

The plugin initiates the authorization sequence whenever a command requires a new or refreshed token.

KeePass Sync for Google Drive™

Secure sync automation with Drive.