Cloud Storage Providers
- Jon Cameron
- Emily Lynema
- ChrisC
- Mason Ballengee
If configured, collection staff can authenticate to cloud storage providers and select files for upload in addition to a local filesystem. directly from the Browse Everything interface in Avalon (the modal window that appears when “Open Dropbox” is selected on the Manage Files edit page).
Providers
Google (Drive)
Enabling a connection to Google Drive requires the creation of an OAuth 2.0 Client ID through the Google API dashboard.
Steps to Enable
Follow the steps at https://developers.google.com/identity/protocols/oauth2 to create an OAuth 2.0 Client ID for your Avalon instance
First you need a Google Developer Account
Add an OAuth 2.0 credential, take note of the id and secret
Use the Client ID and secret in your Avalon site's settings.yml (see Upgrading Avalon 7.2 to Avalon 7.3 for config details)
Add these configs to Avalon. You can share a Redis instance with Avalon or use a separate one.
dropbox:
google_drive:
client_id: <oauth id>
client_secret: <oauth secret>
# redis_token_store_url: redis://host:port # if different from Avalon's RedisOnce configured, restart the app
Google Drive will now appear as a source in the "Open Dropbox" file picker in Avalon
For instructions, see Connecting to Google Drive
Batch ingest does not work with Google Drive. Use the filesystem or S3 (AWS, MinIO, HCP) adapters for batch ingest.
Microsoft (Sharepoint and OneDrive)
This provider will allow access to files in Sharepoint and OneDrive. It routes through the /me/joinedTeams and /me/drives Microsoft Graph API endpoints and will list Teams that the user belongs to and the user's personal drives at the top level. Within each Team, it will expand to list any child drives or files that the user has permission to access. For technical details see Get access on behalf of a user - Microsoft Graph.
Steps to Enable
Register in the Entra Admin center to receive client_id, client_secret, and tenant_id.
Make sure you specify a Web URI re-direct that points to the redirect_url value as specified in the configuration below.
It is not necessary to add an Access token or ID token because browse-everything uses the auth code flow
Add a new client secret for the application registration (max length is 24 months). Before moving on, copy the secret value for the config file (see below). It will not be accessible in the future.
Add API permissions for the application registration. Select type API permissions → Microsoft Graph → Delegated permissions. If using .default endpoint as your scope, minimum permissions should be:
offline_access
openid
profile
Files.Read
Files.Read.All
Files.Read.Selected
Team.ReadBasic.All
User.Read
Learn more about permissions: Web API app registration and API permissions - Microsoft identity platform
Add these values to Avalon’s settings file. Note that scope is a default value that can be copied over
dropbox:
sharepoint:
# Client id and secret generated for the application by Entra Admin Center
# when registering the app
client_id: CLIENT_ID
client_secret: CLIENT_SECRET
# Tenant (organization) id found in Entra Admin Center
tenant_id: TENANT_ID
# Redirect URI assigned in Entra. For Avalon, should be base host name
# with /browse/connect, e.x. 'http://example.com/browse/connect'
redirect_uri: https://avalon-dev.dlib.indiana.edu/browse/connect
# offline_access is needed for refresh tokens to be issued
# .default allows setting permissions through Entra admin dashboard
scope: offline_access https://graph.microsoft.com/.default