Scoped token based authentication #7

@pikausp

I would absolutely love scoped tokens and their management in Drive WebApp which would be used to authenticate accounts (whether they use 2FA or not).

Ideally a user could create a token which can have multiple different scopes. This token has an expiration, but can be extended (similar to WireGuard credentials). The scope definition consists of:

  • Permitted actions
  • Optional path prefix

As a result we don't need to use account credentials anywhere, it doesn't pose issues with 2FA and we are not giving a tool full control over the account. Personally I would find this to be somewhat of the minimum for a new SDK.

Pseudo definition of a token

{
  "alias": "My backup token",
  "scopes": [
    {
      "operations": ["downloadData"],
      "path": "/tools/prereq"
    },
    {
      "operations": ["createFile", "createNewFile", "createDirectory", "listDirectory", "downloadData", "deleteData", ...],
      "path": "/backups/mx10-12"
    },
    {
      "operations": ["listDirectory"],
      "path": null
    }
  ]
}

Having a separate permission for creating/uploading a file and creating/uploading a new file would be very helpful. The distinction should be that createNewFile fails to upload a file when another matching (path/name) file exists. Our use case is that a tool needs access to a shared folder, but there is a strong desire to have a guarantee of other files not being overwritten.
