Resumable uploads are giving me 403 errors with the PUT requests after creating the upload session.
I've used app level tokens for resumable uploads recently and they worked fine. I previously tried them months ago and they were not working and I remember something about them not being supported.
I don't find that text that states that in the documentation. Are they supported or is there another issue?
Thanks
We tracked down the issue to a new feature that was recently enabled and shut it off. The app-only scenarios should now be working as expected so please let us know if you continue to see issues.
Related
We have a mobile app and our users got a
"sign in with google temporarily disabled for this app"
When they tried to login their YouTube account with iOS (There's no problem with Android devices).
We submitted a verification request long time ago, and we got from YouTube an email (May 26th 2020),(May 26th 2020):
"Hi Adam,
Thanks for working with us on the YouTube API Services compliance review. We have completed your review and do not require any further actions from you at this time.
We may reach out again to re-review your API Client for compliance with YouTube API Services Terms and Policies.
We appreciate your time working with us on this and please continue to comply with the YouTube API Services Terms and Policies."
Since then, nothing had changed and our app hasn't been verified yet, and our users can't connect with their youtube accounts.
What can we do? We are just waiting and we don't even know how to contact YouTube and ask about our specific case/project.
Thanks you,
Adam.
sign in with google temporarily disabled for this app
Means that your application has not been verified by google. You need to go through the verification process.
You can use a project for development without verification. However there are some limitations (more information here). Basically, you have now reached the limit of 100 users accessing the application.
If you still havent heard anything from google after they say they have verified your application I think the only thing you can do is to submit it again and double check that you are using a client that was created under the project that you requested verification for there's really nothing else you can do.
I'm writing an open-source stand-alone desktop app in Java that handles photos, and I'm adding a feature to let users upload pictures to their Google Photos account, but I'm faced with an authentication/security question.
I've registered my project to use the Google Photo API and have downloaded my credentials JSON file. I've been able to use it successfully with the samples from the java-photoslibrary Github project, so all is good.
However, the credentials file contains a "client_secret" key which, if I'm not mistaken, should not be disclosed (am I correct here ?). But those credentials have to somehow be distributed with the app and, as it is open-source, will be basically public. So my question is: How can I authenticate my app's user to his/her Google Photo account without disclosing my app's secret key ?
Note: I've integrated Dropbox upload, and their procedure for desktop apps clearly explains how to authenticate without embedding the secret key in the Desktop app using OAuth's token flow. Is there an equivalent for Google Photos ?
Thanks.
Edit: made some progress (see my own answer below), but after I finally got time to implement it, I realized that after user has authorized the app and a valid code has been returned (Yay!), step 5 (Exchanging the code for a token) again requires the client_secret ! :-(
I tried the call without it but I'm receiving a "client_secret is missing" error, so that's not a typo.
After more search (with the [google-oauth] keyword instead of [oauth-2.0], which says it all), it seems "secret" does not mean it is actually "secret" in Google world. In other terms, it's OK to embed it in your apps because, well, it's secret but it cannot be used in a malicious way (hopefully)...
See answers to these related questions:
Safely distribute OAuth 2.0 client_secret in desktop applications in Python
Why does Google provide a client secret for a Native application?
Integrate oauth2 with native (iOS/Android) mobile application
One Google page even mentions that "In this context, the client secret is obviously not treated as a secret."
Come on Google, explain me how security works :-)
OK I think I found the answer.
Similar to Dropbox, Google can use OAuth 2 with PKCE, they just use the full spelling "Proof Key for Code Exchange", that's probably why I didn't find it at first :-). The details are here:
https://developers.google.com/identity/protocols/oauth2/native-app#obtainingaccesstokens
I didn't find the equivalent process in the Google APIs, but those API are megabytes of classes so I may have missed it. Basically, all it takes is just sending a few requests and listening to the response, so I think I'll implement it from scratch (and will probably also get rid of Dropbox's client libs as the process is so similar).
Hope it helps...
Edit: that doesn't address the point because after the clean PKCE procedure, the app still has to send its private key to exchange the authorization code for a token. See edit in my question
I was using Youtube Data APIto get youtube video but after getting mail from youtube which says api is disable due to inactive.
Youtube Data api not working since it was disabled by youtube because of inactive for 90 Days. I am not able to call(It is enable in API Console) it even with delete and add new delete back. Please help.
Error shows when i am calling from Web Browsers with api Key i also tried to generate new API key also delete and regenerate new api key but still no luck.
"Access Not Configured. YouTube Data API has not been used in project
264969722993 before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/youtube.googleapis.com/overview?project=264969722993
then retry. If you enabled this API recently, wait a few minutes for
the action to propagate to our systems and retry."
There are things you can do to try and solve this issue. This first option is to apply for an API exception by filling out this out this form. I've filled out this form and am waiting for a response.
The second option is to create a new project and use that project to generate an API key. Because Google has only disabled access to the Youtube Data API for your current project, the new project's API key should work just fine. I've tried this and can confirm this works. This is probably the more hassle-free option if you have extra projects to spare as Google only allows 10 projects at any point in time.
I'm in the same position, disabled for no calls in 90 days. You can request an exemption but after about 25 back and forth emails it's clear that it is just a smokescreen. After explaining what it's used for they then wanted screenshots, then videos of you using the application, how we use the videos we pull up, and then a shot of the room where it was being used. They even asked who made the video we were looking at (we have no idea!). They want your whole business model and what you do. It was just never ending questions and more stuff to send them. After about 2 1/2 months of slow back and forth, I get a message saying I am out of compliance.
Our application uses YouTube to pull up videos for manufacturers product for research and training in a small training/conference room for internal use only. That's all!
Nothing was out of compliance.
This is the email we received:
Hello ,
We have reviewed your quota extension request for project number
#### and have revoked the allocated quota for your API Client(s) as it is out of compliance on the following YouTube API Services -
Developer Policy:
Policy F. 1 (User Experience - YouTube Look and Feel) Please do not
reply to this email, you may complete and submit this form to re-apply
once the above concern has been addressed.
Thanks, YouTube API Services team
The form link in the email is just a link to start the whole process over again.
According to YouTube policy
If your API Client's quota is reduced or eliminated, you may reapply for quota or a quota extension, and YouTube will review that application based on YouTube’s determination of your expected use of the YouTube API Services.
https://developers.google.com/youtube/terms/developer-policies
I suggest reapplying.
To add to avatarhzh's answer:
If you have already used up your initial cap of max. 12 projects and your channel is a brand account and you do not want to go through the process of applying for more quota/getting back your previous quota, you can also create new projects on a different google account and then add that account to your channel as a manager. It is then possible to access your channel through this new account via the youtube data API.
If your channel is not a brand account yet, you can move your channel to a brand account. This allows you to add different google accounts as managers/co-owners of the channel. Warning: certain things (e.g. comments) cannot be transferred when moving to a brand account.
My App used to work fine and upload without any issues, but now I'll get Error 401 and the solution seems to be re-authenticating according to the documentation. The thing is, I do not know if that refers to something I can do on the Dropbox Developer Console or if it's something that I must do on my App.
Using version 2 of the API. A while back I had to switch to oauth2 authentication to continue to get keywords in my JSON responses. I did that and it worked fine for a while, but now keywords have disappeared from authenticated requests. I confirmed that it was not just my code by testing at https://developers.google.com/oauthplayground/
Anybody know what's going on?
After re-reading the blog post announcing the change I see the keywords will only be available to authenticated users and then only on individual videos. I did some testing and requested an individual video sure enough there they were.