I'm am fetching playlist's details using Youtube API V3 using API key.
I can't find any information about API KEY validity period. I want to make sure I regenerate a new API key for my application before it expires.
The public API key found at the bottom of the Google Developers console APIs & auths -> credentials screen does not expire. This is a key used for accessing public APIs like Playlists.list, it will remain valid for as long as you do not delete the key or delete the project associated with the key. Its main purpose is for Google to keep track of who is using there APIs and to limit the number of requests you may make to prevent spamming the servers. (Quota)
Access tokens are used for Open Authentication access and do expire. Open Authentication (oauth2) is used for accessing non public data, data owned by a user. They are created pragmatically by requesting them from the authentication server using a refresh token and a client id /client secrete. I don't think this is what you are asking about, but I thought I would add it for reference.
Related
I have already used google sheets API before, but it seems now they have new policy, so I can't add the required scope that allows you to write data (in my case - metadata) to a spreadsheet (https://www.googleapis.com/auth/spreadsheets) without verification. (I get 403: "Request had insufficient authentication scopes.")
Is there any way to write data to a spreadsheet, even just for developing (maybe write only to a sheet that I have created as the owner of the project) without verification, or maybe I'm doing something wrong?
According to the Google Sheets API documentation:
When your application requests private data, the request must be authorized by an authenticated user who has access to that data.
Every request your application sends to the Google Sheets API needs to identify your application to Google. There are two ways to identify your application: using an OAuth 2.0 token (which also authorizes the request) and/or using the application's API key.
Therefore, the scope you are using, the https://www.googleapis.com/auth/spreadsheets is the one which allows reading and/or writing acces to the user's sheets and their properties and it requires authorization.
So what you can do to solve your issue, is to use a service account.
You should create one for your project in the API console and then your application will make authorized requests by using the account's credentials to request the access token from the OAuth 2.0 server. Hence, the authentication procedure won't be necessary every time since the application will be calling the API on behalf of the service account.
Furthermore, I suggest you take a look at these links, since they might be of help:
Authorize Request with Google Sheets API v4;
Using OAuth 2.0 for Server to Server Applications;
Using OAuth 2.0 to Acces Google's APIs.
After reading the documents of Google API. I know that if a project we create needs to access private data, we should use oauth. But here is my situation. we will open a business account in Youtube, and we will create a project to push videos to our own account, we don't need to operate other user's' account. Can we use google youtube data api without OAuth?
There are two ways to access private user data with Google APIs.
Strait Oauth2. where you have a consent for asking the owner of the account if you can access it
Service accounts which are technically pre authorized by the developer.
Normally I would say because you are only accessing the one account that you own, use a service account. Unfortunately the YouTube API does not support service account authentication.
Due to the lack of service account support you will have to use Oauth2. I have done this in the past.
Authentication your script once, using a server sided language of some kind. The Authentication server will return to you a Refresh token. Refresh tokens can be used at any time to get a new access token. Access tokens are used to access Google APIs and are only valid for an hour. Save this refresh token someplace. You will then be able to allow access the YouTube account in question when ever you like.
Note: You will have to watch it. Refresh tokens can on rare occasion become invalid. I recommend having a script ready that will allow you to re authenticate the application again storing a new refresh token. Its rare that it happens but it can happen best to be pre-paired.
Oauth Play ground
Part of the point of Oauth is that it identifies your application to Google though the creation of your project on Google developer console. Things like quota and access to which APIs is controlled though that. If you spam the API they will know and shut you down. (never seen this happen)
When you request access of a user it pops up with the name of the project on google developer console. This is identified by the client id and client secrete for that project on google developer console. When I use oauth playground I get asked 'Google OAuth 2.0 Playground would like to ..'
So by using playground you are using Googles client id and client secrete to create a refresh token for yourself. If N other devs are also doing this the quota for YouTube may be used up in the course of a day. Also security wise you are now giving that project access to your data. Ignore that for a second what if google suddenly decides to remove change the client id or generate a new one. Your refresh token will no longer work. What if random dev X is using it as well and he starts spamming everything and the client id gets shut down (Think this happened last year) your going to have to wait for google to upload a new client id for the one that has now been banned.
Google OAuth 2.0 Playground might seam nice but its not for daily use IMO its good for testing nothing more. Create your own project and get your own access its not hard just requires a programing language that can handle a http Post.
My tutorial Google 3 legged oauth2 flow
Does Instagram API policy allows to use
https://instagram.com/{user-id}/media/
endpoint to fetch latests media from iOS app. We tried to use documented
api.instagram.com/v1/users/{user-id}/media/recent
but it requires access token. By investigating Instagram web app I discovered that it is using endpoint from first link for fetching user's data.
The Instagram web app is not using the link you provided, it is using:
GET https://instagram.com/{username}/
And in the response inside a script tag it sets Window._sharedData with all the data including the user's media:
window._sharedData.entry_data.UserProfile[0].userMedia
I am not sure about the policies, but you may fetch and extract this data without calling the API.
But, using the API would be easier and the preferred way. As you are going to fetch some public media, you can use a fixed client_id instead of an access_token to avoid authentication:
Some API only require the use of a client_id. A client_id simply
associates your server, script, or program with a specific
application. However, other requests require authentication -
specifically requests made on behalf of a user. Authenticated requests
require an access_token. These tokens are unique to a user and should
be stored securely. Access tokens may expire at any time in the
future.
The API call:
api.instagram.com/v1/users/{user-id}/media/recent/?client_id={client_id}
Instagram username is not a user-id. you can find user-id by link : http://jelled.com/instagram/lookup-user-id
I want to provide a service using the facebook api to third parties. Is it possible for us to share access tokens? If the third party gives my service a user's access token, can I access that users data even if my app_id & secret do not match the app that requested it?
Should I have the users go through a separate oauth flow on my site even if they have already completed it for the other third party?
Thanks.
-ken
Even that user access token is issued only for one app it can be easily used from any other application.
Example:
Get access token for "Graph API Explorer" application here https://developers.facebook.com/tools/explorer/?method=GET&path=me and make a request - you will see your data.
Copy access token and open other machine|browser and go to https://graph.facebook.com/me?access_token=[access_token] - you still able to retrieve information about your Facebook user!
Here https://developers.facebook.com/docs/concepts/login/access-tokens-and-types/ it mentioned that
Our Data Policies explicitly prohibit any sharing of an Access Token for your app with any other app. However, we do allow developers to share Tokens between a native implementation and a server implementation of the same App (ie. using the same App ID) as long as the transfer takes place using HTTPS.
Regarding:
Is it possible for us to share access tokens?
and,
can I access that users data even if my app_id & secret do not match the app that requested it?
The answer is No. From the specs OAuth2 section 10.3:
Access token credentials (as well as any confidential access token attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued.
Should I have the users go through a separate oauth flow on my site even if they have already completed it for the other third party?
The answer is Yes. If you're using facebook as authorization server, and you restart the oauth flow again, your user will only need to approve your other app (third party).
Each access token is issued only for one app - it cannot be used with different application IDs.
I have a webapp which does a lot of ajax requests with the php server and database server. I have also created an iPhone app and an Android app, which have been working as offline apps till now.
Now I want to create an API which will be used to sync data between web server and smartphone apps. Should I be using OAuth for this? What I have read about OAuth - it seems like it is used if I want to open my API to be used by third party apps. But here I just want to ensure secure transfer of data between API and my own apps.
Can somebody shed some light on this?
The main usage of OAuth is to make third-party apps authorized to access private resources of a user on a website without giving user credentials to the third-party app. For example, suppose that Twitter wants to get the list of contacts from your Yahoo account. The traditional way is to give your username and password to Twitter. But with OAuth, you give them a temporary token (called Access Token) which authorizes Twitter to access your contacts on Yahoo for a limited amount of time (until either this token expires or you, as the owner of private resource, explicitly revoke it).
That said, OAuth is not about securely transmitting data on the web. That's another story which is usually achieved using SSL. Even when you use OAuth, you have to use SSL alongside to make sure data is sent and received securely.
So in your case, you have to see what the API is used for. If it's public API which doesn't give any private data to the callers, there is no need to use OAuth. If the API is for accessing private resources of individual users however, You may consider using OAuth. If you opt to implement OAuth, you may allow other third-party apps to access your API in future without any concern.
Well a lot depends on how you are securing your API. Is your API open to public specially the post urls? If your data is not something which every user should see, then how are you checking the authentication of the user credentials?
Most the important thing is that we should avoid sharing the username and password over the wire to check for authentication all the time. This means, your API should not require username and password to validate if the user is valid. Which you can do by sending the username and password from mobile or device id or some other thing.
In such situation, the OAuth server comes to the rescue. Basically, on one URL a user will send his username and password to get his access token. Once that is acquired, we can use the access token to validate each request and take necessary actions.
You can refer the videos where I have implemented OAuth server in Laravel 5 using bshaffer which is one of the best OAuth library for any PHP framework to user. https://www.youtube.com/watch?v=0vGXbWdtjls