Use case - your site uses an embedded YouTube player. The player has full controls so a user can like/dislike a video from the player that is embedded in your site.
Problem - ensuring the account a person is logged into in YouTube and then performs like/dislike actions with is the account you expect.
Is there any way to determine what YouTube account a user is logged into?
If not logged in at all, Google+ JavaScript API's checkAuth() method can determine that.
But let's say a user is not logged in. You have Auth flow on your site that allows a user to log into their google account. They log into their account on your site. So checkAuth() comes back as signed-in. But then in a new tab, the user goes directly to YouTube and switches which account they are logged into YouTube as. Your checkAuth() method is going to show that they are signed-in as their original account.
But they will be logged into YouTube as a different account now, and now the actions of like/dislike they perform on videos embedded in a YouTube player on your site will link to their newly switched over account. And this would be very bad behavior. We want to ensure that a user is performing actions like/dislike on the account you expect them to, the right account, the one they originally signed in with your auth flow as.
I would love to know how, if there is a way, to determine what account a user is currently logged into YouTube as.
Any help or ideas would be super awesome. Thanks!
Related
In my app I am using the Vimeo Advanced API and retrieving the videos and other user details. Everything is good, but is there a sign-out API for Vimeo so that the user can sign out and another user can sign in? Is there any other technique to achieve that?
With the Advanced API, all authentication is stateless. The token you provide defines the user you have authenticated as.
There is no concept of "logging out" a user because technically a user is never "logged in" for more than one request.
If you wish to allow a different user to log in, simply stop sending the old access token and request one for a different user.
I am trying to achieve the following:
an authenticated user uploads a video on my web application
my web app stores the video, logs it in our database etc. then connects to a Google account and makes a request to upload the video to a YouTube channel within that Google account
I've created the Google account, enabled the YouTube API, configured OAuth 2.0 access etc, but I'm not sure that any of the documented workflows meet my requirements. (For example I don't want any user interaction as part of the authentication process).
It looks like a Service Account ( https://developers.google.com/accounts/docs/OAuth2ServiceAccount ) is what I need, however these accounts don't appear to support all Google APIs, or at least not YouTube.
Does anyone have any advice / has anyone implemented something similar?
When you say ... "For example I don't want any user interaction as part of the authentication process", how will that work?
The user might not be logged in to Google, or might be logged in to multiple accounts so will have to choose which account to use for your app. So the potential for user interaction is unavoidable.
Once the user has authorised your app, logged on to your app (i.e. accessed it and you've stored his user id in the session), then future accesses will be devoid of user interaction; at least until he logs off.
The difference between service accounts and user accounts is not the auth flow. The difference is that with a user account, the API access is by the user via your app (so the video will be "owned" by the user). With a service account, your app IS the user (so the video will be owned by you).
I'm not saying that Service Account is wrong for you, just that your reason for going that way is not quite right.
I've got a client who is a business. They are using Google Apps for Business (the paid version), and have created a Google Apps email account. Using this email account, we logged into YouTube and went to create a channel. Because they are a business, we created a BUSINESS YouTube Channel with the associated BUSINESS Google+ Page.
They also have a vendor who is using the YouTube API to upload their videos for them. However when the vendor tries to use the API, they get the error "no linked youtube account". We're thinking that this is because as a Google+ Business Page, the page is not associated with a single Google Account, but rather multiple Google Accounts can be set as "managers" of the page.
When we tried to create a "personal" YouTube Channel/Google+ Page associated with this email address, we tried to put the company name in as the First Name / Last Name and it rejected it because it says that it's a company name and not a real person's name. It also asks for gender and birthdate, and all of those things associated with a person and not a business.
My question is... is there a way around this issue? Can you use the YouTube API to upload with a Google+ Business Page and a YouTube Business Channel?
Thanks,
Justin
You should be able to create a Google+ Page and a corresponding YouTube account. Here's a blog post explaining the steps.
To clarify this example, I have a Google+ page (somewhat inactive) for Cloud Hulk, a joke name my old teammates gave me. When I go to the top right corner of YouTube.com, I can select "switch account".
Now when I click on it, the very first time I do it, it asks me to create a channel. If I do not do this step, the YouTube API will return a "no linked YouTube account" error. I confirm the change:
Now that I'm logged in, I should see this in the top corner of YouTube.com:
When I'm doing the OAuth 2.0 authorization flow, I'll be presented with a list of channels to authorize as:
You can test this out by going to the API reference and clicking on "Authorize Requests Using OAuth 2.0" under "Try it Now".
I'm using OmniAuth in Rails to authenticate users through YouTube OAuth.
I have several Google/YouTube accounts. Two of them log in just fine. Two of them fail with "invalid_credentials".
I'm not entirely sure what that error means; it doesn't appear in the OAuth 2 spec.
I'm successfully logged into all four of these accounts on the Google side using multiple sign-in, so it's not that I'm logging in incorrectly. Two of the accounts work, so it's not that my API key is bad.
What's going on?
I've got the answer.
They're returning invalid_credentials because there's no YouTube account associated with the user who's trying to log in.
But! I did make sure to log into YouTube with those accounts before trying to log into my app. Turns out that's not enough.
In this brave new world, Google users can log into YouTube without actually creating a YouTube account. In the YouTube UI, a YouTube account is a "channel". It is now possible to log into YouTube and not have a channel.
To create a channel, click the user menu (represented by your profile picture) in the top-right corner of the page and click "My Channel". You'll be prompted to create one.
Then you can log in with YouTube OAuth.
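The "no linked youtube account" error in the earlier question and the invalid_credentials failure in this answer both trace back to a Google account that has no channel. As an added example (not code from either answer), here is a Ruby preflight that classifies the response to a YouTube Data API v3 `channels.list` call made with `mine=true`, so the app can tell the user to create a channel instead of failing later. The helper names and sample bodies are constructed, and treating an empty `items` list or the `youtubeSignupRequired` reason as "no channel" is an assumption about that API.

```ruby
require "json"

# Constructed sample bodies, shaped like YouTube Data API v3 responses to
# GET /youtube/v3/channels?part=id&mine=true (all values are made up).
WITH_CHANNEL = '{"kind":"youtube#channelListResponse","items":[{"id":"UC_constructed_example"}]}'
NO_CHANNEL   = '{"kind":"youtube#channelListResponse","pageInfo":{"totalResults":0}}'
SIGNUP_ERROR = '{"error":{"code":401,"errors":[{"reason":"youtubeSignupRequired"}]}}'
QUOTA_ERROR  = '{"error":{"code":403,"errors":[{"reason":"quotaExceeded"}]}}'

# Hypothetical helper: classify one channels.list(mine=true) response.
# Returns [:linked, ids], [:no_channel, []] or [:error, reasons].
def classify_channel_response(http_status, body)
  data = JSON.parse(body)
  return [:error, ["unexpected JSON shape"]] unless data.is_a?(Hash)

  if data["error"].is_a?(Hash)
    reasons = Array(data["error"]["errors"])
              .map { |e| e["reason"] if e.is_a?(Hash) }.compact
    # Assumption: this reason marks a Google account that has no channel yet.
    return [:no_channel, []] if reasons.include?("youtubeSignupRequired")
    return [:error, reasons.empty? ? ["http #{http_status}"] : reasons]
  end
  return [:error, ["http #{http_status}"]] unless http_status == 200

  ids = Array(data["items"]).map { |i| i["id"] if i.is_a?(Hash) }.compact
  ids.empty? ? [:no_channel, []] : [:linked, ids]
rescue JSON::ParserError
  [:error, ["body is not JSON"]]
end

# Hypothetical gate run right after the OAuth callback, before any upload
# or rating call is attempted with the new token.
def login_decision(http_status, body)
  state, detail = classify_channel_response(http_status, body)
  case state
  when :linked
    { allow: true, channel_ids: detail }
  when :no_channel
    { allow: false, prompt: "Create a YouTube channel, then sign in again." }
  else
    { allow: false, prompt: "YouTube check failed: #{detail.join(', ')}" }
  end
end
```

Storing the returned channel id alongside the app's own user record at sign-in gives a stable value to compare against on later API calls made with that token.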
I'm developing a social network. Users may register and share their Twitter username (if they want). Wherever the user posts a comment or other content, his username is displayed. I would like to display the follow #userTwitter button, if the user has set the Twitter account.
Now, everything works, the problem is to validate that the user is the owner of that Twitter account. Right now the user could be entering any valid Twitter account! Maybe using the Twitter API?
You can set your app up as a Twitter client; this way your user has to log into Twitter to authorize your app, thereby verifying their Twitter identity.
This is a couple years old but might be enough to get you started:
http://www.1stwebdesigner.com/tutorials/twitter-app-oauth-php/