I'm trying to create a smoother video scheduling system for myself to publish my videos on time. The current system uses AutoHotkey to grant access for the script by navigating the account select page. I'd like the script to be able to get access on it's own.
It is written in PHP and uses the Google client library for PHP.
The problem I've encountered is that I can only get permanent access using my main google account (which gets a refresh token), but this account doesn't have access to my youtube account, and can't see private videos.
When I select the youtube account it has access to the videos, but does not get a refresh token, just an access token which expires after 1 hour.
The script is currently using client details from the developer console to get access. I've also tried using a service account, but haven't been able to get it to work.
There the issue there is that I don't know how to impersonate the youtube account, only the main account, which don't have access to the videos.
I finally managed to figure this out. Hidden in the Google Plus settings for my youtube channel account is a "username" for the account.
things#pages.plusgoogle.com
Using this as the impersonation target for the service account allowed it access to the channel, allowing it to publish videos!
I stumbled upon this quite by accident. Nowhere did I find any documentation on how to do this. Bah google.
Related
I am creating an application which aims at automatically creating Spotify Playlists in a central Spotify account (not the account of the end users).
I have set up this account and created the developer app for the secret and the client_id.
On the backend side, I am using PHP to authorize this central user, and it is working as long as I am logged in myself with that account.
Users that visit my website should be able to create playlists via that interface through the Spotify Web API without the need to authorize their account nor being logged in at all.
If I'm trying to open the same page on a separate device (without having any account logged in), it just gives me the following error:
User not registered in the Developer Dashboard
Is it somehow possible to perform this authorization process only on the backend side without the need for the user to authorize it?
Eventually, I want to send the playlist URL created in the central Spotify Account to the user who can open it in their own app or share with others, if they want to.
I try to avoid that multiple users must authorize for my app, since I don't need to access personal information from their account, anyways.
I used the 3-step process for authorization as described in this Stackoverflow Post: Spotify oauth2 with PHP curl. How to get authorization code?
If necessary, I will provide more information.
Do you have any idea, how I can implement this authorization process for the single account on the backend side, without the user even showing any authorization process of the Spotify Web API at all?
EDIT1: I am not trying to login on the behalf of my users, just automatically for my own account without the interactive login with Spotify. Is that even possible?
I received valuable feedback from the Spotify Developer Community that helped me finding a solution to the problem.
When you let the central Spotify account login to your app, you'll [get] an access_token (that will expire in 1 hour) and a refresh_token.
When the access_token of that account expires, let your server send a POST request to the Accounts service /api/token endpoint, but use the refresh_token in place of the access_token.
A new access_token will be returned.
A new refresh_token might be returned too. (I don't think that's even needed)
You can read more about it here.
I'm trying to build a dashboard using Google Analytics Reporting API, in order to create reports for my company's clients.
The problem is that I need to create reports using a cronjob, but this requires an authentication. I tried the following approaches :
1. Using the API for web applications :
I managed to make this work, but the OAuth2 process forces me to authenticate into Google by redirecting me to the Google login page. Once logged in, the token is created and my report is generated. But I couldn't find a way to authenticate automatically without a user intervention (i.e. filling the Google login form)
2. Using the API for service accounts :
With this solution, I am able to create reports without manually logging into Google, which is awesome. But this method requires me to add the service account to the Google Analytics account, by adding the newly created user XXXXXXXX#PROJECT-ID.iam.gserviceaccount.com to each of the Google Analytics view I wish to access. I can't do that, as some of the views I'm trying to access are managed by my company's clients and I can't ask each of them to add yet another Analytics user.
I need to be able to access the Analytics views using the user e-mail already configured. I tried to add this address as the owner of my service account in the Service Accounts Manager, but no luck (see screenshots hereafter).
Is there any way I can either use the API for web applications with a static token (i.e. without having to manually log into Google), or use the API for service accounts without having to add the Google-created user in each of my Analytics views ?
I'm at a loss here, so any advice will help.
Due to the fact that you don't have control of all of the accounts as you said you wont be able to use a service account.
There for you will have to use Oauth2. Someone will have to authenticate your application the first time. Once access has been granted the first time you will be given an access token to access the API and a refresh token. If you store this refresh token you will then be able to request a new access token from your cron job when ever you like in order to run your reports.
The trick is saving the refresh token associated with each users account. Your clients will have to authenticate the application to grant you access. You store the refresh token. The refresh token shouldn't expire (there are a few reasons why one might) you will be able to gain access when ever needed.
Note: You can also place the service account email at the account level will give you access to everything. But this wont help you with clients you don't have access to.
Update:
Refresh tokens will not expire except under:
A refresh token not used for 6 months will also expire.
users can go to App settings on there google account and revoke your access at anytime.
A user can re-authenticate your application (same client id) 26 times giving you 26 different refresh tokens, after number 26 the first refresh token will expire. You can only have 26 working refresh tokens for a single user. Make sure you always save the newest refresh token.
As far as I know, the intended method for cron jobs is to use API for service accounts, just as you have described. However, it seems to be an expected and appropriate behavior, that you cannot access a random view just by providing its ID with your service account, without prior authorization from the owner of the view. Without this settings, Analytics will not know about your relationship to your client, and therefore refuse access to data.
I'm not sure, if it is supported, but you could try to add your service account on property or Analytics account level, so that all connected views inherit this setting.
I have a system I use to publish my videos according to a schedule, as well as manage the video data (tags, descriptions etc).
This system uses the PHP client library to access my YouTube account via a service account. My YouTube account is an old account (pre google buying youtube) and is hung onto the side of my main google account, thus accessing it requires impersonating it, since my main account has no videos.
I managed to work out how to do this (See: Granting permanent access for youtube account through Youtube API) after a lot of reading and testing and stumbling around.
Now, this has stopped working. Attempting to authenticate with the impersonate address included yields an unauthorized_client error. Not including it works, but like I said, doesn't return any videos.
I've read things suggesting I now need to give access to this account.
In console.developers.google.com/permissions/serviceaccounts I've added it to the permissions as an owner and Service Account Actor, but this has done nothing. I have also enabled Google Apps Domain Wide Delegation for no result.
Other documentation suggests I need to enter the Admin Console at admin.google.com to authorize the account, but I cannot access this page since it apparently requires a Google For Work account which I don't have and don't know how to get.
I'm at a loss for what I need to do to grant my account access to my own account.
Here is a paste of my auth code (with sensitive data removed of course): http://pastebin.com/RCdY8mX6
Scenario:
Someone comes to my website and they see a file select field. They select the file and upload the file to MY Google Drive account.
Problem:
In looking at the Google Drive SDK docs I see that it uses OAuth for authentication, but I don't need to authenticate the user because they are uploading to MY Google Drive account. I'm aware that I need to register my application with Google, etc. but I'd like to know if I can upload without authorizing the user with OAuth the typical way (sending offsite or modal window to validate w/ redirect URL).
Is this possible to do? I'm using PHP.
You have two options:-
Use a Service Account. The files will be uploaded to the account of the Service Account
Use a regular Google account. For this option, you (as the account owner) will need to do a one-off auth to get a refresh token, which you will store. You can then use this any time to generate the access token needed to invoke the actual Drive API. You can generate the refresh token using the Oauth Playground, so no need to write any code.
See How do I authorise an app (web or installed) without user intervention? (canonical ?)
I'm writing an iPhone app which works against my own server.
Basically, it's a forum where users can post. I don't want users to sign-in for an account on my server but I rather prefer them to login using any existing account they have: Facebook, Linkedin, Foursquare, etc.
So from the app itself, I want them to be able to login using their existing account which will then allow them to post on the forum.
My question is that: when a user is posting a message, how can I verify whether or not he is logged in with any service? I need to validate it both on the client and server side. I plan on writing the server side using PHP.
Thanks
See this question for a similar discussion (just limited to Facebook sign on). Here's a high-level overview of what should happen (taken from that discussion I linked to):
User opens the app on the phone. Chooses a service with which to authenticate.
Authenticates via one the available services (Facebook, Twitter, foursquare, etc.) and gets some special access token.
Your app takes the token and sends it to your server.
Your server receives the token and validates it. It checks it against the service's API and (at least for Facebook and Twitter) get the corresponding user ID.
Assuming a valid ID, your server checks if user ID has already been used by some user. If so, it logs them in. If the user ID hasn't been created, your server creates its own user record associated with that user ID and logs the user in. In either case, the user ends up logged in and your server issues a session key to your app.
The session key is used for all further communication between your app and your server until the user logs out.
On the phone, you're going to want some OAuth library to allow users to authenticate with another service. You'll probably want to use the Facebook iOS SDK to allow them to use Facebook and use one of the suggested OAuth libraries here for your other authentication services. I have only used the Facebook SDK, so I can't speak as to the general OAuth libraries.
Once logged in, the phone should not store the access token, only the session key.
Assuming that users can use more than one service to access their account, you will also want some way of connecting two services to the same user (probably by email address).
It's up to you to decide how your app and your server communicate. I'd go for a JSON+REST API for communications with the server.
Another option to get your users to login using multiple services is Socialize (www.getsocialize.com). It's an open source SDK that manages your users and authentication so you don't have to implement all the steps that cbrauchli has outlined above.
I was exploring if better/easy to use/implement options exist in 2020 using third party libraries to allow login with social accounts. And found two options:
AuthorizeMe - https://github.com/rubygarage/authorize-me & https://rubygarage.org/blog/authorizeme-ios-libary
Auth0 - https://auth0.com/learn/social-login/ & https://auth0.com/blog/using-centralized-login-to-add-authentication-to-your-ios-apps/
AuthorizeMe supports:
Facebook
Twitter
Google
Instagram
LinkedIn
plus custom providers
Auth0 supports:
Facebook
Twitter
Google
Microsoft (Windows Live)
Yahoo
Instagram
Amazon
LinkedIn
Github
PayPal
vKontakte
Yandex
Box
Baidu
Ren Ren (Xiaonei)
Weibo
Shopify
Wordpress
Yammer
SoundCloud
and custom providers as well
Disclaimer: I am not affiliated with Auth0 or AuthorizeMe.