Previously I had a working php script that uses the Zend_Gdata_ClientLogin Object to authenticate and make requests on my behalf to delete videos from my YouTube channel. Apparently, this has been deprecated because I get an error and read this: zend gdata and google spreadsheet not connecting
And I get an error which says no longer available. So I've been researching how to use YouTube API v3. Initially I created a service account via the Google developer console.
However I found this
YouTube API v3 with OAuth2: update and delete fail with "Insufficient Permission" error
Which states:
For the uninitiated, the YouTube Data API (v3) does not support
"service accounts,"
And I need to manually obtain a refresh token, to make requests?
Is this still the case? Surely, there must be an easier way to make authenticated requests to the YouTube API where the only client is my server?
If this is still true, how long will the refresh token work? Is this the best practice?
You can check out the documentation to see the most up to date way to request the access token. When the access token expires, your application can refresh it by sending a POST request to Google's authorization server using the refresh token. You only need to get this refresh token once in order to refresh your access token, not every time you want to make authenticated requests, if that's what you were thinking.
The refresh token should be valid unless:
The user has revoked access.
The token has not been used for six months.
The user account has exceeded a certain number of token requests.
There is currently a 25-token limit per Google user account, so if your application requests too many refresh tokens, it may run into this limit and older refresh tokens will stop working.
I can't speak as to whether this is the best way of doing it, but I assume the developers chose this way for a reason.
Related
I am creating an application which aims at automatically creating Spotify Playlists in a central Spotify account (not the account of the end users).
I have set up this account and created the developer app for the secret and the client_id.
On the backend side, I am using PHP to authorize this central user, and it is working as long as I am logged in myself with that account.
Users that visit my website should be able to create playlists via that interface through the Spotify Web API without the need to authorize their account nor being logged in at all.
If I'm trying to open the same page on a separate device (without having any account logged in), it just gives me the following error:
User not registered in the Developer Dashboard
Is it somehow possible to perform this authorization process only on the backend side without the need for the user to authorize it?
Eventually, I want to send the playlist URL created in the central Spotify Account to the user who can open it in their own app or share with others, if they want to.
I try to avoid that multiple users must authorize for my app, since I don't need to access personal information from their account, anyways.
I used the 3-step process for authorization as described in this Stackoverflow Post: Spotify oauth2 with PHP curl. How to get authorization code?
If necessary, I will provide more information.
Do you have any idea, how I can implement this authorization process for the single account on the backend side, without the user even showing any authorization process of the Spotify Web API at all?
EDIT1: I am not trying to login on the behalf of my users, just automatically for my own account without the interactive login with Spotify. Is that even possible?
I received valuable feedback from the Spotify Developer Community that helped me finding a solution to the problem.
When you let the central Spotify account login to your app, you'll [get] an access_token (that will expire in 1 hour) and a refresh_token.
When the access_token of that account expires, let your server send a POST request to the Accounts service /api/token endpoint, but use the refresh_token in place of the access_token.
A new access_token will be returned.
A new refresh_token might be returned too. (I don't think that's even needed)
You can read more about it here.
The scenario
So I am building an app that should display data from my Xero account to the users. Users should not be able to login via OAuth2 to my web app so that's why I need persistent auth token that is independent from the users login. The current API authentication implementation from Xero does not allow that and the token expires in 30 minutes so I need a way to do this somehow in the background or with any kind of persistent token (which is not available as I can see in their docs for Auth)
Stack
I am using Laravel with the package Xero Laravel and this one's using the XeroPHP package in its core as dependency. Currently I am using Postman to do refresh token requests and I am adding the token manually (for testing purposes of course). This should not be the case when it goes on production, though. So I need a way to somehow "store" or refresh the token globally for the whole app and using only my account as an Authorization to Xero.
Problem summary
My web app need to fetch data (invoices data in particular) from my Xero account and no OAuth tokenization is required for the users (since I am using the native Laravel Auth for this purpos) that are going to read this data in a GUI.
How should I accomplish this without OAuth2 (if there is any way) or how I can do this if only my account is the "global" one for the app?
The other comments are correct that there is an initial required step to have the user that you are calling API endpoints on behalf of to authorize your API application.
Once you have their valid token_set ( access_token, refresh_token, expiry, etc.. ) you can store that securely and continue making offline_access api calls on their behalf. Note that you must programmatically refresh the token_set at least once every 60 days for it to remain valid.
I'd also recommend checking out the Xero supported libraries for help getting started quickly:
https://github.com/XeroAPI/xero-php-oauth2
https://github.com/XeroAPI/xero-php-oauth2-starter
Thanks to #droopsnoot for linking the video explaining how this works:
https://www.youtube.com/watch?v=Zcf_64yreVI
I need to use Quickbooks online API to synchronize data between my system and my client's accounts on quickbooks.
I need to know if is it possible to complete the oauth2 authorization flow and make API calls without human interaction (without the need to interact with Intuit's authentication and authorization windows)?
I read the Intuit's docs on: https://developer.intuit.com/docs/0100_quickbooks_online/0100_essentials/000500_authentication_and_authorization/connect_from_within_your_app
On the first step, I made a GET request to:
https://appcenter.intuit.com/connect/oauth2?client_id=MY_ID&scope=com.intuit.quickbooks.accounting&redirect_uri=https%3A%2F%2FMY_NGROK_URL.ngrok.io%2FOAuth2PHPExample.php&response_type=code&state=RandomState#/Authorize/COMPANY_ID
Then, the Intuit's authentication and authorization windows opens and I need to put my username and password and then, click in the authorize button to get the authorization code.
Is there a way to obtain the authorization code without authenticate and authorize?
I need to automate this task to make API calls in the backend with PHP.
Thanks,
Marcelo.
Is there a way to obtain the authorization code without authenticate and authorize?
No... but read below.
I need to automate this task to make API calls in the backend with PHP.
You are misunderstanding how OAuth (either 1 or 2) works.
The very first time you connect you will be prompted to authenticate/authorize access to the QuickBooks Online data.
You are then given a refresh token (or access token depending on if you're using OAuth2 vs. OAuth1).
You then store that refresh token (or access token for OAuth1) and can use that token going forward to make your requests, unattended, without requiring the user to be involved at all.
Key take-away: You only need the user involved the VERY FIRST TIME you connect, and then never again.
I created a web application which will show all private videos of only one account.
Now I have to authenticate the account to get list videos. I saw 2 ways to authenticate by ClientLogin and Oauth. Which ClientLogin is deprecated and don't know how to use Oauth to authenticate the default account on server.
I have client_id and client_secret for my app.
I try this example but not working and i don't know what in $get['code'] and how can I put username and password of this account when using OAuth not ClientLogin.
It's pretty simple.
You can follow the steps at How do I authorise an app (web or installed) without user intervention? (canonical ?) to get a Refresh Token. At Step 8, choose the YouTube API instead of Drive API. Try to choose the most restrictive scope, eg. readonly. You can embed the Refresh Token (securely!!!!) in your app and then use it at any time to generate an Access Token. Thus the stored Refresh Token behaves like a username/password with restricted permissions.
Ask you have stated clientLogin is shut down you can not access any Google api using Login and Password. Your application needs to be authenticated
The thing you need to know about the YouTube API is that it does not support service accounts. You will have to use Oauth2. I am not a PHP developer but I have done this previously in C#. What you want to do is possible just a little tricky.
First off as I said you need to use Oauth2. I am hoping that this example is reasonably up to date if not the one for Google analytics is you may have to compare them a little.
Your script will need to be authenticated once using Oauth2. Then by requesting
$client->setAccessType("offline");
you will receive a refresh token. You will then be able to use this refresh token in your script on the server at anytime to request a new access token and access YouTube for that channel.
I'm using OAuth 2.0 Google API for google calendar service authentication. Each time when a users logs in the application, it prompts for Allow access even if the user has already allowed access on previous visits to the application.
How can I code it so that it remember the application and user for allowed access by users in past and so do not prompt for "Allow access" again for that same application.
I assume you are using Google PHP API. Setting client object to use auto for approval promt does the trick for me.
$client = new apiClient();
$client->setApprovalPrompt('auto');
When making the OAuth request make sure your "access_type" request:
"access_type" : "offline"
This means the user gives you offline access, and you can continue to make requests with their account.
Using offline also means you'll receive a "refresh_token". Once your access has expired, your application can automatically trade in the "refresh_token" for continued access, without the client having to "allow" again.
$client->revokeToken($accessToken);
If you are using this line somewhere then removing it might help.
Basically what I've figured out is that if the access token is revoked prior to it's expiration, google takes it as an act to reset the permissions as well.
I might be wrong, but I've have not come across a better conclusion yet.