1

I'm a first-time user of the YouTube API and have been following the documentation. However, the doc is very unclear when it comes to non-basic functionality, and there don't seem to be other docs for me to check in order to answer my own query.

Let me explain:

I've implemented the basic auth/token example provided at https://developers.google.com/youtube/reporting/guides/authorization/server-side-web-apps#example and it works well.

Now, assuming the access token is stored in a database rather than the session (for later use in "offline" data retrieval)...my question is:

How do I check whether the user has revoked access to my application, presumably via his/her account settings? What happens if it is revoked in this way and I try to use the (now invalid) access token offline?

UPDATE

Unfortunately it doesn't seem to be returning An error occurred: { error: invalid_grant, error_description: Token has been expired or revoked. }

The raw error being returned is

Uncaught exception 'Google_Service_Exception' with message '{ "error": { "code": 401, "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", "errors": [ { "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", "domain": "global", "reason": "unauthorized" } ], "status": "UNAUTHENTICATED" } }

Which can be caught, but is highly weird. I do not have invalid credentials as the error indicated...I have no authorisation!

The documentation is seriously lacking on this.

My Game Reach

2 Answers

1

If the user revokes permission to your app and then there is an attempt to use the (now invalid) access token, the message An error occurred: { error: invalid_grant, error_description: Token has been expired or revoked. } will be returned.

The correct way to proceed is to check if that error is returned and, if so, redirect the user to authenticate again so a new access token is generated and access is properly granted. Take for example the following logic:

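try {

    // request the service

} catch (Exception $e) {

    // the returned message wraps the description in more text (and ends with a period),
    // so match a substring instead of comparing the whole message
    if (strpos($e->getMessage(), "Token has been expired or revoked") !== false) {
        // redirect user to authenticate again
    }
}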
Morfinismo
0

A way to check if it's revoked:

// somewhere in your code where you set the client() token
// ...
// $accessToken has the value of the previously saved token (the one we don't know yet it is revoked :( )
// set the token
$client->setAccessToken($accessToken);
// refresh the token
$accessTokenRefreshed = $client->fetchAccessTokenWithRefreshToken();
// if the token array has an 'error' element, then the token is invalid
if (isset($accessTokenRefreshed['error'])) {
    echo "Error: ".$accessTokenRefreshed['error_description'];
    // should display: "Error: Token has been expired or revoked."
}
//...
guillefd
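The two error shapes quoted in this thread can be told apart before deciding what to do with a stored token. The following is an added example, not code from either answer; `classifyRefresh()` and `classifyApiError()` are hypothetical helper names, the inputs are constructed to match the errors shown above, and it assumes the exception message is the JSON body as quoted in the question.

```php
<?php
// Added example (not from the original posts). classifyRefresh() and
// classifyApiError() are hypothetical helper names.

// Takes the array returned by $client->fetchAccessTokenWithRefreshToken(),
// as used in the second answer.
function classifyRefresh(array $result): string
{
    if (!isset($result['error'])) {
        return 'ok';                 // a new access token was issued: persist it
    }
    // invalid_grant: the grant is gone (revoked or expired), so the stored
    // tokens are useless and the user has to consent again
    return $result['error'] === 'invalid_grant' ? 'reauthorize' : 'retry_later';
}

// Takes the JSON body carried in Google_Service_Exception::getMessage(),
// as quoted in the question.
function classifyApiError(string $message): string
{
    $body = json_decode($message, true);
    $code = is_array($body) ? ($body['error']['code'] ?? null) : null;
    // A 401 only says the access token was rejected; it does not say why.
    // Attempt a refresh to find out whether the grant itself still exists.
    return $code === 401 ? 'refresh' : 'other';
}

// Constructed inputs, shaped like the errors quoted on this page.
$apiMessage = '{"error":{"code":401,"message":"Request had invalid '
    . 'authentication credentials.","status":"UNAUTHENTICATED"}}';
$revoked = [
    'error' => 'invalid_grant',
    'error_description' => 'Token has been expired or revoked.',
];
$fresh = ['access_token' => 'constructed-value', 'expires_in' => 3599];

// Offline job flow: API call fails with 401, refresh is attempted,
// and the refresh result decides whether the stored token is dead.
$action = classifyApiError($apiMessage);
if ($action === 'refresh') {
    $action = classifyRefresh($revoked);
}
echo $action, PHP_EOL;
echo classifyRefresh($fresh), PHP_EOL;
```

On `reauthorize`, an offline job should delete or flag the stored token row and stop retrying, since no further request with that token can succeed until the user grants access again.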