5

I am a little confused regarding developer console functioning.

I have a project in which I access YouTube Data API v3. I have created my project and got 4 keys:

  1. Browser Key
  2. Server Key
  3. Web Client OAuth2.0 Client ID Secret Key
  4. Android Key

Out of these, the first three are autogenerated by the Google service. I generated the Android key by giving the SHA-1 fingerprint of the project. I have the following questions which I don't seem to get answered:

  1. Why do I get the first three auto-generated? I don't work on backends, so just out of curiosity, what if a client uses the server key instead of the browser key? Any difference?

  2. I guess SHA-1 is used to work like public key cryptography. Does it depend only on package and development environment? I have not used keytool for this but done it directly with the SigningReports functionality in Studio. What exactly are the parameters on which the fingerprint depends? I created a new SHA-1 by deleting the debug keystore. Android Studio automatically regenerates the debug keystore. Also, how exactly does this cryptography work?

  3. My iOS colleague is able to get access and refresh tokens without a secret key. AFAIK, for OAuth2.0 we need to get an auth token, use it with client id, secret key and API key to get access and refresh tokens. How do they do it? Also, what role does the secret key play here?

  4. Most importantly: I have different API KEYS in my project. One in google-services.json is different and in

youTubePlayerFragment.initialize(API_KEY, new YouTubePlayer.OnInitializedListener()

is different!! Still it works. How??

Rushi M Thakker
  • 1
    DownVoters please provide explanation? I think this is a perfectly valid question from a noob like me. I surely don't expect to get all details from a single person because it is from various fields. But you can at least contribute what you know so that it will be helpful for future visitors. – Rushi M Thakker Jul 06 '17 at 12:09

3 Answers

1

Answer 1:

The difference between Server keys and Browser keys from developer console

Server keys:

Create and use a server key if your application runs on a server. Do not use this key outside of your server code. For example, do not embed it in a web page. To prevent quota theft, restrict your key so that requests are only allowed from your servers' source IP addresses.

Browser keys:

Create and use a browser key if your application runs on a client, such as a web browser. To prevent your key from being used on unauthorized sites, only allow referrals from domains you administer.

Answer 2:

It will work with keytool and SigningReports functionality too.

Answer 4:

You can use multiple API keys, and it's possible when you have enabled the API key in the Google developer console and then use the API keys in your project at projectroot/yourapp/src/debug/AndroidManifest.xml, e.g.:

<!-- Google Maps API Key -->
<meta-data
    android:name="com.google.android.maps.v2.API_KEY"
    android:value="******************" />

<!-- Google Places API Key -->
<meta-data
    android:name="com.google.android.geo.API_KEY"
    android:value="******************" />
  • I still didn't understand the answer to the first question, but as it is of less priority, I am not discussing it. I have edited my question because I think there was a misunderstanding regarding the second question. As for your answer to the 4th question, I thought google-services.json contained keys for all APIs corresponding to that project. Why does it then have only one key? – Rushi M Thakker Jul 12 '17 at 13:22
1

Your request to YouTube happens via Google Play Service. You embed an OAuth2.0 token into your request. The OAuth2.0 token further carries your particular type of Android key. Different Android keys are Server, Browser, Android, iOS etc.

OAuth is associated with your user authentication. OAuth further carrying an Android key lets Google Play Service -- Google Play Service reads information in Google Developer Console -- decide which particular type of device (e.g. iOS, browser, Android) is asking the YouTube server.

If you are in an Android device, you don't need Browser and Server keys.

https://developers.google.com/youtube/android/player/register

Uddhav P. Gautam
1

Correct me if I'm wrong.

  1. Browser key: Let's say you have a website and from there you want to consume the YouTube API.

    Server key: Let's say you build your own backend API for your app and it needs to consume the YouTube API.

    Android key: Let's say you also have an Android app and it needs to consume the YouTube API.

    You can track each consumer of the API separately with different keys. You can interchange them (not sure), but that will just mess up the tracking.

  2. SHA depends on the keystore (debug/signed), and every system has a unique debug keystore. You can create your own signed keystore.

  3. What is the Access Token vs. Access Token Secret and Consumer Key vs. Consumer Secret I think applies to any OAuth

  4. Well, the YouTube API, Google Maps API or any other API are independent services. We need to track them separately, so we have a different API_KEY per service per consumer (explained in 1).

Note: By tracking I mean like API quota, hits per second, etc

mthakuri
  • I understand that SHA-1 is unique and depends on the keystore, but to be precise, my question is how it is different on different machines. With what things is the keystore generated, and how is it used to generate the API key and the whole auth mechanism? I have heard of keytool (part of the JRE). Also I have heard about other tools like OpenSSL and others but have no clear idea. Please look at my comments on @shweta porwal's answer regarding 4. And yes, I later read about 3. Thanks – Rushi M Thakker Jul 19 '17 at 04:50
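
An added example, not part of any answer above and not Google's implementation: a simplified model of the three key restrictions quoted in the first answer (source IP, referrer domain, Android package plus fingerprint), and of the point that the SHA-1 fingerprint is a hash over the signing certificate, so a regenerated debug keystore produces a different one. The function names, domains, IP ranges, package name and certificate bytes are all constructed for illustration.

```python
import hashlib
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlparse

def cert_fingerprint(der_bytes):
    """SHA-1 over the DER-encoded signing certificate, in keytool's AA:BB:... form."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def key_allows(restriction, request):
    """Return True if the request satisfies the key's restriction (simplified model)."""
    kind = restriction["kind"]
    if kind == "server":   # source IP must fall inside an allowed network
        ip = ipaddress.ip_address(request.get("source_ip", "0.0.0.0"))
        return any(ip in ipaddress.ip_network(n) for n in restriction["networks"])
    if kind == "browser":  # referrer host must match an allowed domain pattern
        host = urlparse(request.get("referer", "")).hostname or ""
        return any(fnmatchcase(host, p) for p in restriction["domains"])
    if kind == "android":  # package name AND certificate fingerprint must match
        return (request.get("package") == restriction["package"]
                and request.get("fingerprint") == restriction["fingerprint"])
    return False           # unknown restriction type: deny

# Constructed stand-ins for the DER bytes of two debug certificates: the one
# registered in the console, and the one created after the keystore was deleted.
OLD_DEBUG_CERT = b"constructed-der-bytes-of-first-debug-certificate"
NEW_DEBUG_CERT = b"constructed-der-bytes-after-keystore-was-deleted"

SERVER_KEY = {"kind": "server", "networks": ["203.0.113.0/24"]}
BROWSER_KEY = {"kind": "browser", "domains": ["example.com", "*.example.com"]}
ANDROID_KEY = {"kind": "android", "package": "com.example.player",
               "fingerprint": cert_fingerprint(OLD_DEBUG_CERT)}

def demo():
    phone = {"source_ip": "198.51.100.7", "package": "com.example.player"}
    old, new = cert_fingerprint(OLD_DEBUG_CERT), cert_fingerprint(NEW_DEBUG_CERT)
    return {
        "server_key_from_phone": key_allows(SERVER_KEY, phone),
        "server_key_from_backend": key_allows(SERVER_KEY, {"source_ip": "203.0.113.10"}),
        "browser_key_own_site": key_allows(BROWSER_KEY, {"referer": "https://www.example.com/watch"}),
        "browser_key_other_site": key_allows(BROWSER_KEY, {"referer": "https://example.com.other.test/"}),
        "android_original_keystore": key_allows(ANDROID_KEY, dict(phone, fingerprint=old)),
        "android_regenerated_keystore": key_allows(ANDROID_KEY, dict(phone, fingerprint=new)),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

In this model a server key restricted to backend IP ranges is denied when a phone presents it, and the Android key stops matching once the debug keystore is regenerated until the new fingerprint is registered. The referrer and the package/fingerprint pair are values the client sends, so treat any key shipped in an app or web page as public and keep server keys on the server.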