4

In the select scope screen for YouTube Data API v3 you can select the following scope:

Scope risk API Scope User-facing description?
(non-sensitive) YouTube Data API v3 .../auth/youtube.download Download your public YouTube videos

To me, it sounds a lot like the API would allow users to download some videos. Since it's a non-sensitive scope, it doesn't even need verification. But as far as I can tell, the API neither supports nor allows downloading videos, not even your own. Then what is this scope for? Can I use it, and if so, how?

August Janse
  • 290
  • 1
  • 6
  • 18
  • Interesting, I would have thought this would have been for authenticated users and allows for downloading the user's videos, the same way its done in YouTube Studio - are you sure it doesn't require any sort of user auth? – Skully Mar 02 '21 at 00:21
  • @Skully No, the scope is for OAuth, so a user would need to identify himself. I agree that it sounds a lot like downloading your own videos in the UI. – August Janse Mar 02 '21 at 08:12
  • You can check for yourself by creating a new Google API Console project, enabling the API for the project and creating a new app by clicking the 'OAuth consent screen' menu option. – August Janse Mar 02 '21 at 08:15

3 Answers3

2

I have confirmed that the scope does indeed show up in the Google sign-in that's shown to users.

Google OAuth form with the 'Download your public YouTube videos' scope

However, it does not grant access to resources that are available to the .../auth/youtube.readonly scope, which seems to be the scope with the lowest permissions otherwise.

I have also found that the scope is not in the official API reference, or in this list of scopes. As I have not been able to find any more information about the scope, we must assume in the absence of evidence that it cannot be used (by ordinary users) to access YouTube resources, downloading your own public YouTube videos or otherwise.

I can see this answer being improved by any of the following:

  1. A proof that it is in fact possible to access resources with the scope
  2. An official statement concurring with the answer
  3. A proof that shows systematically that none of the API endpoints accept the scope

EDIT: Before any points are confirmed officially by Google, it is important to note, that as per Developer Policies (as @stvar pointed in the comment)

Undocumented Services

You must not use undocumented APIs without express permission. You must access data from YouTube API services only according to the means stipulated in the authorized documentation of that YouTube API service.

You must not reverse engineer undocumented YouTube API services or otherwise attempt to derive the underlying source code of these API services.

dav
  • 8,931
  • 15
  • 76
  • 140
August Janse
  • 290
  • 1
  • 6
  • 18
  • The scope `https://www.googleapis.com/auth/youtube.download` is not to be found in any *official* documents specifying *official* API endpoints usage (pun intended!). Therefore *officially* there's not API endpoint should accept it. Therefore a proof as of pt. 3 is superfluous. – stvar Mar 05 '21 at 13:09
  • 1
    If, by chance, one finds some endpoint accepting this scope, then *officially* this is either a bug of the implementation, a bug of the documentation or an *undocumented API usage*. The latter alternative is forbidden to be employed by [DTOS](https://developers.google.com/youtube/terms/developer-policies), section III.D.7, *Undocumented Services*. Therefore, the pt. 1 is also invalidated. – stvar Mar 05 '21 at 13:09
  • Pt. 2 is invalid too: SO is not (cannot be) a place one should expect *official answers* to question pertaining Google's API. This latter company has its [own issue tracker site](http://issuetracker.google.com/) that is managed by own staff; thus answers (if provided) are as official as a *software developer* could expect. – stvar Mar 05 '21 at 13:13
  • I also think that your consequent (quote) *we **must assume** [...] that it cannot be used to access YouTube resources* to be a *non sequitur*: Google, by way of mistake, let this scope be seen by ordinary users, while (I'm only guessing here) the scope may well be valid under *undocumented APIs* that the company allows to be used (under *special documentation*) by *special clients* under *special conditions*. – stvar Mar 05 '21 at 13:19
  • @stvar I think it's an excellent point that the scope is confirmably *not* in [the API reference](https://developers.google.com/youtube/v3/docs). It didn't strike me but seems obvious in hindsight. I agree that that would make it some kind of bug. – August Janse Mar 05 '21 at 14:59
  • @stvar I agree that there's no real use trying the endpoints, but then again, if someone did, that would instill a great deal of confidence in that answer. The question as stated asks what the scope is and how it can be used. If it were shown to have a use, that would obviously answer the question, regardless of terms or bug status – August Janse Mar 05 '21 at 15:00
  • @stvar As for point 2, [the API docs](https://developers.google.com/youtube/v3/support) explicitly say that Google engineers *do* monitor and answer questions using these tags. But even if they didn't, that's not the only way to get an official answer. I didn't post an issue, but someone else might. If I got an official answer explaining how the scope came to be, that would certainly answer the *what* part of the question. – August Janse Mar 05 '21 at 15:04
  • For what concerns the claim the docs make about Google engineers monitoring [tag:youtube-api] and [tag:youtube-data-api]: that was true well in the past; but in my experience with these tags (say the last 3 years of continuous monitoring) and according to the experience of others (having much broader experience than I have), no, there's no SO user that acknowledges publicly to answer SO questions in Google's name (as an employee or only as an affiliate of that company). Moreover, SO is not a subsidiary of Google. – stvar Mar 05 '21 at 15:19
  • @stvar I have edited my answer to clarify what I meant, and I hope you would agree that this is a reasonable assumption. I bolded it because the other answer reads to me like the scope would allow a user like myself to download my public videos. – August Janse Mar 05 '21 at 15:19
  • 1
    AugustJanse @stvar thanks for the answer and the comments, I just edited the answer to include the important point about undocumented polices, and awarded the bounty, to me seems good enough ATM, until will contact google and get any official confirmation. Thanks guys – dav Mar 05 '21 at 16:22
1

I created an issue in the official tracker, reporting that the scope appeared but was undocumented. The response stated, however:

This is working as intended. It is not available for public use and therefore will not be documented.

In other words, the scope is intended to appear in the selection screen but cannot be used by ordinary users.

August Janse
  • 290
  • 1
  • 6
  • 18
0

Considering that the scope youtube.download does require OAuth, it is used for downloading videos of the authenticated user, though according to the description of the scope in the YouTube Data API, this seems to only be possible for public videos.

Image

So the clarification here is that whilst you cannot download any YouTube video, it does seem to be possible to just fetch the ones of the current OAuth user.

Skully
  • 2,882
  • 3
  • 20
  • 31
  • Thanks for your answer, but I don't really feel like it adds anything. I have edited the question to clarify my intents. – August Janse Mar 03 '21 at 07:39