1

I currently still use GAPI for a project that accesses the YouTube Data API with endpoints that require authorization.

Very briefly, this is the current implementation:

  1. User clicks "Log in with Google" in the frontend
  2. User can select his YouTube channel (this can either be the main account or any other account where the user is owner, e.g. brand accounts)
  3. Google returns the code, code is sent to backend, backend exchanges the code for a refresh token and the refresh token is stored for that specific YouTube account.

From then on, authorized requests can be made for that account. Now GAPI is being deprecated in place of Google Identity it separates authentication from authorization.

My problem is: I can only select the main Google Account during both authentication and authorization. I cannot see brand accounts or others channels I am the owner of. However I need to be able to select any of the YouTube accounts.

With GAPI the page for account selection shows "Select an account or brand account" - with Google Identity Services it is just "choose an account".

So now my theory is that I might be able to retrieve and store the refresh token for the main Google Account and then access all YouTube accounts connected to it.

  1. Is this correct?

If it is:

  1. When Google wanted to make login more fine granular, not being able to select only a limited number of YouTube accounts seems like a downgrade. Is there any way to counteract this?
  2. How do I know what YouTube accounts are linked to the main Google Account? It does not help to have access to all accounts, when I don't know which they are.

If it is not: How else can I select a specific YouTube account?

Edit:

Code

Regarding the implementation in the frontend: I use React with @react-oauth/google. You can find a preview of that hosted here which can be cloned from here.

Basically the idea would be to let a user log in to the application using the ID Token flow, which corresponds to the button on the left on the preview page. A logged-in user could then grant permission to any of their YouTube accounts, which would correspond to the "Authorization" button on the right.

To reproduce the problem, create a second YouTube account with your main Google Account. The goal would be to find any way to grant permission to query that account using the YouTube Data API.

user20418895
  • 11
  • 3
  • Please edit your question and include your code I would like to test it. IMO google did not think this change though properly but thats just my opinion. – Linda Lawton - DaImTo Jan 02 '23 at 16:33
  • The change feels a bit bumpy to me too from the beginning - although I agree with the change in general. Regarding code: I added links to an implementation that should make it possible to get ready looking into it more quickly than when I share my more complex example. Hope it helps and thanks. – user20418895 Jan 03 '23 at 08:24
  • welcome to stack please read [ask] you need to put an [example] here in your question code on third party sites can change in the future and effect the question – Linda Lawton - DaImTo Jan 03 '23 at 08:43
  • 1
    Thank you! I think this might have already helped to figure it out. Will report back. – user20418895 Jan 03 '23 at 09:45
  • I posted a minimal example as a response that contains the answer to the problem. Thanks for guiding me there. It is neither a problem with Google nor with the react library. – user20418895 Jan 04 '23 at 10:06
  • Did you ever find a good way to go about this? I'm trying to do the same thing, but I really don't want to ask the user for permissions each time they sign in. https://stackoverflow.com/questions/76086285/how-to-get-the-most-recent-scopes-access-token-from-a-google-oauth-refresh-token I'm not sure you can sign the user in without re-asking for scopes every single time. – Joe Apr 23 '23 at 17:59
  • Hi - yes. I solved my problem with the solution posted below. From the link you posted it seems like your problem is different. Will comment there. Edit: Can't. Not enough reputation... Could you outline what you are trying to achieve? You want people to be able to sign in using their YouTube Account? – user20418895 Apr 25 '23 at 06:15

1 Answers1

0

When trying to build a minimal example, I decided to ditch react and the third party library and use the plain gsi library:

   <!DOCTYPE html>
    <html>
      <head>
        <script
          src="https://accounts.google.com/gsi/client"
          onload="initClient()"
          async
          defer
        ></script>
      </head>
      <body>
        <script>
          var client;
          var access_token;
    
          function initClient() {
            client = google.accounts.oauth2.initTokenClient({
              client_id:
                "<your-client-id>",
              scope: "https://www.googleapis.com/auth/youtube.readonly",
              callback: (tokenResponse) => {
                access_token = tokenResponse.access_token;
              },
            });
          }
          function getToken() {
            client.requestAccessToken();
          }
          function revokeToken() {
            google.accounts.oauth2.revoke(access_token, () => {
              console.log("access token revoked");
            });
          }
        </script>
        <h1>Google Identity Services Authorization Token model</h1>
        <button onclick="getToken();">Get access token</button><br/><br />
        <button onclick="revokeToken();">Revoke token</button>
      </body>
    </html>

When I removed the YouTube scope I could not see the YouTube accounts. I then checked the request I made with @react-oauth/google and it turned out that it did not contain the scope in the request it made. This does not seem to be a problem in @react-oauth/google but in my application.

Summary:

  • Make sure to pass the YouTube scope if you want to see YouTube accounts
  • Check the request that is actually being made in the dev tools
user20418895
  • 11
  • 3