Hello, it's me.
For authentication: we always say "authentication" when logging in to an API. I think it's because that is what gets us authenticated to use the endpoints.
🤔
When you make any request with an HTTP verb and an address (and more), you can send HTTP headers along with it. Usually the access_token goes in a header, because that is reasonably safe: unlike a query parameter, it does not end up in browser history, referrer headers or the usual server access logs.
HTTP verb: DELETE
URL (the address): https://www.googleapis.com/youtube/v3/playlistItems
HTTP header: "Authorization: Bearer i-am-access-token"
I send these three and successfully delete a playlist item from a playlist. For the rest of this post I will tell you how to get the access_token.
- User sends a request to get a token.
- Internet gives the user the token, and following requests of the user are authenticated.
If it were that simple, then how would you authenticate the user who asks for the token? The above is not the way we do it. These are the actual steps (the OAuth 2.0 "authorization code" flow):
- The app sends the user's browser to Google's authorization page, with a redirect address "redirect_uri", the app's client_id, and the scopes it wants.
- The user logs in with the id and password of their Google account and approves the requested scopes.
- Google redirects the browser back to the redirect_uri with a short-lived "code" (a random-looking string, so nobody can guess it).
- The app's server sends another request (a POST to Google's token endpoint) with that "code" and the app's client secret.
- Google gives the app the token.
Yes, all of the above has to happen to get that token! The app should exchange the code quickly, because it expires soon (RFC 6749 recommends a lifetime of at most 10 minutes, and in practice it can be much shorter) and it is invalid after one use. The app has to keep the access_token somewhere, because it is needed for the "Authorization" header in most requests it will send to the API. One more caveat: an access_token from Google only lives about an hour. If you also ask for "access_type=offline" you get a refresh_token, which is the long-lived secret you actually store, and which you use to fetch a fresh access_token when the old one expires.
And what else:
- The address "redirect_uri" should be registered ahead of time (Google will only redirect to an address on the app's registered list, so a stolen code cannot be sent to an attacker's site).
- You can send "scope" in the request so that it can use a certain part of the API. The scopes should be enabled ahead of time.
- Your app itself should be registered. YouTube / Google calls that an "API Client" and gives it a client_id and a client_secret.
- When you save the token in the database or anywhere else, it should be "encrypted" to be safe.
- The scope has to be approved by the user when they log in with their id and password (this happens on Google's login page; do not log in if you do not trust the app).
Yes, as a developer, you have to write code for all that. But you also have to be trustworthy, because otherwise few users will let you save their tokens in the database of the server you are maintaining. Please take care of your server and database, and do not let other people steal the token data. Do not forget to encrypt the tokens.
Do not lose the decryption secret, and do not keep it in the same database as the encrypted tokens.
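As an added example (my own code, not from the original post or from the Yt gem) here is one way to do the "encrypt the token before saving it" step in Ruby with AES-256-GCM from the standard OpenSSL library. The key, the sample token and the user id are all constructed for the example; a real app would load the key from an environment variable or a secrets manager, never from the database that holds the ciphertexts.

```ruby
require "openssl"
require "securerandom"
require "base64"

# Hypothetical key source: in production this comes from an env var or a
# secrets manager, not from the database that holds the encrypted tokens.
def generate_token_key
  SecureRandom.random_bytes(32) # 256-bit key for AES-256-GCM
end

# Encrypt a token for storage. Returns one Base64 string that packs
# nonce | auth tag | ciphertext. The user id is bound as additional
# authenticated data (AAD), so a ciphertext copied into another user's
# row fails to decrypt instead of handing that user someone else's token.
def seal_token(key, token, user_id)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  nonce = cipher.random_iv            # fresh 12-byte nonce per token; never reuse with the same key
  cipher.auth_data = user_id.to_s
  ciphertext = cipher.update(token) + cipher.final
  Base64.strict_encode64(nonce + cipher.auth_tag + ciphertext)
end

# Decrypt a stored token. Raises OpenSSL::Cipher::CipherError if the blob
# was tampered with or belongs to a different user id.
def open_token(key, blob, user_id)
  raw = Base64.strict_decode64(blob)
  nonce      = raw[0, 12]
  tag        = raw[12, 16]
  ciphertext = raw[28..-1]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = user_id.to_s
  cipher.update(ciphertext) + cipher.final
end

if __FILE__ == $0
  key  = generate_token_key
  blob = seal_token(key, "ya29.example-access-token", 42) # constructed sample token
  puts "stored: #{blob}"
  puts "decrypted: #{open_token(key, blob, 42)}"
end
```

GCM gives you integrity as well as confidentiality: if someone edits a row in the database, or swaps two users' rows, `open_token` raises instead of returning garbage. That is the property you want for the refresh_token, which is the long-lived secret.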
Thank you for reading this today. I guess it's a bit of content to digest. Just remember that there has to be a token for most of the requests you make on behalf of your users, especially when deleting playlist items automatically.
"redirect_uri=...&client_id=...&response_type=code&scope=..."
The query parameters for the initial authorization request look like the above. All the parameter keys are listed in Google's documentation. The address the user's browser is sent to (a GET via redirect, not a POST) is
GET "https://accounts.google.com/o/oauth2/v2/auth"
The POST comes later, when your server exchanges the returned code for tokens at "https://oauth2.googleapis.com/token".
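To make the flow concrete, here is an added example in plain Ruby (my own code, not from the original post or from the Yt gem) that builds the authorization URL, checks the callback that Google redirects the browser to, and builds the body of the token-exchange POST. The client_id, client_secret and the callback URL are constructed sample values; the real ones come from the Google Cloud console. No network request is made, so it runs offline.

```ruby
require "securerandom"
require "uri"
require "cgi"

# Hypothetical credentials; a real app gets these from the Google Cloud console.
CLIENT_ID     = "example-client-id.apps.googleusercontent.com"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI  = "http://localhost:3000/session/auth"   # must be registered ahead of time

AUTH_ENDPOINT  = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Step 1: the URL the user's browser is sent to (a GET redirect, not a POST).
# `state` is a random value the app remembers in the session and checks on return,
# so an attacker cannot trick the app into finishing a login they started.
def authorization_url(scopes:, state:)
  params = {
    "client_id"     => CLIENT_ID,
    "redirect_uri"  => REDIRECT_URI,
    "response_type" => "code",
    "scope"         => scopes.join(" "),
    "state"         => state,
    "access_type"   => "offline",   # ask for a refresh_token as well
  }
  "#{AUTH_ENDPOINT}?#{URI.encode_www_form(params)}"
end

# Step 2: Google redirects back to REDIRECT_URI?code=...&state=...
# Reject the callback unless `state` matches what the app stored.
def parse_callback(callback_url, expected_state:)
  query = CGI.parse(URI.parse(callback_url).query.to_s)
  state = query["state"].first
  raise "state mismatch (possible CSRF)" unless state && state == expected_state
  code = query["code"].first
  raise "no code in callback" if code.nil? || code.empty?
  code
end

# Step 3: body of the POST the server sends to TOKEN_ENDPOINT to swap the
# one-time code for an access_token (and refresh_token). Not executed here.
def token_request_body(code)
  URI.encode_www_form(
    "code"          => code,
    "client_id"     => CLIENT_ID,
    "client_secret" => CLIENT_SECRET,
    "redirect_uri"  => REDIRECT_URI,
    "grant_type"    => "authorization_code",
  )
end

if __FILE__ == $0
  state = SecureRandom.hex(16)
  puts authorization_url(scopes: ["https://www.googleapis.com/auth/youtube"], state: state)
  # Constructed sample callback, as the browser would hit it after the user approves:
  code = parse_callback("#{REDIRECT_URI}?state=#{state}&code=4%2F0AX-one-time-code", expected_state: state)
  puts token_request_body(code)
end
```

The `state` check is the part people forget: without it, anyone who can get you to open a link can log your session into their account. Note also that the Yt gem's short scope names like "youtube" stand for the full scope URL used here.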
See you next time then. Thank you!
EDIT
I use the "Yt" gem for this. The Ruby code is as simple as the following (but what happens underneath it is the process I explained above).
redirect_uri = "http://localhost:3000/session/auth"
scopes = ["userinfo.email", "youtube"]
Yt::Account.new(scopes: scopes, redirect_uri: redirect_uri).authentication_url
This way I get the complete URL to send the user's browser to at Google / YouTube.