I need to access the YouTube API, authenticating as a single account so I can access its videos, tags, comments, etc.
A Public API Access key does not seem to cover this scenario as tags aren't visible to the public. Is it necessary to implement OAuth just to authenticate one account? I have no intention of having other users authenticate with the web app - only the YouTube account that belongs to the owner of the web app.
I have the username & password for the YouTube account. Is there no way to authenticate one YouTube account with the API as a single-user?
A Service Account seems most suitable for me, but apparently the v3 API doesn't support them.
Related
I know there is two kinds of API provided by Instagram which with one of them you can read public comments and images and etc. (Graphql) and with another one you can authorize your app to do some stuff on Instagram on behalf of the authorized user.
In our company, we have an internal portal and we want to add an ability to answer to company's comments directly from our portal. Also customer service unit is in charge of this task and they can't have our company's Instagram credentials. I want to know if there is a way to do such a task without any authentication from client side (for example, maybe I could add our Instagram credential from the portals back-end).
I get it that Oauth is used to grant permission to a third party application to access a user's data (like photos on his facebook account) without revelaing his facebook credentials to the third party application. For example, when you try to use an online photo editing tool and you want to load a photo from facebook, facebook will pop up a message asking whether you really want to allow the application to access your data. So at that point facebook just returns a temporary access token and the app can use it to access your facebook photos. (as i understand the scope for this access token is such that it only has permission to access the particular user's photos only) Yes, this sort of a setup is required because you can't trust a third party application that much as to give away your credentials.
Assume somehow instead of oauth, facebook used api key authentication. This would mean that all third party applications that have subscribed for facebook API already have a key which they can use to access facebook's data sources.So that the app can directly take you to your facebook photos and facebook will not notify you that an outsider is trying to access your private data. This approach is not suitable for an api that exposes user sensitive data but for apis that expose not so user specific (like google maps) data, the api key approach should be enough, right ?
So my question is, what are the criterion to decide which authentication type should be used ? And appreciate feedback if my understanding is wrong.
Here are 2 of the standard 4 Oauth2 flows which cater for the scenarios you mention.
Authorisation Code
Client Credentials.
Using your Facebook example above you could think of like this:
Use Authorisation Code flow for your "Oauth" scenario, where your app needs delegated authorisation to access a user's Facebook photos. This means the user must login and grant access to your app and your app must have an API key (client ID) issued by Facebook.
Use the client credentials flow for your "API Key" scenario. This would be when your app needs access to, for example, public Facebook pages / info and thus does not require specific user consent and can just use its API Key (Client Id & Client Secret)
I am making a widget for my iPhone to fetch data about my Instagram followers. I won't be putting it on the App Store, and I won't be fetching any other users' data.
Can I do this? I have tried to figure out what to do but I think I have to register my website, even though I'm not making a website and this won't be shared with anyone else.
As stated in Instagram Developer Documentation, you will have to register your application before using the API.
1. Register
We'll assign an OAuth client_id and client_secret for each of your
applications.
2. Authenticate
Ask users to authenticate and authorize your application with
Instagram.
3. Start making requests!
Make requests to our API Endpoints with the users' OAuth credentials.
The takeaway here is that you'll need the OAuth credentials to access the API.
I have a website where I was allowing user logins based on my own database. I have migrated this login system to Google+ sign-in and it worked well for UI based login workflow.
My website also allows users to perform some operations through our custom REST API. I want my API users to go through google sign-in as well. Does google provide a standard workflow where our end-users authenticate themselves from google and send auth token to my API?
If there is no standard workflow defined by google, I have thought of hack-ish way where users use google refresh token as API key. I will not store refresh token in DB, rather Users will send the refresh key to my API in form of API access key. API will generate access token from google. Users will use the access token as session key for further requests (for abt 1 Hr). Is it right way to go forward? Is there any security flaw in this?
I was just wondering, I want to associate a Twitter and LinkedIn account with my systems accounts. Which would allow them to post to interact with them without needing to log in to the other systems.
Is there a way to store the social (twitter / LI) usernames and passwords and associate them with my system and vis versa.
E.g. If I login using my native details (email / password) I can access the API features of my social network accounts?
Thanks in advance,
Chris
I can't speak for Twitter, but with LinkedIn you could follow this basic workflow:
Register an 'application' with LinkedIn. Your site will use this application for all communication with the LinkedIn API.
Have the user authorize your site (your application really), to access their account via the LinkedIn API.
Retrieve the user's unique LinkedIn ID, as well as their access tokens, and store those in your user account database, associated with their existing account.
Then, when they return and log in to your site, any calls you need to make to LinkedIn can be done via the stored access token, rather than having to have them manually allow you to have access again.