Is it possible to ask just for rating permission?
I do not want to administer YouTube videos or managing the account. Just rating videos?
Unfortunately, the YouTube Data API does not have such fine grained endpoint permission scopes.
According to the official documentation, for an app to be allowed to programmatically apply a like/dislike rating or cancel a like/dislike rating, it has to have granted permission of operation by a YouTube account (that is channel) on the following scopes:
Authorization
This request requires authorization with at least one of the following scopes (read more about authentication and authorization).
Scope
https://www.googleapis.com/auth/youtubepartner
https://www.googleapis.com/auth/youtube
https://www.googleapis.com/auth/youtube.force-ssl
These are all the scopes the API defines for this endpoint. Among them there's no one that would let you do only video rating.
Related
I've spent a few hours now looking through the docs + reading other SO posts, and it's still not clear to me how to simply request domain-wide credentials for Google Calendar API (for other domains; not my own).
Our current web app kicks off an OAuth flow to request Calendar API credentials for a single user; however, there doesn't seem to be a simple way like this to request credentials for an entire domain. It seems that acquiring domain-level access requires the admin to manually set up a service account and then pass that information over (https://developers.google.com/admin-sdk/directory/v1/guides/delegation) which is incredibly cumbersome.
With Microsoft's Calendar API, this is a very straightforward process where you simply specify "Application Permissions" and then the OAuth flow must be completed by an Admin to get the expected set of access and refresh tokens. For GSuite, I can find no such equivalent...
To clarify based on some comments, I'm trying to figure out if GSuite has anything equivalent to what Microsoft Graph offers as described here:
https://learn.microsoft.com/en-us/graph/auth-v2-service
The closest I've seen requires publishing to the Google Apps Marketplace; however, the documentation here seems to be quite lacking and it's unclear how things like redirect_uri for handing over credentials to the backend server are handled.
If I've missed any documentation and someone can just point me in the right direction then that would be greatly appreciated.
The best documentation for how to set up domain wide delegation to a service account is -> Perform Google Workspace Domain-Wide Delegation of Authority
request domain-wide credentials for Google Calendar API (for other domains; not my own).
You can not. The admin of the google workspace domain sets up domain wide delegation for service accounts owned by the domain.
there doesn't seem to be a simple way like this to request credentials for an entire domain.
Service account authorization is very different from Oauth2 authorization. Service account authorization is is intended for backend systems that need access to data without requesting user permission.
Oauth2 allows you to grant authorization on a per user basis. The user must grant an application access to their data by accepting the consent screen.
There is no oauth2 flow that would grant your application to all the users on a workspace domain. TBH I think thats a good thing.
Only super administrators can configure domain-wide delegation, this is done in the Google Workspace Admin console
When you enable domain-wide delegation for a service account, basically you are giving it the permission to impersonate any user within your domain
If you need to make Calendar requests on behalf your users, in your app you will need to implement impersonation, that way you will use the service account with wide-domain delegation to make the requests on behalf your users
Here you can find the documentation explaining how to set up wide-domain delegation and an example for making the API calls implementing impersonation https://developers.google.com/identity/protocols/oauth2/service-account#authorizingrequests
Is it possible to generate a Youtube API key having admin access to the Youtube account? or is this function only possible for account owners?
Anyone can create a project on Google cloud console You do not need to be an admin on anything to create an api key.
You should understand though that Api keys are used to access public data via the YouTube api. This has nothing to do with a specific YouTube account. It will just let you access the public methods like Video.Search
All methods that require authorization For example members.list show in their documentation page that they require authorization.
The only authorization method allowed for the YouTube api is Oauth2. Someone with access to the channel will need to authorize your application and grant consent that your application access their YouTube channel on their behalf.
The documentation here does not state you can do it having admin access to the YouTube account only. But instead you need access to the actual Google Account linked to the Youtube Channel in question.
If you do have a Google Workspace subscription and the owner of the channel is one of your managed accounts, then you can access the GCP console and proceed with steps in the documentation to generate the key.
I'm trining to create live stream on youtube using google API. Now it working only when I use oauth authorisation. When I use API key authorisation I get authorisation error (login required)
When I use oauth authorisation - it require to enter confirmation code each time I create new translation. Is it possible to use "liveStreams->insert" method of API with authorisation that does not require entering of confirmation code?
From what you are writing it appears to me that you haven't understood the concept of OAuth and when to use OAuth vs an API key.
Try to think about it this way: You, as a person, have a Google account. This Google account is not the same as your YouTube account (or, as it is more commonly refered to, your YouTube channel). But your Google account is associated with your YouTube channel (of which you can have multiple). Because you are logged in to your Google account and your channel and Google account are linked, the YouTube website knows who you are and gives you access to your channel.
Now you head over to the Google Cloud Console. Here you create a project, which is very similar to a YouTube account in the sense that it, too, is an independent account which in this case represents your app, but is linked to your Google account so the Cloud Console website knows to give you access to the project as long as you are logged-in to your Google account.
HOWEVER, your YouTube account is not linked to your Cloud Console project. When you make an API request with an API key, the API does not see you as in "your Google account", but rather your apps's Cloud Console Project. That's why with an API key, you can only access publicly available data (everything you could "see" when you browse YouTube while not being logged-in).
So, in order for an application to read private channel information or modify channel information, the API needs verification that whoever makes that request is actually allowed to do that. This is where OAuth comes into play.
When you say you have to provide the confirmation code for each request, I think you don't save the access token and refresh token. I highly recommend you read Using OAuth 2.0 to Access Google APIs and Obtaining authorization credentials over on Google Developers to help get you started.
Based on the documentation of Google People API I am using profile scope - https://www.googleapis.com/auth/user.phonenumbers.read and PersonFields=phoneNumbers to read the authenticated user's phone numbers only in their Google profile (none from the contact list). I am using API key and oAuth accesstoken to authorise the request. The google people API is not fetching the phone numbers associated with the profile with the above scope alone. Adding the scope for the entire contact list read access in addition to the above scope, which is www.googleapis.com/auth/contacts.readonly returns the phone numbers from the profile correctly. Is there any way to get user's phone numbers from his/her profile using only the user.phonenumbers.read scope?
I could figure out the problem. For 'user.phonenumbers.read' scope the documentation of people API states - 'your app be given read access to the authenticated user's phone numbers in their Google profile'.
But by 'Google profile' it indicates the Google Plus Profile which is completely different form their core google profile - My Account. People API is fetching information only from the Google Plus Profile.
So even if a user has his/her contact details added in My Account, the People API will not fetch their phone numbers unless they have added them manually in their Google Plus Profile. After adding the contact details I could fetch contact details with 'auth/user.phonenumbers.read' without the need of adding 'auth/contacts.readonly' scope.
I'm working on application which generates reports and statistics about youtubers channels. I couldn't find in Google docs, how the Youtube User can grant read-only access from my application to his Youtube account? (I'm meant something like facebook application).
I'm a little confused how many ways of authentication are in Google API and which one should I use.
When you want to access private channel data, you will need to use OAuth authorization.
The way this works is that your app redirects clients to Google's authorization page, on which they can pick a YouTube channel associated with their Google account. If they are not already logged-in, they will first be asked by Google to log in (authenticate) and then proceed to the authorization page.
Once on the authorization page, they can decide to grant or refuse your application access to whatever it is your application demands access to. This is the important part: When your application redirects the user to the authorization page, it must specify one or more scopes.
Scopes define sets of actions that an application can perform once the user gives their permission. An application cannot perform operations that aren't within the scope of its powers. The three most important scopes of the YouTube API are:
https://www.googleapis.com/auth/youtube: Manage your YouTube account
https://www.googleapis.com/auth/youtube.readonly: View your YouTube account
https://www.googleapis.com/auth/youtube.upload: Manage your YouTube videos
That means that you can ask users to give your application read-only access to their channel by configuring your app to use the https://www.googleapis.com/auth/youtube.readonly scope. This is an example of what the URL that your application redirects its users to could look like:
https://accounts.google.com/o/oauth2/v2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube.readonly&
access_type=offline&
redirect_uri=http%3A%2F%2Flocalhost%2Foauth2callback&
response_type=code&
client_id=CLIENT_ID
If the user accepts, your server will be given an authorization code which it can exchange for a set of access and refresh tokens. The resource server (Google, in this case) will know with which scope these tokens were originally obtained and reject any calls outside of the scope.
This is what the authorization page currently looks like:
For more information, please read 'Using OAuth 2.0 for Web Server Applications' on Google Developers.