Develop Reference

How to set up google api project for an app which needs either of 2 scopes?

We build a ad-network for bloggers (instagram, youtube etc). We want to use google api for 2 use cases:
Register user with oauth which requires
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
both non-sensitive scopes (but still requires app verification)
If user wants to add his youtube account into our system, we need youtube data v3 and youtube analytics. Which must be sensitive.
Please advise, how to better set it all up: create 2 different apps (one for sign up, another for youtube) or make one app and request scopes depending on scenario?

How to add the marketing materials to Google Workspace Marketplace

We successfully submitted an OAuth App and got verification approval -
But throw out the process, we didn't understand where we uploaded our branding assets to be displayed on the marketplace; we read the documentation, but we couldn't find it during the process.
Pls help

In API & Services > OAuth Consent screen you specify the branding information that is shown in the OAuth consent screen of the applications that use that cloud project. See https://developers.google.com/workspace/marketplace/configure-oauth-consent-screen.
In the Google Workspace Marketplace SDK you specify the listing assets. See https://developers.google.com/workspace/marketplace/enable-configure-sdk.

YouTube Data API: Permission to video rating only

Is it possible to ask just for rating permission?
I do not want to administer YouTube videos or managing the account. Just rating videos?

Unfortunately, the YouTube Data API does not have such fine grained endpoint permission scopes.
According to the official documentation, for an app to be allowed to programmatically apply a like/dislike rating or cancel a like/dislike rating, it has to have granted permission of operation by a YouTube account (that is channel) on the following scopes:
Authorization
This request requires authorization with at least one of the following scopes (read more about authentication and authorization).
Scope
https://www.googleapis.com/auth/youtubepartner
https://www.googleapis.com/auth/youtube
https://www.googleapis.com/auth/youtube.force-ssl
These are all the scopes the API defines for this endpoint. Among them there's no one that would let you do only video rating.

OAuth2 login with Nativescript - Avoiding external browser / webview is possible?

I'm working on a new project with OpenId Connect based security. Being a novice with this technology (and with mobile development too), I wasn't able to find an exact answer to my question.
Little introduction to the project:
Generated the API module / entity administration app with jHipster (Spring boot, Keycloak as Identity provider, and PostgreSql for DB).
Generated the mobile app with Nativescript-Angular
Installed Nativescript-OAuth2 plugin
The client (NS app) is the part I'm working on now.
Before giving up and switch to something simpler, I'd like to ask if using a login form inside the app, without opening an external web browser to insert credentials, it's approved by the official OAuth2-OIdC specification.
My concern is that I've read in the Nativescript-OAuth2 plugin board, here that Apple is not accepting external redirections like the one mentioned above.
To be honest, I agree with that, the user experience could be affected by this view switching, and become confused.
The idea of a normal login form, seems possible and already done, as you can see in this article.
We're talking about a jhipster project, this time integrated with React Native.
The authentication happens entirely in the app, without any external browser help, so it's possible.
Personally I've read that OAuth2 specification tells explicitly to use the external browser, but maybe my interpretation is not correct.
The purpose of this question is to clarify if is possible to follow the OAuth2 / OpenId Connect standard, by means of "simple" HTTP requests, without any external browser or WebView?
I know that the OAuth2 / OIDC Standard websites are reporting any kind of information. It's true that at first glance, coming from web development, or simpler security methods, it's a bit hard to know which way to follow. Things are even more complicated when you are using NativeScript, as it's an Angular app transpiled to native Android - iOS code.
I take the view that this question needs to be addressed as this security protocol is becoming the standard now, and the same is for frameworks like NativeScript, React Native, AppCellerator Titanium, etc.
Note: On NS website there's a document telling you that it's easy to implement OAuth2 login with featured Kinvey's extensions. The problem is that when you have finished to configure your environment, and start following that doc, then you discover that Kinvey services are not free any more.

Yes, it is possible using Resource Owner Password Credentials Grant
+----------+
| Resource |
| Owner |
| |
+----------+
v
| Resource Owner
(A) Password Credentials
|
v
+---------+ +---------------+
| |>--(B)---- Resource Owner ------->| |
| | Password Credentials | Authorization |
| Client | | Server |
| |<--(C)---- Access Token ---------<| |
| | (w/ Optional Refresh Token) | |
+---------+ +---------------+
Note, that Resource Owner is the User and Client is the Application.
This login-type usually has to be turned on. By many Identity Providers such as Keycloak this option is called Direct Access Grants and might be turned on in the settings of the client.

Using ACS with Windows Phone

I'm lost. I'm developing a Windows Phone 7 app and I want to do the following:
I want to use Facebook, Live ID, Google and Yahoo to let user sign in my app. And also, it they don't have any of those account I will need to implement a sign up interface on Windows Azure.
I also need to store some ID from user signed in my app. For example, Facebook returns an ID for that user. But Google, Live ID and Yahoo! returns another ID. I will store this on a user table with these columns:
ID | Sing-IN-Type | ID-returned
ID: Primarty Key.
Sing-IN-Type: Foreign key to a table with Facebook, Google, etc. names.
ID-returned: ID returned by those webs.
I've read about ACS v2 and I'm not sure it will fit with my requisites. What do you think?

The ACS team has posted a sample that demonstrates how to implement federated auth in a phone app using the silverlight browser control:
http://acs.codeplex.com/wikipage?title=ACS%20Windows%20Phone%20Sample&referringTitle=Samples
The sample doesn't parse the token to extract the claims you're after, but it wouldn't take much code to do it.
After logging in, the application caches the token returned from ACS in a RequestSecurityTresponseStore, which is a member of the MainPage. There are Simple Web Token (SWT) handlers included in the DPE.OAuth project that you can make use of. In the context of MainPage.xaml.cs, the code would look like this:
SimpleWebToken swt = (SimpleWebToken)SimpleWebTokenHandler.GetTokenFromString( _rstrStore.SecurityToken );
You should then find the IdentityProvider (sign in type) and NameIdentifier (user ID) claims that ACS issued inside the swt.Parameters.
If you want to host your own custom sign in page in this scenario, ACS provides functionality for that as well:
http://msdn.microsoft.com/en-us/library/gg185963.aspx

You could also look at the hands on labs from the identity framework.