General question about the OAuth 2.0 flow


abanjo

Nov 15, 2011, 1:57:59 PM
to oauth...@googlegroups.com
Hi,
I'm new to OAuth 2.0, so I have some doubts about how to use it.
I want to implement a login button on my site in order to permit users to subscribe and add comments to my YouTube channel (OAuth 2.0 web server implementation).
When the user clicks "login" I open a pop-up and redirect the user to the Google server (https://accounts.google.com/o/oauth2/auth) in order to get the "code". In this step the user must enter username/password (if not logged in) and then confirm that he wants to allow my site to access his profile on YouTube. Then I perform a POST to (https://accounts.google.com/o/oauth2/token) to get the access token that must be used in the YouTube API... for example to add a comment to a video. I can also store the "refresh token", so that I can obtain a new access token without user interaction.
Here are my questions:
1) I noticed that every time I click on "login", the user must always confirm that he wants to grant permission to my site. Why? I'm using the "approval_prompt=auto" parameter... shouldn't this parameter prevent this behavior?

2) Does the "refresh token" have an expiration time? For example, if I store it in a database associated with a user, can I use it to allow the user to add a comment without performing the login process? In other words... when should I use it?

Thanks
Davide
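The web-server flow Davide describes, as an added example that is not code from any post in this thread. It builds the authorization redirect, validates the callback, and prepares the token-endpoint requests without making any network call. The endpoint URLs and the response_type, approval_prompt and access_type parameters are the ones quoted above; the `state` parameter, the helper names, and the JSON token responses used in the test are assumptions or constructed samples, not captured from Google.

```python
"""
OAuth 2.0 web-server (authorization code) flow against Google's endpoints.
Added example, not code from the thread. Nothing here performs HTTP: the
functions build the redirect and the POST bodies and parse the responses,
so the flow can be exercised offline. The `state` handling and the helper
names are assumptions, not something the thread prescribes.
"""
import json
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"


def new_state():
    """Unguessable per-login value; keep it in the user's session before redirecting."""
    return secrets.token_urlsafe(24)


def build_auth_url(client_id, redirect_uri, scope, state, force_consent=False):
    """Authorization request. approval_prompt=auto skips the consent screen for a
    user who already authorized the app; access_type=offline asks for a refresh token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "access_type": "offline",
        "approval_prompt": "force" if force_consent else "auto",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Validate the redirect back from Google. Rejects error responses and a
    state mismatch (login CSRF: an attacker making the victim's browser complete
    the attacker's authorization). Returns the authorization code."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError("authorization failed: %s" % qs["error"][0])
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch; discarding code")
    return qs["code"][0]


def code_exchange_body(code, client_id, client_secret, redirect_uri):
    """POST body for the token endpoint. redirect_uri must match the one used in
    build_auth_url exactly, otherwise the exchange fails with an error about it."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    })


def refresh_body(refresh_token, client_id, client_secret):
    """POST body for obtaining a new access token without user interaction."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def parse_token_response(body):
    """Return (access_token, expires_in, refresh_token_or_None).
    A refresh token is only present on the first grant; later exchanges omit it,
    so callers must treat None as "keep what you already stored"."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError("token endpoint error: %s" % data["error"])
    return data["access_token"], int(data["expires_in"]), data.get("refresh_token")
```

The `state` check is the piece the thread never mentions: without it, an attacker can hand a victim a callback URL carrying the attacker's code and get the victim's site account linked to the attacker's Google account.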


Marius Scurtescu

Nov 15, 2011, 6:13:52 PM
to oauth...@googlegroups.com
Hi Davide,

The auto-approval flow for response_type=code is not supported just yet, but it is coming soon.

Refresh tokens do not expire; you can store them and bypass the login process if you want. They will stop working only if the end user explicitly revokes them.

Marius

abanjo

Nov 16, 2011, 3:57:06 PM
to oauth...@googlegroups.com
Hi Marius,
thanks for your answer!
I'm doing some tests just to understand the process better:

- I'm logged in with user "A" (e.g. in Gmail).
- I go to my site and follow all the steps: give consent to my site for the YouTube API, get the "code", request the "access_token" and "refresh_token".
- I subscribe user "A" to my YouTube channel with this API: "https://gdata.youtube.com/feeds/api/users/default/subscriptions". With "default" I'm asking to subscribe the currently logged-in user.
- I save the "refresh_token" for further use.

All works well!
Subsequently:

- I perform a login with a different user... "B".
- I use the "refresh_token" (the one from user "A") to get a new "access_token".
- Then I try to subscribe user "B" to my YT channel. I expect something like "access denied"... instead I receive a "Subscription already exists." message. So the "default" user is not "B" but "A"!

Here are my questions:

1) Is it correct to say that a "refresh_token" is 1 to 1 with a single user and that all operations with the API refer to the user associated with it? This token can change only if the user removes consent.

2) A user that visits my site can be a returning user that has already given me consent to perform actions on his YouTube profile. I want to let him perform actions (e.g. add a comment to a video) without prompting "give me your consent" another time. Currently I'm storing the "refresh_token" in a session, but this "saves me" only during the current navigation. If he closes the browser, at the next visit he is new to me! I can store the "refresh_token" in a database, but associated with which key? I need a user id! Is it possible to do that, or am I using OAuth in the wrong way?
Currently, if I don't have a "refresh_token" in the session (obviously I first check the "access_token"), I force the user to do all the steps, but I can't bypass the consent, at least until December when the new feature is active (approval_prompt=auto).

3) Another strange behaviour is that if I'm not logged in with a Google account, but I try to use a previously stored "refresh_token" to subscribe myself to the YT channel, I can do it! So for Google it is not important whether a user is currently logged in... only whether I have a valid "refresh_token" :-O . I know that this is very useful in a batch process, but it is also very dangerous from the user's point of view. For example I can subscribe him to other channels not related to my site, or add spam comments to videos, etc... What do you think about this?

Thanks
Davide

Nischal Shetty

Nov 18, 2011, 5:29:40 AM
to oauth...@googlegroups.com


On Wednesday, November 16, 2011 5:57:06 PM UTC-3, abanjo wrote:
> Hi Marius,
> thanks for your answer!
> I'm doing some tests just to understand the process better:
>
> - I'm logged in with user "A" (e.g. in Gmail).
> - I go to my site and follow all the steps: give consent to my site for the YouTube API, get the "code", request the "access_token" and "refresh_token".
> - I subscribe user "A" to my YouTube channel with this API: "https://gdata.youtube.com/feeds/api/users/default/subscriptions". With "default" I'm asking to subscribe the currently logged-in user.
> - I save the "refresh_token" for further use.
>
> All works well!
> Subsequently:
>
> - I perform a login with a different user... "B".
> - I use the "refresh_token" (the one from user "A") to get a new "access_token".
> - Then I try to subscribe user "B" to my YT channel. I expect something like "access denied"... instead I receive a "Subscription already exists." message. So the "default" user is not "B" but "A"!
>
> Here are my questions:
>
> 1) Is it correct to say that a "refresh_token" is 1 to 1 with a single user and that all operations with the API refer to the user associated with it? This token can change only if the user removes consent.

Yes.

> 2) A user that visits my site can be a returning user that has already given me consent to perform actions on his YouTube profile. I want to let him perform actions (e.g. add a comment to a video) without prompting "give me your consent" another time. Currently I'm storing the "refresh_token" in a session, but this "saves me" only during the current navigation. If he closes the browser, at the next visit he is new to me! I can store the "refresh_token" in a database, but associated with which key? I need a user id! Is it possible to do that, or am I using OAuth in the wrong way?
> Currently, if I don't have a "refresh_token" in the session (obviously I first check the "access_token"), I force the user to do all the steps, but I can't bypass the consent, at least until December when the new feature is active (approval_prompt=auto).

When a user is redirected to your site with the code for the first time, you use that code to obtain an access token and a refresh token. Once you have these, make a call to obtain the user's profile information. In the profile information you will obtain the unique user id with which Google identifies the user. Query your datastore to check if a user with that id already exists. If the user exists, store ONLY the access token (the refresh token would be null if you have offline access enabled). If the user does not exist, store BOTH the access token and the refresh token against this user id.

Once you have done the above and the user logs out of your application and comes in again, you would again obtain a code when the user logs in. Follow the same procedure above.

> 3) Another strange behaviour is that if I'm not logged in with a Google account, but I try to use a previously stored "refresh_token" to subscribe myself to the YT channel, I can do it! So for Google it is not important whether a user is currently logged in... only whether I have a valid "refresh_token" :-O . I know that this is very useful in a batch process, but it is also very dangerous from the user's point of view. For example I can subscribe him to other channels not related to my site, or add spam comments to videos, etc... What do you think about this?

Yes, you can do that. That is what offline access allows you to do. Google also displays something along the lines of "this application would be able to access your data anytime". So you can subscribe users to any channel in a batch process. Once a few users start complaining about your app it would be banned. But yeah, until then you can do this.

Nischal Shetty

Nov 18, 2011, 5:39:10 AM
to oauth...@googlegroups.com
These things would hold true only after December 7th, when Google allows you to not force a user to authorize your app each time. Until then the refresh token would be retrieved on each request.

Dusan Vrban

Nov 29, 2011, 3:08:32 PM
to oauth...@googlegroups.com
Just want to be sure... I have a test app here.

Everything is fine, but indeed, whatever I did, the user has to authorize the app each time.

What you are saying is that from December 7th these reauthorizations are history? If the app is authorized, I can "refresh" the user's data silently on the server (though I don't see the point of holding that data in my database).

Basically, all I want is just to get rid of the login button (via a small iframe on the page) if I'm logged in to Google. If the user has allowed my app, this iframe should just say "Hi Dusan" - after December 7th?

Nischal Shetty

Nov 29, 2011, 3:20:55 PM
to oauth...@googlegroups.com
Yes, that is how it should be.
--
-Nischal
twitter: NischalShetty
facebook: Nischal



Marius Scurtescu

Dec 1, 2011, 1:47:22 PM
to oauth...@googlegroups.com
Hi,

What you can do now is to add the approval_prompt=auto parameter and that will give you the behavior that will be on after December 7th.

Let me know if that worked for you.

Thanks,
Marius

Dusan Vrban

Dec 2, 2011, 11:29:07 AM
to oauth2-dev
A few days ago it didn't work. I will try during the weekend, I hope. It is not urgent, as long as it works after December 7th.


abanjo

Dec 3, 2011, 8:42:39 AM
to oauth...@googlegroups.com
Hi Nischal,
I'm testing "approval_prompt=auto", but it still doesn't work.
Well... something has changed, because now the user is not prompted with the authorization step, but the subsequent POST request (to get the "access token") gives me an error about the "redirect_uri" value. I'm sure that it is correct... in fact, changing from "auto" to "force" in the first step, all works well (but with the confirmation step).
So I will wait until after 7 December to check it again.

Just another question. If a user gives me consent to get his profile information, how can I use it? In other words, can I store the data in a database to have my own copy? I'm happy to let Google's users log in to my site; it's a good thing both for Google and for me. If my site is successful it will encourage new users to create a Google account, and at the same time I can take advantage of the many Google users.
On my website a user can subscribe to my YT channel, but also do other things not related to the "video section". The problem is that from the YT API I can't extract the full list of subscribers, so saving the data to my DB should be a solution for that. So I want to separate the users that want only video (YT) from the ones that are interested in the whole site. I will still need Google OAuth because username/password are on its server, but other precious information (name, surname, email etc...) can be stored on my infrastructure.
Is there a policy on that which must be followed?
For example, can I send a newsletter to all the stored emails?
Thanks
Davide


Nischal Shetty

Dec 3, 2011, 10:03:35 AM
to oauth...@googlegroups.com
@Marius suggested 'auto', but I remember using it and it did not work a few weeks back. I too am waiting for December 7 and then we can all try the regular flow.

Nischal Shetty

Dec 3, 2011, 10:07:03 AM
to oauth...@googlegroups.com
@abanjo I haven't really read Google's TOS, but as far as I can tell you are allowed to save the general user info and you can send them emails once you have obtained the same. If those are newsletters, there is usually a requirement that at the time of obtaining the email you inform the user about the same and provide them with an option to opt out.

abanjo

Dec 4, 2011, 8:51:31 AM
to oauth...@googlegroups.com
Thanks for your suggestions Nischal! :-)
I will investigate the TOS, but I think you are right.
Davide

Marius Scurtescu

Dec 5, 2011, 1:36:30 PM
to oauth...@googlegroups.com
Hi Nischal,

'auto' should work now, please give it a try if you have time.

Marius

Nischal Shetty

Dec 5, 2011, 1:39:19 PM
to oauth...@googlegroups.com
Cool! I'll test this out then. Thanks!

Alexander Herrera

Dec 7, 2011, 3:17:01 PM
to oauth...@googlegroups.com
I just tried the auto parameter but it does not work. First, it doesn't show me the permission dialog box; instead it just goes directly to the application, and the code in the URL that it gives me is this:

Code=kAcAH+1Ng3n18WWm1oJH8r+L0EA7xHkvzaTt03gbtOPbPWQRQxLxD+46cWDH4na6BKDlokVZAl7cX1oXT59Rok4HW9rG6fKKdOubA/vLLLq7GIbyTDfrI1W9mo=

I guess this is a wrong code, because when I try to exchange it for the access_token it gives me an error:

{ "error" : "invalid_grant" }

I just add the following to the code request:

"response_type=code&" +
"client_id=xxxxxxxxxxxxxxxxxxxx&" +
"approval_prompt=auto&" +
"access_type=offline";

Does someone know why this is happening? Hope someone can help.

Thx in advance

Keith Ellis

Dec 8, 2011, 8:00:45 AM
to oauth...@googlegroups.com
I'm getting the same problem. As of today, I'm not seeing the authorization page but instead getting redirected with an authorization code that I'm unable to exchange for an access token???

Nischal Shetty

Dec 8, 2011, 8:05:14 AM
to oauth...@googlegroups.com
FYI, "auto" would mean you wouldn't see the authorization page if the app has already been authorized.

Though I'm not sure why you're not able to get an access token. Try removing the permission for the app and going through the authorization process again.


Keith Ellis

Dec 8, 2011, 8:21:43 AM
to oauth...@googlegroups.com
It seems to work OK if I set approval_prompt to 'force', but if it's 'auto' or not set at all then I get a longer auth code that errors when exchanging for the access token.

Nischal Shetty

Dec 8, 2011, 8:31:15 AM
to oauth...@googlegroups.com
You should also know that when it's set to auto, the refreshToken would not be returned; it would be null.

So, in such cases, I presume your previously saved accessToken should still be valid. You don't really need to obtain a new accessToken.

In case you still want to retrieve a new accessToken, try using the previously saved refreshToken.

I'm guessing that, since the refreshToken is null the second time a user goes through the OAuth flow, you end up using a null refreshToken to obtain an accessToken and hence the problem.

Let me know if it works.

On 8 December 2011 18:51, Keith Ellis <ellis...@googlemail.com> wrote:
It seems to work ok if I set the approval_prompt to 'force' but if it's 'auto' or not set at all then I get a longer auth code that errors when exchanging for the access token.


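Nischal's Nov 18 advice (identify the account with the profile call, key the stored tokens by the Google user id, and store a refresh token only when one is returned) and his point just above that with approval_prompt=auto the refresh token comes back null on later logins, as one added example. This is not code from either poster. Assumptions: the userinfo call and the refresh-grant HTTP call are passed in as functions (`fetch_user_id`, `refresh`) so the logic runs offline; `sqlite3` stands in for the site's database; all token values in the test are constructed.

```python
"""
Token storage keyed by Google's user id rather than by the web session.
Added example, not code from the thread. The HTTP calls (userinfo, refresh
grant) are injected as callables; sqlite3 is a stand-in for the site's DB.
"""
import sqlite3
import time


class NeedsConsent(Exception):
    """No usable credential for this Google account: send the user through the consent flow."""


class InvalidGrant(Exception):
    """Raised by the injected refresh() when Google answers {"error": "invalid_grant"}."""


class TokenStore:
    def __init__(self, conn):
        self.conn = conn
        conn.execute("""CREATE TABLE IF NOT EXISTS google_tokens (
            google_user_id TEXT PRIMARY KEY,
            access_token   TEXT NOT NULL,
            expires_at     INTEGER NOT NULL,
            refresh_token  TEXT)""")

    def upsert(self, google_user_id, access_token, expires_in, refresh_token, now=None):
        """Run after every code exchange. A refresh token arrives only on the first
        grant (or with approval_prompt=force); later logins omit it, so a missing
        value must never overwrite the one already stored."""
        now = time.time() if now is None else now
        expires_at = int(now + expires_in - 60)  # renew a minute early
        row = self.conn.execute(
            "SELECT refresh_token FROM google_tokens WHERE google_user_id=?",
            (google_user_id,)).fetchone()
        if row is None:
            self.conn.execute("INSERT INTO google_tokens VALUES (?, ?, ?, ?)",
                              (google_user_id, access_token, expires_at, refresh_token))
        else:
            keep = refresh_token if refresh_token is not None else row[0]
            self.conn.execute(
                "UPDATE google_tokens SET access_token=?, expires_at=?, refresh_token=? "
                "WHERE google_user_id=?",
                (access_token, expires_at, keep, google_user_id))
        self.conn.commit()

    def access_token_for(self, google_user_id, refresh, now=None):
        """Usable access token for exactly this Google account (never "whoever is
        logged in to Google right now"). refresh(refresh_token) performs the refresh
        grant and returns (access_token, expires_in); on InvalidGrant the user has
        revoked the app, so the row is dropped and consent is required again."""
        now = time.time() if now is None else now
        row = self.conn.execute(
            "SELECT access_token, expires_at, refresh_token FROM google_tokens "
            "WHERE google_user_id=?", (google_user_id,)).fetchone()
        if row is None:
            raise NeedsConsent(google_user_id)
        access_token, expires_at, refresh_token = row
        if now < expires_at:
            return access_token
        if refresh_token is None:
            raise NeedsConsent(google_user_id)
        try:
            access_token, expires_in = refresh(refresh_token)
        except InvalidGrant:
            self.revoke_local(google_user_id)
            raise NeedsConsent(google_user_id)
        self.upsert(google_user_id, access_token, expires_in, None, now=now)
        return access_token

    def revoke_local(self, google_user_id):
        """User disconnected the site, or Google reported the refresh token revoked."""
        self.conn.execute("DELETE FROM google_tokens WHERE google_user_id=?", (google_user_id,))
        self.conn.commit()


def handle_callback(store, token_response, fetch_user_id):
    """After the code exchange: ask userinfo (with the new access token) which
    Google account granted these tokens, then key everything by that id.
    token_response is the parsed JSON dict from the token endpoint."""
    google_user_id = fetch_user_id(token_response["access_token"])
    store.upsert(google_user_id, token_response["access_token"],
                 int(token_response["expires_in"]), token_response.get("refresh_token"))
    return google_user_id
```

This also answers Davide's user A / user B experiment: the refresh token is bound to the Google account that granted it, so the site must look tokens up by the google_user_id linked to the site user it has authenticated, never act with whatever token happens to be in the session. Because a refresh token works with no browser session at all (his point 3), it is a long-lived bearer credential: keep it encrypted at rest, give users a "disconnect" that calls revoke_local, and treat invalid_grant on refresh as the user having revoked the app rather than as a transient error.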

Keith Ellis

Dec 8, 2011, 8:40:49 AM
to oauth...@googlegroups.com
I'm not getting that far. I'm trying to identify a user by getting their Google ID from https://www.googleapis.com/auth/userinfo.profile. Ordinarily I would pass the auth code to get the access token to work out who the user is. Until I know who the user is there isn't any point in storing tokens - unless I'm doing this completely wrong!