1

I'm coding a music website that allows the user to create YouTube lists.

My first try has been with JS:

https://developers.google.com/youtube/v3/code_samples/javascript

The process implies an initial authorization, as you can see in this piece of HTML:

<div id="login-container" class="pre-auth">
    This application requires access to your YouTube account. Please <a href="#" id="login-link">authorize</a> to continue.
</div>

Once you click on the link, a modal like this displays itself:

Modal

So you have to choose an account of your own -that moreover must be included in my GCP profile- to create the list in the YouTube channel related to that account.

But that's not the way I want my website to work: I want all of the users to create all of their lists in my YouTube channel. And only in mine.

So I need that any request the API receives from my website is authorized via the Gmail account related to my YouTube channel exclusively. Moreover, that way the authorization process would become invisible to the user, which it's an advantage. I want them to create their lists by just clicking a single button in my website.

I've been suggested to do all of this server-side -PHP in my case- using a service account, but reading the library docs I've found this:

https://github.com/googleapis/google-api-php-client#authentication-with-service-accounts

Some APIs (such as the YouTube Data API) do not support service accounts.

So... Do I have any other option to automate the authorization process?

Improve this question
1
  • 1
    If I were you I would use a server side PhP, even if there isn't any support for service accounts, on your PhP you can interact with your account (especially your playlists) with OAuth and there is no need for service account. I don't know whether or not you can restrict access on endpoints (to only allow playlist create/add) with your YouTube Data API v3 OAuth credential otherwise by looking at your website JavaScript source code anybody could just destroy your channel. Commented Feb 6, 2022 at 9:25

1 Answer 1

Reset to default
3
+25

But that's not the way I want my website to work: I want all of the users to create all of their lists in my YouTube channel. And only in mine.

Updating a users list requires the consent of the user. If its your YouTube channel you want to update lists to then your going to have to authorize the app.

Unfortunately this is not as easy as you would expect it to be. Normally with other Google Apis you would expect that there be a server to server type of flow. Where you could pre define access. This is called a service account.

The YouTube api does not support service account authorization. You will need to use Oauth2.

Normally with Oauth2 you can request offline access. You can authorize your application once as yourself requesting off line access and get something called a refresh token. This refresh token can then be used at a later date to request a new access token.

You will have a few issues.

  1. Your app will need to be out of the testing phase. If its not your refresh token will expire after seven days and you will need to authorize it again.
  2. your app may also need to be verified by Google.

Now the issue then becomes the fact that you want to use JavaScript. JavaScript uses something called an implicate flow. This flow does not return a refresh token only server sided programming languages do.

So the solution would be to.

  1. Switch to a server sided programing language.
  2. Set your app to production and not testing.
  3. Run your app once and store your refresh token.
  4. Everytime the user wants to access your account use the refresh token to request a new access token.

While this may be a little confusing it does work i have implemented something similar to what you are doing for a client a few years ago.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Thanks for your answer. I have no problem in switching to PHP. I just chose JS because I easily found examples of what I wanted to do. Any clue why Google doesn't allow service accounts with YouTube Data API?
I have wondered why they don't support service accounts. My guess is its because this system was not originally created by Google. They bought YouTube there for the systems may not be compatible. If you think back 10 years there were issues with using Google accounts with the api to begin with. It took them a while to get that patched.
All I read about API access implies "users granting consent", but I don't want users to grant anything, I just want them to click a button and relax. What I want to do should be easier than the standard auth process.
By storing the credentials "refresh token" that grants access to your personal YouTube account they wont need to authorize it. It will automatically connect to your own.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.