Youtube oAuth promts authorization window every time I make request

Asked 27/12, 2016 at 13:39 Answered 8/5, 2019 at 10:48

Solved oauth oauth-2.0 youtube-api google-oauth youtube-data-api

Here is my work flow for getting access token and refresh token for youtube api. Im generating authorization url with parameters

access_type=offline, response_type=code, redirect_uri=uri, scope=scopes, state=state, client_id=id

from authorization url I´m receiving authentication code, then I´m generating another url to get access_token and refresh_token using code from authorization url with these parameters

code: code, client_id: CLIENT_ID, client_secret: CLIENT_SECRET, redirect_uri: serviceCallback, state: state.callback, grant_type: "authorization_code"

As far as I know user should complete this process only once and then it should be automatic. My problem is that I´m always have to complete authorization and I´m getting always new access_token and refresh_token without forcing it on request.

here is code part where I´m getting authentication url

getAuthUrl: function(scopes, applicationCallback, serviceCallback, siteId,
selectChannel, websiteUrl) {
var requestedClientId = CLIENT_ID;
var scopess =
  "https://www.googleapis.com/auth/yt-analytics.readonly https://www.googleapis.com/auth/youtube.readonly https://www.googleapis.com/auth/userinfo.email " +
  scopes.replace(",", " ");

return "https://accounts.google.com/o/oauth2/auth?" +
  "access_type=offline" +
  "&response_type=code" +
  /*"&approval_prompt=auto" +*/
  "&redirect_uri=" + serviceCallback +
  "&scope=" + scopes +
  "&state=" + JSON.stringify({
    service: NAME,
    callback: applicationCallback,
    scopes: scopes,
    siteId: siteId,
    selectChannel: selectChannel,
    websiteUrl: websiteUrl
  }) +
  "&client_id=" + requestedClientId;
  },

From there Im getting back code and using that code, clientID and clientSecret to get access token and refresh token

getAuthTokens: function(code, state, res, serviceCallback) {
// Google oAuth endpoint
var endpoint = "https://www.googleapis.com/oauth2/v4/token";
const scopes = state.scopes.split(" ");
// Setup request data
var data = {
  code: code,
  client_id: CLIENT_ID,
  client_secret: CLIENT_SECRET,
  redirect_uri: serviceCallback,
  state: state.callback,
  grant_type: "authorization_code"
};


request.post(endpoint).send(data).type('form').set('Accept',
      'application/json').end(function(err, oAuthResponse) {});
    },

I was using wrong endpoint url I changed it to different one to one provided by youtube api documentation and removed state parameter from data variable but still doesnt fix the problem

new endpoint url

var endpoint = "https://accounts.google.com/o/oauth2/token";

I´m really confused right now because I´m not forcing authorization and on google apps section there is my app already authorized and it does not update authorization that means it gives permission only first time and after that when I´m pressing allow it doesn´t do anything. OAuth should check if I have refresh token or not, so my conclusion is that I don´t fully understand how it should work or I´m somehow testing everything on debug or test mode where authorization prompt is automatically forced.

I would be really thankful for any kind of help because I feel like I tried everything.

Panzer answered 27/12, 2016 at 13:39 Comment(1)

you will need to post your code itself. You should only be prompting the user authentication once in your code. Once you have a refresh token you will then be able to use it when ever you like to request a new access token. Your problem probably has to do with the fact that you are requesting access of the user all the time when you don't need to. – Signpost 2/1, 2017 at 8:21

The issue is that the access token that you are using has expired before the next time you use as you have not updated the access token manually using the refresh token.

You need to use the refresh token to update the access token if [ (time you last updated the access token) + (the expiry time) ] has already surpassed.

The concept of refresh tokens is that if an access token is compromised, as it is short-lived, the attacker has a limited time period in which it can be used. Refresh tokens, if compromised, are useless because the attacker requires the client id and client secret in addition to the refresh token in order to gain an access token.

The YouTube API documentation demonstrates the procedure here

By default, the expiry time is around 3 seconds.

This will surely, work in your case.

Commorancy answered 17/1, 2017 at 17:32 Comment(0)

Adding the following parameter to your authentication object may help...depending on your requirements:

prompt: 'none'

This would mean no consent is gained or needed, after an initial authorization to use the app.

Melpomene answered 8/5, 2019 at 10:48 Comment(0)

-1

Go to the my accounts settings of google for this account---> go to connected apps and sites ----> manage apps: Over there can you see the permissions for youtube like this:

Joashus answered 28/12, 2016 at 8:59 Comment(3)

This does not even remotely try to address the question. – Signpost 2/1, 2017 at 8:22

Well it might, since this the place where all the permissions are present for google apps or any third party apps. If the permission is not present here then it has to be added so that it does not keep on repeating asking for permission. – Joashus 3/1, 2017 at 10:18

It adds permissions all I need up there and it does not disappear from there – Panzer 6/1, 2017 at 8:33

Recommended topics

Hot tags