Search code examples
oauthoauth-2.0youtube-apigoogle-oauthyoutube-data-api

Youtube oAuth promts authorization window every time I make request


Here is my work flow for getting access token and refresh token for youtube api. Im generating authorization url with parameters

access_type=offline, response_type=code, redirect_uri=uri, scope=scopes, state=state, client_id=id

from authorization url I´m receiving authentication code, then I´m generating another url to get access_token and refresh_token using code from authorization url with these parameters

code: code, client_id: CLIENT_ID, client_secret: CLIENT_SECRET, redirect_uri: serviceCallback, state: state.callback, grant_type: "authorization_code"

As far as I know user should complete this process only once and then it should be automatic. My problem is that I´m always have to complete authorization and I´m getting always new access_token and refresh_token without forcing it on request.

here is code part where I´m getting authentication url

getAuthUrl: function(scopes, applicationCallback, serviceCallback, siteId,
selectChannel, websiteUrl) {
var requestedClientId = CLIENT_ID;
var scopess =
  "https://www.googleapis.com/auth/yt-analytics.readonly https://www.googleapis.com/auth/youtube.readonly https://www.googleapis.com/auth/userinfo.email " +
  scopes.replace(",", " ");

return "https://accounts.google.com/o/oauth2/auth?" +
  "access_type=offline" +
  "&response_type=code" +
  /*"&approval_prompt=auto" +*/
  "&redirect_uri=" + serviceCallback +
  "&scope=" + scopes +
  "&state=" + JSON.stringify({
    service: NAME,
    callback: applicationCallback,
    scopes: scopes,
    siteId: siteId,
    selectChannel: selectChannel,
    websiteUrl: websiteUrl
  }) +
  "&client_id=" + requestedClientId;
  },

From there Im getting back code and using that code, clientID and clientSecret to get access token and refresh token

getAuthTokens: function(code, state, res, serviceCallback) {
// Google oAuth endpoint
var endpoint = "https://www.googleapis.com/oauth2/v4/token";
const scopes = state.scopes.split(" ");
// Setup request data
var data = {
  code: code,
  client_id: CLIENT_ID,
  client_secret: CLIENT_SECRET,
  redirect_uri: serviceCallback,
  state: state.callback,
  grant_type: "authorization_code"
};


request.post(endpoint).send(data).type('form').set('Accept',
      'application/json').end(function(err, oAuthResponse) {});
    },

I was using wrong endpoint url I changed it to different one to one provided by youtube api documentation and removed state parameter from data variable but still doesnt fix the problem

new endpoint url

var endpoint = "https://accounts.google.com/o/oauth2/token";

I´m really confused right now because I´m not forcing authorization and on google apps section there is my app already authorized and it does not update authorization that means it gives permission only first time and after that when I´m pressing allow it doesn´t do anything. OAuth should check if I have refresh token or not, so my conclusion is that I don´t fully understand how it should work or I´m somehow testing everything on debug or test mode where authorization prompt is automatically forced.

I would be really thankful for any kind of help because I feel like I tried everything.


Solution

  • The issue is that the access token that you are using has expired before the next time you use as you have not updated the access token manually using the refresh token.

    You need to use the refresh token to update the access token if [ (time you last updated the access token) + (the expiry time) ] has already surpassed.

    The concept of refresh tokens is that if an access token is compromised, as it is short-lived, the attacker has a limited time period in which it can be used. Refresh tokens, if compromised, are useless because the attacker requires the client id and client secret in addition to the refresh token in order to gain an access token.

    The YouTube API documentation demonstrates the procedure here

    By default, the expiry time is around 3 seconds.

    This will surely, work in your case.