Search code examples
oauthgoogle-apiyoutube-apigoogle-oauthgoogle-api-php-client

Upload video to Youtube through API without OAuth everytime

I have a PHP website, say for the purpose of some other users contributing videos to my youtube channel. I have successfully setup OAuth and Google API to upload a video from that website to my youtube channel.

The problem I am facing is, I have to authorize for every session from the website to upload. So when I give the link to someone else and ask them to upload they will not be able to bypass OAuth and upload. (I can't give my credentials).

I went through the PHP documentation for Google OAuth but it wasn't very clear. I am kind of guessing we have to store the token during the initial auth and then use it for further operations, but not able to figure out how exactly to do that. Any help/snippets on how to do this?

Solution

  • The OAuth 2.0 server-side flow, independently from its implementation in the YouTube API, will return two tokens after proper authentication and authorization by the resource owner (= channel owner = you, in this case). These two tokens are:

    1. An access token. It is used to query the API and perform operations (e.g. uploading a video). Access tokens expire over time.
    2. A refresh token. It is solely used to obtain new access tokens when the old one has expired. The refresh token cannot be used to query the API.

    As long as the server application keeps track of at least the refresh token (since it can get new access tokens with it at any time), it is able to query the API without the need for consecutive authorization by the resource owner (until the resource owner manually revokes the application's access to the resource).

    At this point, anybody who is in possession of a valid access token is able to perform operations on behalf of the resource owner (within the scope that he has given his permission). If you want your users to be able to directly upload to your channel from their own machines, you could theoretically provide them with the access and refresh tokens. This procedure has a few downsides, however:

    1. The API cannot distinguish between you and them. If you can do everything, so can they. Everything they do is your responsibility. That is the main reason the tokens are to be considered a secret.
    2. There is only one valid access token per resource owner per application at any time. If one client uses the refresh token, all other clients will find themselves locked-out and have to use the refresh token again, thus again locking out all the others and so forth. This means that operations can only be performed one user at a time.

    The go-to solution is to implement your own authentication mechanism to guard access to your application, which in turn can access your channel. I have no experience with uploading videos with the YouTube Data API v3, so the only way I can think of is that users upload the video to your server which will then forward it to YouTube's upload servers. That of course means that all traffic is routed through your application server, which is obviously not perfect. But that's another matter for another question.