0

On my site, I want to be able to retrieve whether my own YouTube account goes live. After looking around, I found this endpoint:

GET https://www.googleapis.com/youtube/v3/liveBroadcasts,

that would help me do just that. However, the main problem I found is that it requires an OAuth2 token, and the only way I could find to generate one was going through the whole Login with Google approach.

My main problem is that I want anyone who visits my site to be able to see whether I'm live or not. I'm not looking for workarounds or using web crawlers either - I want to be able to use this specific endpoint. Is that even possible?

In other words, is it possible to get my own access token manually, and just plug that into the API request to access the endpoint directly? Or is this just impossible?

stvar
ENBYSS
  • I do not work with the YouTube API. Using a service account should meet your requirements. https://developers.google.com/youtube/v3/guides/auth/server-side-web-apps – John Hanley Sep 12 '21 at 02:40
  • Unfortunately, by Google's design, @John Hanley, [YouTube Data API does not work with service account](https://stackoverflow.com/a/64388641/8327971). – stvar Sep 12 '21 at 08:51
  • @stvar - Can you comment on this from my link: ***YouTube Data API supports the service account flow only for YouTube content owners that own and manage multiple YouTube channels***. I know Google OAuth well but not the YouTube API. – John Hanley Sep 12 '21 at 08:58
  • @John Hanley: Indeed, [your quote is valid](https://developers.google.com/youtube/v3/guides/auth/server-side-web-apps), but content owners encompass an entirely different use-case of YouTube Data API. And, unfortunately, the official documents do not enlighten it at all. In the past, I have seen SO users trying to employ service accounts with YouTube Data API to no success. – stvar Sep 12 '21 at 09:06

2 Answers

3

The first thing to know about YouTube Data API is the following: to issue authorized requests to it, one cannot alleviate authentication through the browser.

You may read the doc OAuth 2.0 Flow: Installed apps for thorough info about the authorization flow on standalone computers.

The doc specifies step 4 -- Handle response from Google -- and step 5 -- Exchange authorization code for refresh and access tokens. By the initial OAuth flow, you get two tokens: a short-lived access token and a refresh token that produces access tokens on demand. Authentication without a browser is not possible, but once you have a refresh token, it can be traded programmatically for access tokens:

  1. Initialization: obtain via browser authentication a refresh token;

  2. Iterations: as many times as needed, query the API for an access token -- without any browser interaction! -- using the refresh token from (1), then proceed further with the call to the target API endpoint (again, without any browser interaction).

Note that the steps (1) and (2) may well be separated such that (1) is executed by a standalone (local) computer that stores the refresh token into a file; later, upon a secure transfer of that file to a different remote computer (e.g. a server that does not have a browser installed), execute (2) on that remote computer, repeatedly as needed (see Using OAuth 2.0 for server-side, standalone scripts).

stvar
  • Ah! So if I'm getting this right, I go through the browser flow to get the Access+Refresh tokens for my account, and then I can store the Refresh token somewhere and just use that from that point on to retrieve tokens right? – ENBYSS Sep 12 '21 at 10:44
  • Yes, that's the way it is. But notice (by reading the quoted spec) that you need your refresh token to be of `offline` type. – stvar Sep 12 '21 at 10:44
  • It worked perfectly! Now I can use the refresh token to just generate access tokens. Thanks! Just gotta make sure I store it securely. – ENBYSS Sep 12 '21 at 14:49
  • One more caveat about refresh tokens: tokens of this kind [*do expire too*](https://stackoverflow.com/a/66476673/8327971). – stvar Sep 12 '21 at 15:20
0

Sounds right:

  1. complete the flow (once) with your own Google account,
  2. cache the token server-side, and
  3. include the API’s response when serving your page.

Pitfalls:

  1. How long are OAuth tokens valid for? (The API will start returning errors if this occurs)
  2. How often will the page be generated vs. what rate-limits does the API have? (You may have to request status at most once per few minutes, and cache the response.)
Adam Smooch
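Step (2) of the first answer combined with the caching advice of the second, as an added example that is not code from either answerer: the server trades the stored refresh token for access tokens at Google's OAuth 2.0 token endpoint and caches the live/offline answer, so visitors only ever receive a boolean. The names `LiveStatus` and `http_json` and the 120-second cache lifetime are assumptions made for this sketch.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"
API_URL = "https://www.googleapis.com/youtube/v3/liveBroadcasts"

def http_json(url, data=None, headers=None):
    """POST form-encoded `data` if given, otherwise GET; return parsed JSON."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class LiveStatus:
    """Hypothetical helper: caches the access token and the live/offline answer."""
    def __init__(self, client_id, client_secret, refresh_token,
                 fetch=http_json, clock=time.monotonic, ttl=120):
        self.creds = {"client_id": client_id, "client_secret": client_secret,
                      "refresh_token": refresh_token, "grant_type": "refresh_token"}
        self.fetch, self.clock, self.ttl = fetch, clock, ttl
        self._token, self._token_exp = None, 0.0
        self._live, self._live_exp = None, 0.0

    def _access_token(self):
        # Trade the refresh token for an access token, with no browser involved.
        now = self.clock()
        if self._token is None or now >= self._token_exp:
            reply = self.fetch(TOKEN_URL, data=self.creds)
            self._token = reply["access_token"]
            # Renew one minute early so a request never carries a stale token.
            self._token_exp = now + reply.get("expires_in", 3600) - 60
        return self._token

    def is_live(self):
        # Visitors only ever receive this boolean; the tokens stay on the server.
        now = self.clock()
        if self._live is None or now >= self._live_exp:
            query = urllib.parse.urlencode({"part": "id", "broadcastStatus": "active"})
            reply = self.fetch(f"{API_URL}?{query}",
                               headers={"Authorization": f"Bearer {self._access_token()}"})
            self._live = bool(reply.get("items"))
            self._live_exp = now + self.ttl
        return self._live
```

Load the client secret and refresh token from the server's environment or secret store, never from anything shipped to the browser. A revoked or expired refresh token makes the token request raise, at which point the browser flow has to be run again.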