I just picked up the Google API today to allow some users of our site to upload videos to our own organization YouTube account. I Don't want our users to know our user name and password, but rather give them the option if they want to upload videos to youtube or not. If they choose to do it, they check on a check box and hit the submit button.
I keep seeing over, and over in the Developers guide that ClientLogin, which to me looks like the best option to implement what I want to do, is not a good idea for user authentication in web applications. The "AuthSub for web applications" doesn't seem to be the best mechanism for what I want to implement!
Any ideas on what to do?
Thank you
After playing with the Google API and other video service providers' APIs I have learned a lot about authentication. OAuth and AuthSub are two methods that Google uses to authenticate third party web applications to a user account.
The process may seem messy at first, but once you understand it, it is not too bad. The following image shows the AuthSub process.
http://code.google.com/apis/accounts/docs/AuthSub.html#AuthProcess
When you request to be authenticated and the user signs in to his/her Google account, before he/she grants your application permission to do stuff in their account, if your domain has not been registered with Google, the user will get a nasty red box telling them to be careful because the app they are about to give access to is not registered with Google.
The advantages of these methods over the old school username and password are (in my opinion) the following:
With all of that said I guess you can figure out why it would be a bad idea to use usernames and passwords (which is what ClientLogin does) to connect to a user account. Other authentication methods allow you to do the same thing (request access) and add a bunch of advantages.
The code on how to authenticate users using AuthSub can be found here; it is pretty much plug and play. Just make sure to save the $_SESSION['sessionToken'] to a more permanent location such as a DB.
http://code.google.com/apis/youtube/2.0/developers_guide_php.html#AuthSub_for_Web_Applications
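The AuthSub web flow described in this answer, sketched in Python as an added example (this is not the PHP code linked above, and not Google's own library). The endpoints, the `next`/`scope`/`session`/`secure` parameters and the `Token=` response line are the documented AuthSub ones; the `http_get` transport is injected so the exchange step runs offline, and the YouTube scope URL is assumed.

```python
# Added example: the three AuthSub steps a web app performs. At no point does the
# application see the user's Google password; it only ever holds a scoped token.
from urllib.parse import urlencode, urlparse, parse_qs

AUTHSUB_REQUEST = "https://www.google.com/accounts/AuthSubRequest"
AUTHSUB_SESSION = "https://www.google.com/accounts/AuthSubSessionToken"
YOUTUBE_SCOPE = "http://gdata.youtube.com"  # assumed scope for YouTube uploads


def authsub_request_url(next_url, scope=YOUTUBE_SCOPE, session=True):
    """Step 1: build the URL the user is redirected to. Google renders the login
    and consent page, so the credentials never pass through our site.
    secure=0 because secure (signed) tokens require a registered domain."""
    params = {
        "next": next_url,              # where Google sends the user back to
        "scope": scope,                # the only service the token may touch
        "session": "1" if session else "0",  # ask for an upgradeable token
        "secure": "0",
    }
    return AUTHSUB_REQUEST + "?" + urlencode(params)


def token_from_callback(callback_url):
    """Step 2: Google redirects to `next` with a single-use token in the query."""
    qs = parse_qs(urlparse(callback_url).query)
    tokens = qs.get("token")
    if not tokens:
        raise ValueError("callback carries no AuthSub token")
    return tokens[0]


def exchange_for_session_token(single_use_token, http_get):
    """Step 3: upgrade the single-use token to a long-lived session token.
    `http_get(url, headers) -> str` is a stand-in transport; the real response
    body is line-oriented and contains a `Token=` line."""
    headers = {"Authorization": 'AuthSub token="%s"' % single_use_token}
    body = http_get(AUTHSUB_SESSION, headers)
    for line in body.splitlines():
        if line.startswith("Token="):
            return line[len("Token="):].strip()
    raise ValueError("no Token= line in AuthSubSessionToken response")


def authsub_header(session_token):
    """Header sent with each upload made on the user's behalf. The session token
    (not a password) is what should be persisted in the DB, keyed by your user."""
    return {"Authorization": 'AuthSub token="%s"' % session_token}
```

Because the stored value is a scoped token rather than a password, a compromise of the site exposes only YouTube access that the user can revoke from their Google account.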
ClientLogin is not the preferred mechanism here because your application is forced to handle the login credentials for the user. If the user's identity needs to be established for longer than a session, you'll be forced to store the credentials and this is non-ideal -- compromise of your server would lead to the compromise of Google users. Thus ClientLogin is not the right approach for your application.
Have you looked at Google OAuth? It solves the password handling problem pretty elegantly and is an established standard.