YouTube Engineering and Developers Blog: March 2011

Deprecating Equine-Frame Embedding

Thursday, March 31, 2011

Although equine-frame embedding of YouTube moving pictures was launched with great huzzabulloo a few short months ago, we regret that we can no longer recommend this horsey practice. While playback quality was smashing, bareback riding quality invariably suffered as a result of the large projector apparatus embedded in the horse’s frame.

As an alternative, we suggest a return to the traditional practice of affixing a portrait of your local constable to the mane of your steed for entertainment on-the-go. When your horse gallops, it will look like the officer is dancing the hully-gully.

Thankfully, progress doesn’t halt with a single setback. We are working closely with various motor-car manufactures, and hope to offer a preview of Model T-frame embedding in time for the next World’s Fair!

—Web-logged by Jeffrey Posnick, who does not suggest embedding anything in a horse that you might want back at a later date.

ClientLogin #FAIL

Wednesday, March 30, 2011

The YouTube API supports a number of authentication schemes—AuthSub, OAuth 1 and 2, and ClientLogin—but it’s that last method, ClientLogin, that is in many ways the most problematic. This blog post will cover some of the ways ClientLogin attempts can fail, and when possible, provide ways of working around those failures.

Before we get into that, though, a bit of a public service announcement: given all the ways that things can go wrong when using ClientLogin, please consider using one of the alternative methods of authentication that the YouTube API supports! AuthSub and in particular OAuth 2 are straightforward to implement and aren’t susceptible to the issues that we’ll cover with ClientLogin. Even if you’re writing a small script for personal use, obtaining one long-lived AuthSub or OAuth 2 token and reusing that for authentication is preferable to hardcoding a login name and password for ClientLogin. And just because your code doesn’t have access to a web browser doesn’t mean that ClientLogin is your only option—this guide covers techniques for using OAuth 2 in such scenarios.

With that out of the way, let’s investigate some failures!

Scenario 1: A user with an unlinked YouTube account attempts ClientLogin.
This scenario won’t actually lead to a failure as of right now, but it will in the near future. As was recently announced on the main YouTube blog, all YouTube accounts must be linked to a Google Account or else logins will start fail—the current plan is to disable logins for unlinked accounts towards the end of April. The only workaround is to have your users link their YouTube account to a Google Account. If they login from a web browser, either at www.youtube.com or using AuthSub/OAuth, they’ll be taken through the steps to link accounts. It’s important to note that while we are requiring linked accounts, we will continue to accept either a YouTube username or a Google Account email address as the Email parameter in the ClientLogin request.

Scenario 2: A user who has enabled to OpenID federated sign-in attempts ClientLogin.
Federerated sign-in using OpenID is a new method of authenticating Google Accounts that correspond to email addresses on specific email providers (currently Yahoo! and AOL). It is currently being offered on an opt-in basis, so for the time being, just because someone’s Google Account is associated with an @yahoo.com or @aol.com address does not mean that they are using Federated sign-in. For the users who have opted-in, ClientLogin will no longer work at all. With Federated sign-in, all login requests need to be processed by the identity provider, and Google’s ClientLogin servers cannot relay the credentials to a third-party server on the user’s behalf. Because AuthSub and both versions of OAuth are web-based, users can log in directly on the identity provider’s site and have that redirect back to Google’s servers to issue the appropriate AuthSub or OAuth token. Migrating off of ClientLogin to AuthSub or OAuth is the only way to provide authentication that works with OpenID accounts.

Scernario 3: A user who has enabled 2-step verification attempts ClientLogin.
This scenario, and the reasons why it will result in a failure, is covered in detail in an earlier blog post. The important takeaway is that a user with 2-step verification enabled needs to generate application-specific passwords for each application that requires ClientLogin, and provide that password instead of their normal Google Account password. Alternatively, using AuthSub or OAuth allows you users to log in using their two factor credentials directly, leading to a better user experience.

Scenario 4: A user encounters a CAPTCHA when attempting ClientLogin.
This is not a new failure scenario, but it’s often overlooked by developers who don’t properly handle it. The ClientLogin documentation includes recommendations for how your application should handle CAPTCHA responses from ClientLogin attempts. If you’re using AuthSub or OAuth, your application does not need to worry about logic for handling CAPTCHAs—it’s taken care of for you by the standard AuthSub and OAuth login process.

This may seem like an exhaustive list of failure scenarios, but as we continue to iterate on the login experience for YouTube and Google Accounts, chances are more “gotchas” will crop up in the future. We’ll do our best to keep our developer community informed, but the best way to future-proof your application is to stop using ClientLogin!

Update: A Google I/O 2011 session borrowed this blog post's title and covered similar material (though not YouTube-specific). Check out the ClientLogin #FAIL session's video embedded below:

—Jeffrey Posnick, YouTube API Team

Best Practices for User Authentication

Thursday, March 17, 2011

(Cross-posted from the Google Code blog.)

By now, many of you have seen our recent announcement regarding 2-step verification for Google Accounts. It’s an optional way of protecting your Google Account from unauthorized access, providing a level of security beyond that of a password alone. The initial announcement did not detail the impact enabling 2-step verification has on programmatic account access from code written against one of Google’s official APIs. We want to go into some more detail regarding the implications of 2-step verification on various authentication (and authorization) techniques, and offer best practices that you as a developer should follow.

There are three forms of authentication supported by almost all of Google’s APIs. AuthSub andOAuth (either version 1 or the newer OAuth 2) are similar web-based authentication mechanisms in which the user logs in on a web page hosted by Google. The other approach to authentication, ClientLogin, relies on your application soliciting the user’s account address and password, and then sending that information to Google.

If your code uses AuthSub or OAuth, then you don’t have to do anything special to accommodate users who have opted-in to 2-step verification. The web-based login flow currently allows users to enter both their normal passwords as well as the additional verification code, and this extra step is transparent to you as the developer.

ClientLogin, however, does not fare as well for accounts that have 2-step verification enabled. There is no concept of an additional verification code in the ClientLogin process, and a user’s account address and password are no longer sufficient for authenticating them once 2-step verification is turned on. If you make a ClientLogin authentication request for such an account, you’ll get back an HTTP 403 error response from our servers with the following in error included in the response body:

Error=BadAuthentication Info=InvalidSecondFactor

There are two solutions to these failed ClientLogin attempts. The first solution, which does not require changing any existing code, is to ask your users to generate an application-specific password and to provide that, instead of their Google Account passwords, when making your ClientLogin request. You can point your users to this article for a full explanation of how application-specific passwords work.

The second, and recommended, solution requires some work on your part as a developer: moving away from ClientLogin completely, in favor of OAuth 2. If your code runs as part of a web application, then OAuth 2’s web-based login flow is trivial to integrate. Even applications that are installed on a user’s computer or other device can leverage OAuth 2, though. This guide explains how to launch a web browser to handle the login process, and then redirect control back to your application.

While it may take some effort to migrate your code away from ClientLogin, your users will be grateful that you did. Even those who haven’t enabled 2-step verification will benefit from entering their credentials on a web page accessed via HTTPS and hosted by Google, as opposed to sharing their password information directly with your third party code.

By Jeffrey Posnick, Google Developer Relations

Engineering and Developers Blog

Deprecating Equine-Frame Embedding

ClientLogin #FAIL

Best Practices for User Authentication

Labels

Archive

Feed