google-api-java-client
Add Revoke Access Token Feature to the API
According to section III.D.2.c in the YouTube API Services - Developer Policies, a program that uses the API must be able to programmatically revoke the access token to a user's channel. However, I am not able to find support for revoking access using the API. It took me a long time to find any documentation that shows how it can be done, and it is at the very bottom of the page OAuth 2.0 for Mobile & Desktop Apps and shows an example using curl to HTTP POST the token to a specific URL.
If it were not for the "programmatically" part, we could just open the Google security settings page in the user's default browser (easy using java.awt.Desktop) and let the user revoke it. The example of revoking linked above shows it can be done but leaves multiple challenges to all API users.
- Find that page in the first place.
- curl is a command-line tool and not something built into Java, so we need to find out how to make HTTP requests in Java.
- The URL shown in the example makes it look like it is an HTTP GET, but because of the "Content-type:application/x-www-form-urlencoded" header it is in fact a POST request. It will make many developers confused before they figure that out, and then it's probably more trouble to construct a POST request than a GET using what they found to solve the point above.
- I am doing everything else so far using the Java API and have not needed to dig up the actual token and do requests directly against YouTube. I am sure it can be retrieved in some way...
I think one of the purposes of the Java API is so we developers do not need to think about the token or manually build requests.
I have tried searching through the entire API for a revoke feature, and the only thing I found is the comment "// We were unable to get a new access token (e.g. it may have been revoked)".
I think it should work something like this, where the focus is on what happens afterwards:
```java
public void onRevokeAccessClicked(ActionEvent actionEvent) {
    try {
        Credential creds = getAuthorizedUser();
        boolean status = creds.RevokeAccess();
        if (status) {
            // change program state to "no user signed in"
            // delete some stuff
        } else {
            // handle failure
        }
    } catch (RevokeAccessException e) {
        // handle failure
    }
    actionEvent.consume();
}
```
compared to this, where the majority of the work is to send the request:
```java
public void onRevokeAccessClicked(ActionEvent actionEvent) {
    try {
        // extract token
        // construct http client
        // send request
        boolean status = false; // parse response
        if (status) {
            // change program state to "no user signed in"
            // delete some stuff
        } else {
            // handle failure
        }
    } catch (Exception e) {
        // handle failure
    }
    actionEvent.consume();
}
```
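For reference, the manual POST the issue describes can be written with the JDK 11+ HTTP client alone. This is an added example, not code from the issue author or from google-api-java-client; the class name `TokenRevoker` and its `revoke` method are hypothetical, and the endpoint is the one given in Google's OAuth 2.0 documentation.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;

/** Hypothetical helper, not part of google-api-java-client. */
public final class TokenRevoker {
    // Revocation endpoint from Google's OAuth 2.0 documentation.
    private static final URI REVOKE_URI = URI.create("https://oauth2.googleapis.com/revoke");

    private final HttpClient http = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(10))
            .build();

    /**
     * Revokes an access or refresh token, e.g. the value of
     * Credential.getRefreshToken() or Credential.getAccessToken().
     * Returns true on HTTP 200; Google answers errors with HTTP 400.
     */
    public boolean revoke(String token) throws IOException, InterruptedException {
        if (token == null || token.isBlank()) {
            throw new IllegalArgumentException("no token to revoke");
        }
        // The token goes in the form body, so it stays out of URLs and access logs.
        String form = "token=" + URLEncoder.encode(token, StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder(REVOKE_URI)
                .timeout(Duration.ofSeconds(15))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        // discarding() avoids buffering a response body we never read.
        HttpResponse<Void> response = http.send(request, HttpResponse.BodyHandlers.discarding());
        return response.statusCode() == 200;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder: a real run passes the stored token as args[0].
        String token = args.length > 0 ? args[0] : "EXAMPLE-TOKEN-NOT-REAL";
        boolean revoked = new TokenRevoker().revoke(token);
        // Delete locally stored credentials only after the server confirms revocation.
        System.out.println(revoked ? "revoked: clear local credential store"
                                   : "not revoked: keep state and report the failure");
    }
}
```

Revoking the refresh token when one exists is the safer choice, since an access token expires on its own while a refresh token keeps working until it is revoked.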