Tuesday, December 11, 2012

ClientLogin using Google Accounts

Long-time readers might remember a blog post from a while back entitled “ClientLogin #FAIL”, in which we covered the myriad ways in which your ClientLogin authorization attempts might result in an error. Even though ClientLogin has been officially deprecated since April 2012, and even though we’ve been recommending that developers switch to OAuth 2 for longer than that, we know there are still a good number of legacy applications out there that rely on ClientLogin.

If you are a developer of such an application, there’s another thing that you (and your users) will need to start watching out for: at some point in the future, we will start requiring that the username parameter passed to ClientLogin (i.e. what’s referred to as the Email= value in the ClientLogin request) correspond to the full email address of the Google Account that’s associated with an underlying YouTube channel. We’ve supported using Google Account email addresses with ClientLogin for many years now, ever since we started linking Google Accounts to YouTube channels, but old habits die hard, and many users still use YouTube usernames.

We haven’t yet determined a date for when we will stop supporting ClientLogin with YouTube usernames, and we will provide additional details once we know more about the timing. However, if you use ClientLogin, it’s not too early to start encouraging your application’s users to provide their Google Account email addresses instead of their YouTube usernames when logging in. If you have the ability to update your existing application’s user interface, we recommend doing so to indicate that the username field should take a Google Account email address. If you have any online help materials or technical support for your software, update them to ensure that users know to provide their Google Account email address.

Users who log in via the YouTube.com web interface, or who go through the AuthSub, OAuth 1, or OAuth 2 web authorization flows will soon be required to use their Google Account email address instead of their YouTube username as well. This web-based transition will take place well before we deprecate YouTube usernames for ClientLogin, and it should be transparent to developers since Google controls the user interface for these flows. For more information, see this help center article.

As mentioned, we’ll have a follow-up post in coming months with more details about exactly when we’ll stop supporting YouTube usernames with ClientLogin. That post will also communicate the exact error message that ClientLogin will return when a YouTube username is used. We’d like to close with one more plea: ClientLogin is deprecated, and is technically inferior to OAuth 2 in a number of important ways. Our new Google APIs client libraries provide first-class OAuth 2 integration that developers can take advantage of in their new code, or back port to their existing code. You will be doing your users a service and making their accounts more secure by transitioning from ClientLogin to OAuth 2.


Update (June 2013): The change mentioned in this blog post is now in effect. Attempts to use ClientLogin with a YouTube username will result in HTTP 403 Forbidden responses, with Error=BadAuthentication in the response body.

Cheers,
Jeff Posnick, YouTube API Team
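
For legacy applications that cannot move off ClientLogin yet, the failure described in the June 2013 update can be turned into a useful prompt for the user. The following is an added example, not code from the original post or from Google's client libraries; the function names, the `LoginResult` type, the hint wording and the sample response bodies are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample bodies in the newline-separated key=value form ClientLogin returns.
SAMPLE_SUCCESS = "SID=constructed-sid\nLSID=constructed-lsid\nAuth=constructed-token==\n"
SAMPLE_FAILURE = "Error=BadAuthentication\n"

@dataclass
class LoginResult:
    ok: bool
    auth_token: Optional[str]   # never write this value to logs
    error: Optional[str]
    user_hint: Optional[str]

def parse_clientlogin_body(body: str) -> dict:
    """Split a ClientLogin response body into a dict of its key=value lines."""
    fields = {}
    for line in body.splitlines():
        # Split on the first '=' only: token values may themselves contain '='.
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value
    return fields

def interpret_response(status: int, body: str, submitted_username: str) -> LoginResult:
    """Map an HTTP status and body to a result, with a hint for the username case."""
    fields = parse_clientlogin_body(body)
    if status == 200 and "Auth" in fields:
        return LoginResult(True, fields["Auth"], None, None)
    error = fields.get("Error", "Unknown")
    hint = None
    if status == 403 and error == "BadAuthentication":
        if "@" not in submitted_username:
            # Not email-shaped: most likely a YouTube username was entered.
            hint = ("Sign in with the full email address of your Google Account, "
                    "not your YouTube username.")
        else:
            # Email-shaped input: the server does not say which credential was wrong.
            hint = "Check your Google Account email address and password."
    return LoginResult(False, None, error, hint)
```

The same `BadAuthentication` error covers a wrong password, so the hint is keyed only on the shape of what the user typed, not on anything the server reveals.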