YouTube: Best Practices for User Authentication

By now, many of you have seen our recent announcement regarding 2-step verification for Google Accounts. It’s an optional way of protecting your Google Account from unauthorized access, providing a level of security beyond that of a password alone. The initial announcement did not detail the impact enabling 2-step verification has on programmatic account access from code written against one of Google’s official APIs. We want to go into some more detail regarding the implications of 2-step verification on various authentication (and authorization) techniques, and offer best practices that you as a developer should follow.

There are three forms of authentication supported by almost all of Google’s APIs. AuthSub and OAuth (either version 1 or the newer OAuth 2) are similar web-based authentication mechanisms in which the user logs in on a web page hosted by Google. The other approach to authentication, ClientLogin, relies on your application soliciting the user’s account address and password, and then sending that information to Google.

If your code uses AuthSub or OAuth, then you don’t have to do anything special to accommodate users who have opted-in to 2-step verification. The web-based login flow currently allows users to enter both their normal passwords as well as the additional verification code, and this extra step is transparent to you as the developer.

ClientLogin, however, does not fare as well for accounts that have 2-step verification enabled. There is no concept of an additional verification code in the ClientLogin process, and a user’s account address and password are no longer sufficient for authenticating them once 2-step verification is turned on. If you make a ClientLogin authentication request for such an account, you’ll get back an HTTP 403 error response from our servers with the following error included in the response body:


Error=BadAuthentication
Info=InvalidSecondFactor

There are two solutions to these failed ClientLogin attempts. The first solution, which does not require changing any existing code, is to ask your users to generate an application-specific password and to provide that, instead of their Google Account passwords, when making your ClientLogin request. You can point your users to this article for a full explanation of how application-specific passwords work.

The second, and recommended, solution requires some work on your part as a developer: moving away from ClientLogin completely, in favor of OAuth 2. If your code runs as part of a web application, then OAuth 2’s web-based login flow is trivial to integrate. Even applications that are installed on a user’s computer or other device can leverage OAuth 2, though. This guide explains how to launch a web browser to handle the login process, and then redirect control back to your application.
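As an added illustration (not code from the original post or from Google), the following sketch shows how a client could tell the 2-step verification failure described above apart from an ordinary bad password, so that it stops re-prompting for the account password and instead offers the two solutions. The function names, the `next` action labels and the sample bodies are constructed for this example; the `Auth=` success field is assumed from the ClientLogin response format and does not appear on this page.

```javascript
// Added example: classify a ClientLogin HTTP response (hypothetical helper names).
// ClientLogin response bodies are newline-separated Key=Value pairs.
function parseKeyValueBody(body) {
  const fields = new Map(); // a Map avoids surprises from keys such as "__proto__"
  for (const line of String(body).split(/\r?\n/)) {
    const eq = line.indexOf('=');
    if (eq <= 0) continue; // skip blank or malformed lines
    fields.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return fields;
}

function classifyClientLogin(status, body) {
  const fields = parseKeyValueBody(body);
  // Assumption: a successful response carries the token in an Auth= field.
  if (status === 200 && fields.has('Auth')) {
    return { outcome: 'ok', token: fields.get('Auth'), next: [] };
  }
  if (status === 403 && fields.get('Error') === 'BadAuthentication') {
    if (fields.get('Info') === 'InvalidSecondFactor') {
      // The account password can never succeed here, so do not ask for it again.
      return {
        outcome: 'second_factor_required',
        next: ['ask_for_application_specific_password', 'start_oauth2_flow'],
      };
    }
    return { outcome: 'bad_credentials', next: ['reprompt_credentials'] };
  }
  return { outcome: 'error', code: fields.get('Error') || null, next: [] };
}

// Constructed sample bodies for the cases above.
const SAMPLE_SECOND_FACTOR = 'Error=BadAuthentication\nInfo=InvalidSecondFactor\n';
const SAMPLE_BAD_PASSWORD = 'Error=BadAuthentication\n';
const SAMPLE_SUCCESS = 'SID=constructed-sid\nLSID=constructed-lsid\nAuth=constructed-token\n';

console.log(classifyClientLogin(403, SAMPLE_SECOND_FACTOR).outcome);
console.log(classifyClientLogin(403, SAMPLE_BAD_PASSWORD).outcome);
console.log(classifyClientLogin(200, SAMPLE_SUCCESS).outcome);
```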

While it may take some effort to migrate your code away from ClientLogin, your users will be grateful that you did. Even those who haven’t enabled 2-step verification will benefit from entering their credentials on a web page accessed via HTTPS and hosted by Google, as opposed to sharing their password information directly with your third party code.

By Jeffrey Posnick, Google Developer Relations

Coming soon: The YouTube Symphony Orchestra 2011 Grand Finale live

What began with auditions from around the world uploaded to YouTube, millions of video views, and hours of rehearsals, finally comes to life this Sunday, March 20. It has been an extraordinary experience for the 101 winning musicians of the YouTube Symphony Orchestra, and in just a couple of days their collaborative experience will come to life at Sydney Opera House.

Here’s a preview of what’s to come:

The week-long YouTube Symphony Orchestra 2011 festival includes musical collaboration between orchestra members and world-class mentors, outdoor performances, local Aussie experiences, ensemble concerts and more. In just a few days, the creativity and technology that have powered this journey will literally light up Sydney Opera House—with animated visuals on the interior and exterior projections on the iconic sails, all synchronised to the music of the YouTube Symphony Orchestra 2011’s performance.

You’re invited to experience this wonderful event, whether you’re inside Sydney Opera House, out around Sydney Harbour, or watching from your computer elsewhere in the world. The Grand Finale will be live-streamed on youtube.com/symphony beginning at 8:00pm Australian Eastern Standard time, and rebroadcast until the concert performance is uploaded in full, so tune in on Sunday, March 20.

Posted by Ernesto Soriano III, YouTube Australia

YouTube Highlights 3/3/2011

David Cameron and John Boehner on YouTube
In YouTube World View’s second interview, YouTube and Al Jazeera English sat down with British Prime Minister David Cameron. Ten thousand people submitted questions, and in the interview, the Prime Minister shared his thoughts on what should be done in Libya, and talked about increased taxes for banks in the U.K. and Britain’s role in Afghanistan.

And as the budget debate rages on the U.S. Capitol Hill, we asked viewers from across the U.S. and around the world to submit questions to Speaker of the House John Boehner (R-OH). The final interview will be posted to YouTube on Friday, March 4.

We’ll have another interview in the coming weeks—check YouTube World View for more details soon.

Join us on YouTube for Carnaval in Brazil
An estimated 100 million people travel to Brazil each year to experience Carnaval, the iconic celebration on the streets of Salvador, Bahia. This year, you can join the festivities on the Carnaval YouTube channel via computer or mobile phone. Watch live feeds of Salvador’s multi-day street fest from Thursday, March 3 through Tuesday, March 8. If you’re lucky enough to be there in person, find out how to buy a pass to Google’s street-side camarote (cabin) at the celebration at www.youtube.com/carnaval.

February’s “On The Rise” winner
After tens of thousands of votes, D-trix from theDOMINICshow has been named February’s “On The Rise” contest winner. He beat out tornado chasers, graphic artists and pop stars for the honor. When D-trix isn’t spoofing Justin Bieber, he’s dancing or teaching people how to rap. Congratulations!

Making YouTube seven times faster
To help you better enjoy all the great content that’s uploaded to YouTube every minute, we recently increased speed for uploads and playback. Google’s cloud computing capabilities help us process videos in chunks on different machines—making our video-processing seven times faster than in 2008.

Ad Blitz winner
Super Bowl ads are always a big draw of the game. This year, we added Super Bowl spots to the Ad Blitz gallery so you could vote for your favorites. More than 2.7 million votes were cast, and 3.5 million views took place on mobile devices. This year’s winner, Chrysler, was featured on the YouTube masthead for the Saturday following the game.

This week’s trends on YouTube
Here are a few recent highlights from YouTube Trends:

Posted by Serena Satyasai, Marketing Manager, The YouTube Team

HTTPS Support for YouTube Embeds

HTTPS, the secure counterpart to HTTP, wraps a layer of encryption around the information traveling between your computer and a web server. YouTube already uses HTTPS to encrypt sensitive data during the account login process. Now we’re planning a gradual expansion of HTTPS across other aspects of the site. The first place you may see HTTPS YouTube URLs is in our various embed codes, all of which currently support HTTPS in addition to the standard HTTP. Anyone can try HTTPS with YouTube embeds today—simply change the protocol portion of the URL from http to https. For example, http://www.youtube.com/embed/Zhawgd0REhA becomes https://www.youtube.com/embed/Zhawgd0REhA. This applies to URLs found in our newer <iframe> embeds as well as our older-style <object> + <embed> codes.

If any of your existing code attempts to parse YouTube embed URLs that are entered by end-users, it’s important that you support both HTTP and HTTPS as the URL’s protocol across all the varieties of YouTube embed codes.

Most web browsers will warn users when they access web pages via HTTPS that contain embedded content loaded via HTTP. If your main site is currently accessed via HTTPS, using the new HTTPS URLs for your YouTube embeds will prevent your users from running into that warning. If your site can be accessed either via HTTP or HTTPS, you could employ protocol-relative URLs instead of hardcoding a value; //www.youtube.com/ will automatically resolve to HTTP or HTTPS depending on the protocol used by the host page.
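One way to parse user-entered embed URLs so that HTTP, HTTPS and protocol-relative forms are all accepted, while anything that is not a YouTube embed is rejected (an added example, not code from the original post). The `/v/` path for older-style embeds, the 11-character video ID pattern, the host allowlist and the function name are assumptions of this example.

```javascript
// Added example: strict parser for user-supplied YouTube embed URLs.
const ALLOWED_HOSTS = new Set(['www.youtube.com', 'youtube.com']);
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Assumptions: /embed/ID is the <iframe> form, /v/ID the older <object>/<embed>
// form, and video IDs are 11 characters from [A-Za-z0-9_-].
const EMBED_PATH = /^\/(embed|v)\/([A-Za-z0-9_-]{11})$/;

function parseYouTubeEmbedUrl(input) {
  if (typeof input !== 'string') return null;
  const trimmed = input.trim();
  // Accept only http://, https:// or protocol-relative // prefixes;
  // this rejects javascript:, data: and relative paths up front.
  if (!/^(https?:)?\/\//i.test(trimmed)) return null;
  let url;
  try {
    // The base only supplies a scheme for protocol-relative input.
    url = new URL(trimmed, 'https://base.invalid/');
  } catch (err) {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  // Reject userinfo and explicit ports (e.g. https://www.youtube.com@other.example/).
  if (url.username || url.password || url.port) return null;
  // Compare the parsed hostname exactly; never substring-match the raw string.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  const match = EMBED_PATH.exec(url.pathname);
  if (!match) return null;
  return {
    videoId: match[2],
    style: match[1] === 'embed' ? 'iframe' : 'object',
    scheme: trimmed.startsWith('//') ? 'protocol-relative' : url.protocol.slice(0, -1),
    // Re-emit a canonical HTTPS URL instead of echoing user input into the page.
    httpsUrl: 'https://www.youtube.com/embed/' + match[2],
  };
}

// Constructed inputs: the first two are the URLs from the text above.
const SAMPLES = [
  'http://www.youtube.com/embed/Zhawgd0REhA',
  'https://www.youtube.com/embed/Zhawgd0REhA',
  '//www.youtube.com/embed/Zhawgd0REhA',
  'http://www.youtube.com/v/Zhawgd0REhA?version=3',
  'https://www.youtube.com@other.example/embed/Zhawgd0REhA',
  'https://www.youtube.com.other.example/embed/Zhawgd0REhA',
];
for (const s of SAMPLES) {
  console.log(s, '=>', JSON.stringify(parseYouTubeEmbedUrl(s)));
}
```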

It’s very important to note that this is just a first step in enabling HTTPS for the entire YouTube viewing experience. In particular, only the YouTube player code is accessible via HTTPS at this time. The actual video bitstream, and some additional content loaded by the YouTube player may still be accessed via standard HTTP connections when you use an HTTPS URL in your embed code. Also note that HTTPS remains optional for YouTube embeds; we have no plans to turn off support for the HTTP URLs.

If you have any comments or questions about this change, please let us know in the YouTube API developer’s forum.

Cheers,
–Jeff Posnick, YouTube API Team

YouTube Captions Uploader Web App

Captions can greatly enhance the experience of viewing a YouTube video, and the YouTube API has offered developers ways to upload and retrieve caption data in authorized requests for a while now. However, the various YouTube API client libraries don’t natively support interacting with captions at this time, and writing your own code for uploading or retrieving captions can be challenging.

With that in mind, we’re happy to announce the YouTube Captions Uploader open source project on Google Code, which provides real-world code for uploading captions to YouTube. The code is written for the Java App Engine environment, and it uses some nifty new App Engine features like the Channel API, the Blobstore Service, and Task Queues. And even if you’re not an App Engine developer, we hope that the code that interacts with the YouTube API’s captions service will provide a good starting point for writing your own code.

In addition to open sourcing the code for this project, we’re also running the code itself on a public App Engine instance, http://yt-captions-uploader.appspot.com/. So, even if you’re not a developer, you can still use the application to upload captions for videos in your YouTube account.

Please share your comments or feedback via the project’s issue tracker. We hope that you find it useful both as a standalone web application and as a starting point for writing your own code!

Cheers,
—Jeff Posnick, YouTube API Team

YouTube Comment Threading

YouTube has a new option that lets you group comments and their replies. It’s called “sort by thread” and it’s only available if you click “see all” next to the number of comments. The option is useful if you read a reply to a comment, but you can’t find the initial comment. Here’s an example.

Sterling, a reader who noticed this feature, says that “the comments on YouTube are a mess, so confusing, but it looks like YouTube is testing threaded comments on the site. I wish this feature was in the watchpage, but it only shows up in the All comments page.”


{ Thanks, Sterling. }

YouTube: Introducing JavaScript Player API for iframe embeds

If you have been enjoying our embed announced back in July, we have some good news for you. Starting today, the <iframe> embed code is the default way to share videos on YouTube.com. We are also introducing an initial beta version of the <iframe> embed JavaScript Player API, making it a viable alternative for developers who previously used the API exposed by the ActionScript players. Let’s look at an example of the API usage:

<!DOCTYPE HTML>
<html>
<body>
  <!-- The API replaces this element with the player <iframe>. -->
  <div id="player"></div>
  <script>
    // Load the player API asynchronously.
    var tag = document.createElement('script');
    tag.src = "http://www.youtube.com/player_api";
    var firstScriptTag = document.getElementsByTagName('script')[0];
    firstScriptTag.parentNode.insertBefore(tag, firstScriptTag);

    var done = false;
    var player;

    // Called by the API script once it has finished loading.
    function onYouTubePlayerAPIReady() {
      player = new YT.Player('player', {
        height: '390',
        width: '640',
        videoId: 'JW5meKfy3fY',
        events: {
          'onReady': onPlayerReady,
          'onStateChange': onPlayerStateChange
        }
      });
    }

    // Start playback as soon as the player is ready.
    function onPlayerReady(evt) {
      evt.target.playVideo();
    }

    // The first time the video starts playing, schedule a stop after 6 seconds.
    function onPlayerStateChange(evt) {
      if (evt.data == YT.PlayerState.PLAYING && !done) {
        setTimeout(stopVideo, 6000);
        done = true;
      }
    }

    function stopVideo() {
      player.stopVideo();
    }
  </script>
</body>
</html>

This example will play a video for several seconds and then stop playback. An instance of YT.Player is used to control the player, defined by script loaded from http://www.youtube.com/player_api. For more information about the API usage, as always, please consult our Player API documentation and let us know what you think on our Developer Forum.

Cheers,
-Jarek Wilkiewicz, on behalf of the YouTube Player Team

YouTube Highlights 1/20/11

Music videos now on YouTube app for Android
We’ve welcomed VEVO’s extensive library of official music videos from artists like Lady Gaga, Rihanna, Kanye West and U2 onto the YouTube 2.0 app for Android, available for mobile phones running Android 2.2 (Froyo). Enjoy!

Broken Social Scene goes live on YouTube
Earlier this week, Canada’s indie rock collective Broken Social Scene kicked off their Winter 2011 tour with a live performance at NYC’s Terminal 5. You can still catch the show on http://www.youtube.com/bowerypresents.

Your window into the 112th U.S. Congress
John Boehner, the new Speaker of the United States House, and House Oversight Committee Chairman Darrell Issa are making the activities of the House of Representatives more accessible to U.S. citizens via YouTube. Starting in this 112th Congress, all committee hearings of the House Oversight committee will be available on YouTube, on a new channel called HouseResourceOrg. This was made possible via a Google Project 10^100 grant made to Carl Malamud at PublicResource.org, who will be working with the House to access and upload all of the hearings that the Oversight Committee holds.

Meet the YouTube Symphony Orchestra 2011
The new members of the YouTube Symphony Orchestra 2011 have been selected: 101 people from more than 30 countries around the world are heading to Sydney Opera House to rehearse together for the first time under the conductorship of Michael Tilson Thomas. Come meet the winners and stay tuned for the final performance on Sunday, March 20, which will be streamed live to the world on YouTube.

A sneak peek at “Life in a Day”
In anticipation of the world premiere of “Life in a Day,” at the 2011 Sundance Film Festival next week, we’re releasing a series of clips between now and then. Life in a Day is a documentary film directed by Oscar-winner Kevin Macdonald, produced by Ridley Scott, and filmed on July 24, 2010 by thousands of YouTube users around the world. Watch the first teaser below.

Looking back at the best YouTube ads of 2010
2010 was a breakout year for online video advertising. Earning people’s attention has become ever more challenging—but that’s only making advertising more fun. Old Spice’s “The Man Your Man Could Smell Like” was ranked number one among YouTube ads in an informal poll of the YouTube advertising team and reporters in the industry. Find out what other ads topped last year’s list.

Until next time, visit the YouTube Blog for news and updates.

Posted by Serena Satyasai, Marketing Manager, The YouTube Team

New YouTube Homepage

Last month, YouTube tested a new homepage with many useful features. The new homepage is now available to everyone. The list of new features hasn’t changed, even though some of them have been slightly tweaked:

* Combined list – Merges your subscriptions, friend activity, and recommendations into one easier-to-scan list
* Don’t miss a video – If a channel uploads 4 videos in a day, you’ll see all 4 – instead of just the latest video
* Delete anything – Hover over any video you don’t want to watch and click ‘x’
* Or just grey it out – Videos you’ve already watched will be greyed out – so even without deleting, you’ll know where you left off
* Help me re-find stuff I just watched – Your homepage will include your recent likes and favorites so you can easily get back to them
* Easy inbox – Links to your inbox (personal messages & comments) are front and center
* Load much more – Watch older videos – all without leaving the homepage


If you don’t like the combined view, click on “subscription uploads” at the top of the page to only see the latest videos from your favorite channels. Unfortunately, the homepage is no longer customizable, so you can’t hide the sections you don’t use.

YouTube’s HTML5 Rickrolling

YouTube’s HTML5 interface has a very cool feature: if you right-click on a video, you’ll no longer see the boring contextual menu displayed by the browser that added uninteresting features like downloading videos. Instead, you’ll get a much more useful menu that sends you to Rick Astley’s “Never Gonna Give You Up” video.

Some would say that this trick reminds them of the sites that annoyed users by disabling browser features like the contextual menu so that people can’t save an image or copy some text. But that’s not what happens here: YouTube’s terms of use forbid users from downloading videos and the new menu solves this issue by offering a better option. After all, why download a video when you can listen to Rick Astley’s fabulous song?


There are at least two uncivil browsers (Firefox and Opera) that treat videos just like images and allow users to right-click on a video and download it. Firefox even lets you disable custom contextual menus for all sites, while Opera provides more granular options. There’s even a developer that breached YouTube’s terms of use by creating a Greasemonkey script with a strange name: Youtube HTML5 Beta “Save Video As” Unrickroller. Apparently, he lost his sense of humor or he’s not a Rick Astley fan.

I’m not going to use any of these features and I’ll switch to Internet Explorer, a browser that doesn’t offer a download option for videos (mostly because it doesn’t support HTML5 videos). Whenever I want to download a YouTube video, I’ll ignore all those scripts and tricks and I’ll read YouTube’s terms of use, while listening to Rick Astley’s song. They’re a perfect match.

“… You know the rules and so do I …”