How to get Google TokenAuth working?

Question

I'm developing a youtube upload application and have some troubles with a specific part of authentication. ClientLogin so far, works and uploads are received by Youtube. However I have to redirect my users logged in to the Youtube-Frontpage. I've noticed that there's a possibility to login to gmail via a url: accounts.google.com/TokenAuth?auth=.... This should be possible in the exact same way for youtube. A login at "gmail" will include the cookies I'd need for youtube login.

However, I'm not getting it to work. Which auth token do I have to use? I tried many, the one provided in the clientlogin response. I queried www.google.com/accounts/IssueAuthToken url (which gives me a token back, but I cannot login with it). For example what I've tried:

https://accounts.google.com/TokenAuth?auth=token-received-by-issueAuthToken&service=youtube&continue=http://youtube.com&source=googletalk

And:

https://accounts.google.com/TokenAuth?auth=token-received-by-issueAuthToken&service=mail&continue=http://mail.google.com/mail&source=googletalk

None of these seem to work. The Clientlogin authentication was done with "service=youtube" - is that the mistake?

I'd appreciate any information that can clarifiy my problem.

Regards, Dennis Fischer

Answer 1

So - well - I got this working finally. It took me some time because there is no real documentation. I'll explain how the requests work, you'll need to do 3 requests:

1st: Do a default clientLogin at google.com/accounts/ClientLogin Provide Email=emailadress&Passwd=Password&service=gaia as data, as well as any other parameter you want to add to clientLogin. You'll receive 3 Tokens, SID, LSID and Auth - you'll need SID and LSID only!

2nd: Do a request to google.com/accounts/IssueAuthToken Add paramters SID="Extracted SID"&LSID="Extracted LSID"&service=gaia to the URL. You'll receive an AuthToken which should start with these characters: "APh-...." If this is not the case your this request failed due to wrong parameters (most likely missing "service=gaia"). This token will be needed in your 3rd request.

3rd: Do a request to google.com/accounts/TokenAuth?auth="token received in step 2"&service="service where you want to authenticate, e.g. mail"&source="for example googletalk"&continue="the url where you're redirected to, this is http://mail.google.com/mail for service mail"

This 3rd request is most likely done in a browser. Congratulations, you logged in a user into his google account with 2-Step Auth. You don't need the "real password", the application specific password is enough to generate these tokens.

Regards, Dennis Fischer