Home > Mobile >  OAuth : remove third party access
OAuth : remove third party access

Time:04-11

I am a student working on a web app that allows users to upload videos to their youtube channel. It is working great, but I would like the users to be able to revoke that access if they want to.

For now, I am only deleting the user's access token from the database, but the app is still showing in the user's Google "Apps with access to your account" page... Is there a way to revoke that access without the user having to manually go to that page and click on the "Remove access" button?

Here is an example of manual access removal. I would simply like to have such a "remove access" button in my web app that would do the same. Is there a way?

Thanks for your help!

CodePudding user response:

Take the access token you have for the user and just send a request to the revoke endpoint. It will remove the users access to your app.

curl -d -X -POST --header "Content-type:application/x-www-form-urlencoded" \
        https://oauth2.googleapis.com/revoke?token={token}

Assuming you are using the Google api .net client library there should be a revoke method already

 UserCredential cred = await GoogleWebAuthorizationBroker.AuthorizeAsync(
            Helper.GetClientSecretStream(), new string[] { "email" },
            "user", default, new NullDataStore());
        Assert.NotNull(cred);
        var accessToken = await cred.GetAccessTokenForRequestAsync();
        using (var f = new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
        {
            ClientSecretsStream = Helper.GetClientSecretStream()
        }))
        {
            // Succeeds if no exception is thrown.
            await f.RevokeTokenAsync("a-user", accessToken, default);
            // Cannot verify revocation, as it takes in indeterminate duration to propagate.
        }
  • Related