After playing with the google API and other video service providers API's I have learned a lot about authentication. oAuth and AuthSub are two methods that google uses to authenticate third party web applications to a user account.
The process may seem messy at first, but once you understand it, it is not too bad. The following image shows the AuthSub process.
- When the web application needs to access a user's Google service, it makes an AuthSub call to Google's Authorization Proxy service.
- The Authorization service responds by serving up an Access Request page. This Google-managed page prompts the user to grant/deny access to their Google service. The user may first be asked to log into their account.
- The user decides whether to grant or deny access to the web application. If the user denies access, they are directed to a Google page rather than back to the web application.
- If the user grants access, the Authorization service redirects the user back to the web application. The redirect contains an authorization token good for one use; it can be exchanged for a long-lived token.
- The web application contacts the Google service with a request, using the authorization token to act as an agent for the user.
- If the Google service recognizes the token, it supplies the requested data.
http://code.google.com/apis/accounts/docs/AuthSub.html#AuthProcess
When you would request to be authenticated and the user signs in to his/her google account, before he/she grants your application permission to do stuff in their account, and if your domain has not been register with google, the user will get a nasty red box telling them to be careful because the app they are about to give access to is not registered with them.
The advantages about these methods over the old school username and password are (in my opinion) the following:
- Enhanced security for the user: The user won't have to give you their user name and password, they have to log in to google and you will get an access token that you will use to make any further API calls. The user can revoke access to your application from inside google if they want to.
- The process may give the user the assurance that your app is "Legit". If a user has to go through google to log in and allow your app, it may look good if your domain has been registered with google.
- The token can be promoted to a session token: This means that you do not have to ask the user to log in every time you need to request access to the google user account, just use the session token (that you must securely save somewhere) and you are done.
- Once you understand the process it is quite simple to authenticate users.
- (unverified) If the user changes their password, you don't have to update the security token.
- Lastly if you use oAuth you can create an interface that may allow you to easily authenticate users when connecting to other web services such as Vimeo!
With all of these said I guess you can figure out why it would be a bad idea to use username and passwords (which is what the ClientLogin does) to connect to a user account. Other authentication methods allow you to do the same thing (request access) and add a bunch of advantages.
The code on how to authenticate users using AuthSub can be found here, it is pretty much plug n play. just make sure to save the $_SESSION['sessionToken'] to a more permanent location such as a DB.
http://code.google.com/apis/youtube/2.0/developers_guide_php.html#AuthSub_for_Web_Applications