I'm building a server-side web app for OAuth that requires access to a YouTube CMS via the YouTube Partner scope.
If that person has access to more then one CMS, the token generated by the OAuth process gives us access to every CMS that they have access to.
I'd like to limit the token's access to a single CMS that the user chooses, similar to them choosing a channel if they have multiple channels. But there does not appear to be a way to have Google's OAuth screen ask for a single CMS. We always end up with a token that gives us access to every CMS they have access to, which is more of a liability than I want.
Is it possible to either alter or influence the OAuth process so Google will ask the user which CMS they want to grant us access to?
It seems the only levers that can be pulled in influencing the behavior of the OAuth process are the authorization parameters. Out access type is offline, granular consent is enabled, and prompt is set to "consent."
Virtually even combination of parameters has been tried, and it doesn't affect the selection screen for granting access.
It is generally not possible to ask for a specific resource through the Google OAuth consent page, so if you want to add further restrictions beyond what the OAuth scope you selected offers, you will have to do the check on your own by calling the YouTube API and maintaining some ACL on your end.