AdWords API and OAuth 2.0

AdWords API & OAuth 2.0
Life after ClientLogin

Google Confidential and Proprietary

Ch-Ch-Ch-Changes

Changes are coming for
authentication of your applications.


How it works today:

1. Your app talks to authentication servers (blah blah blah)
a. Your app gets an access token (AuthToken)

2. Your app talks to the AdWords API servers
a. Passes in Developer Key and access token
b. Your app has to periodically re-authenticate.

Today: blah blah blah is called ClientLogin


How it will work in the new world:

1. Your app talks to authentication servers (wah wah wah)
a. Your app gets an access token.

2. Your app talks to the AdWords API servers
a. Passes in Developer Key and access token
b. Your app has to periodically re-authenticate.

New: wah wah wah is done with OAuth 2.0


DON'T PANIC!

● This shouldn't be a big deal for you.

● Will improve the security of your applications and data.


What's wrong with ClientLogin?

● Exposes username/passwords for MCC and client
accounts.

● AuthTokens duration 2 weeks
○ No way to revoke issued tokens

● Sunset by 2015
○ Might be sooner
○ Deprecated since last year


Why OAuth 2.0?

● OAuth 2.0 More secure
○ Does not expose password/username
○ Only exchange OAuth tokens
● More specific access control
○ Tokens can have restricted scope on data
○ Can easily revoke a token
○ Reduced impact if token compromised
● No CAPTCHA challenges.
● Have learned a lot from the mess of OAuth 1.0


Using OAuth 2.0

Your Key Steps

1. Registering the OAuth application

2. Authenticating to get access token (AuthToken) and refresh token.

3. Call the AdWords API with the access token.

4. Handle token expiration.


Using OAuth 2.0

Step 1: Registering

Go to:
https://code.google.com/apis/console
and create a new project


Google APIs Console


Using OAuth 2.0


Using OAuth 2.0

Step 2: Coding for OAuth 2.0

● Are you using the client libraries?
● Most are already up to date
○ Ruby
○ Java (new)
○ .NET
○ Python
○ Perl
● Rest will be coming soon


Using OAuth 2.0

Step 2: Coding by Hand

1. Send a request to the Google Authorization Server, with:
a. what you want access to - https://adwords.google.
com/api/adwords
b. and the client_id and the client_secret

2. Next step requires actual user interact with a Google webpage, that
allows you to:
a. login with your MCC or client account credentials
b. authorize access to the given scope

3. This returns the accessToken and refreshToken to your app


Step 2: How to use the tokens returned

accessToken

● Access for ~ 1 hour

● Then expires



accessToken refreshToken

● Access for ~ 1 hour ● Regenerates accessTokens
● No user interaction required
● Then expires



accessToken refreshToken

● Access for ~ 1 hour ● Regenerates accessTokens
● No user interaction required
● Then expires
● Be sure to store it


Step 2 (by hand): Let's look at some code

(This code is available on the web, so don't worry if you
can't follow it all now.)
http://goo.gl/s6nmR


Sample code - authorize()
public Credential authorize() throws Exception {
// set up file credential store to save/load tokens
FileCredentialStore credentialStore =
new FileCredentialStore(
new File("~/Desktop/oauth.json"),JSON_FACTORY);
// set up authorization code flow
...

// actually authorize
...
}


FileCredentialStore credentialStore =
new FileCredentialStore(
new File("~/Desktop/oauth.json"),JSON_FACTORY);

GoogleAuthorizationCodeFlow flow = new
GoogleAuthorizationCodeFlow
.Builder(HTTP_TRANSPORT, JSON_FACTORY,
CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
.setCredentialStore(credentialStore)
.build();

...
}

...

GoogleAuthorizationCodeFlow flow = new
GoogleAuthorizationCodeFlow
.Builder(HTTP_TRANSPORT, JSON_FACTORY,
CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
.setCredentialStore(credentialStore)
.build();

return new AuthorizationCodeInstalledApp(
flow, new LocalServerReceiver())
.authorize("user");
}

Sample code - connect()
// Construct AdWordsSession object
AdWordsSession session =
new AdWordsSession
.Builder()
.fromFile()
.withOAuth2Credential(credential)
.build();

// Construct AdWordsServices object
AdWordsServices adWordsServices = new AdWordsServices();


Futher Info

Authentication Flows: You've got choices

● Web Server Flow
○ Consent: Browser for consent
○ Response: Redirects user to callback endpoint

● Installed App Flow
○ Consent: URL provided - user pastes into browser
○ Response: Display code - user paste into app
OR
○ Consent: URL Provided - in app browser
○ Response: Captures code - app returns to auth server

User Interaction | Programmatic


Further Info

OAuth 2.0 Best Practices

● Use the refreshToken only on accessToken expiry

● Store the refreshToken for re-use
○ To reduce user interaction

● Officially clientCustomerId needed only for reports
○ Recommended for all


Coding by Hand: Handling Expired Tokens

● What? I need to handle token expirations?

● Theoretically, you should be able to restart requests
today!
○ ClientLogin auth tokens can time out.
○ Server calls can fail in a way that suggest you should
retry.


Further Info

Coding by Hand: Error Handling

● Error: AuthenticationError.OAUTH_TOKEN_INVALID
○ On: accessToken expired
○ Resolution: use refreshToken

● Error: AuthenticationError.INVALID_GRANT_ERROR
○ On: accessToken revoked
○ Resolution: re-auth app with user consent


Summary

● Change is coming

● Shouldn't be a big deal

○ Will actually improve your app security

● Client library users should be ready to go now or soon.


Resources

Docs Links:

https://developers.google.com/accounts/docs/OAuth2

Register app, get client_id & client_secret:

https://code.google.com/apis/console

Java Sample Code:

http://goo.gl/s6nmR


AdWords API and OAuth 2.0

More Related Content

Similar to AdWords API and OAuth 2.0 (20)

More from marcwan (20)

Recently uploaded (20)

AdWords API and OAuth 2.0