AdWords API & OAuth 2.0, Advanced


Google Inc - All Rights Reserved

AdWords API - Using OAuth 2.0: Advanced usage

Ray Tsang, Google, Inc.; Danial Klimkin, Google, Inc.

Agenda

● Hopefully you are already using OAuth 2.0!

● Issues with unoptimized OAuth 2.0 requests

● Solutions

● Resources


Refresher: OAuth 2.0


ClientLogin is Going Away!

You must migrate to OAuth 2.0 as soon as possible


Why OAuth 2.0?

● Secure
○ Users enter their username/password on Google's own login page
○ The third-party application neither receives nor stores the password
○ Reduced impact if OAuth 2.0 access is compromised: a leaked access token is short-lived, limited to its scopes and revocable, unlike a leaked password

● More control
○ Restrict access via "scopes"
○ The user can revoke access at will

● Standards driven
○ RFC 6749
○ Used by many large service providers, including Google


Already using OAuth 2.0? Great to hear! Watch out for some common issues


Access Token Expiration

Anticipate the possibility that a granted token might no longer work:

○ The access token has expired (see the expires_in value in the token response)
○ The user has revoked access
○ The account has exceeded the number of active tokens allowed for the same application


Refresh Token Expiration

A refresh token expires if it is unused for six months.

There is a limit of 25 refresh tokens per user per application
○ When the limit is exceeded, the oldest refresh token is quietly invalidated
○ There is no user-visible warning: your application needs to handle this

You should only need one refresh token per user: store it and reuse it rather than sending the user through the consent flow again


Common Errors

When an access token has expired or been revoked, the API call fails with one of:

AuthenticationError.OAUTH_TOKEN_INVALID
Cause: access token expired
Resolution: get a new access token with the refresh token

AuthenticationError.INVALID_GRANT_ERROR
Cause: access revoked (the refresh token no longer works)
Resolution: re-authorize via the authorization URL (the consent screen) to obtain a new refresh token


Revoking Access


Rate Limits

There is a rate limit on obtaining access tokens (requests to the token endpoint)

The permitted QPS may change over time based on different conditions

Beware in multi-threaded and/or multi-server environments: if every thread or server refreshes on its own, the number of token requests multiplies

Be ready for it in production!


Multithreaded Environment

[Diagram: one client application with threads 1, 2, ..., N; every thread says "I have a refresh token, I need an access token!"]


Multi-Server / Multi-Process Environment

[Diagram: several client application instances; every one says "I have a refresh token, I need an access token!"]


Put Them Together

[Diagram: several client application instances, each with threads 1, 2, ..., N, all requesting access tokens independently]


What’s Your Platform Like?

.Net


Sharing the access token: sharing is caring


Share the token and the expiration time

● Access token
● Calculated expiration time: Te = T1 + expires_in, where T1 is the time the token was obtained and expires_in is the lifetime in seconds from the token response

[Diagram: clock face showing T1, expires_in and Te]


Use a Singleton

Multithreaded platforms can share data among threads

Must be thread-safe

Use the singleton pattern: one credential object per user, shared by all threads

The Credential object in the Java client library is thread-safe and can be shared


Minimize Access Token Requests

[Diagram: one client application with threads 1, 2, ..., N; thread 1 says "I have a refresh token, I need an access token!", the other threads say "I'll re-use the Credential"]


Handling Expiration

Minimizing the number of initial access token requests is only half the problem

When the access token expires - minimize refresh requests too! Only one thread should refresh; the others wait for, and then reuse, the new token

The Credential object in Java handles expiration for you
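The two resolutions from the Common Errors slide and the thread-sharing described here, as an added example that is not part of the deck and not the Google client library's code. It is in Python because the deck's advice is language-independent (the Java Credential object does the equivalent for you). SharedCredential is a hypothetical stand-in for the Java Credential object; FakeTokenEndpoint and FakeAdWordsApi are constructed stubs standing in for Google's token endpoint and the AdWords API, and the token strings, error reason strings and the authorization URL are illustrative.

```python
"""Sharing one OAuth 2.0 credential across threads and recovering from token errors (added example)."""
import threading
import time

OAUTH_TOKEN_INVALID = "AuthenticationError.OAUTH_TOKEN_INVALID"
INVALID_GRANT_ERROR = "AuthenticationError.INVALID_GRANT_ERROR"

class AuthenticationError(Exception):
    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason

class ReauthorizationRequired(Exception):
    """The refresh token no longer works: send the user back to the consent screen."""

class FakeTokenEndpoint:
    """Constructed stand-in for Google's token endpoint: counts refreshes, can simulate revocation."""
    def __init__(self, revoked=False):
        self.revoked, self.refresh_calls = revoked, 0
        self._lock = threading.Lock()

    def refresh(self, refresh_token):
        with self._lock:
            self.refresh_calls += 1
            n = self.refresh_calls
        time.sleep(0.01)                       # latency, so concurrent callers really overlap
        if self.revoked:
            raise AuthenticationError(INVALID_GRANT_ERROR)
        return {"access_token": "ya29.tok%d" % n, "expires_in": 3600}

class FakeAdWordsApi:
    """Constructed stand-in for the AdWords API: rejects tokens listed as expired."""
    def __init__(self, expired_tokens=()):
        self.expired, self.calls = set(expired_tokens), []

    def get_campaigns(self, access_token):
        self.calls.append(access_token)
        if access_token in self.expired:
            raise AuthenticationError(OAUTH_TOKEN_INVALID)
        return ["Campaign #1", "Campaign #2"]

class SharedCredential:
    """One instance per user, shared by every thread (hypothetical stand-in for Java's Credential)."""
    REFRESH_SKEW = 60      # seconds before Te at which the token is already treated as expired

    def __init__(self, refresh_token, endpoint, access_token=None, expires_in=0, clock=time.time):
        self._refresh_token, self._endpoint, self._clock = refresh_token, endpoint, clock
        self._lock = threading.Lock()
        self._access_token = access_token
        self._expires_at = clock() + expires_in if access_token else 0.0   # Te = T1 + expires_in

    def _stale(self):
        return self._access_token is None or self._clock() >= self._expires_at - self.REFRESH_SKEW

    def get_access_token(self, rejected_token=None):
        """rejected_token: a token the API just refused. It forces a refresh only while it is
        still the current token, so N threads refused at once cause one refresh, not N."""
        if rejected_token is None and not self._stale():
            return self._access_token          # fast path: no lock, no network
        with self._lock:
            # Double-checked: a thread that waited on the lock finds the work already done.
            if self._stale() or self._access_token == rejected_token:
                t1 = self._clock()
                resp = self._endpoint.refresh(self._refresh_token)   # may raise INVALID_GRANT_ERROR
                self._access_token = resp["access_token"]
                self._expires_at = t1 + resp["expires_in"]
            return self._access_token

    def expires_at(self):
        return self._expires_at

def fetch_campaigns(cred, api, auth_url):
    """OAUTH_TOKEN_INVALID -> refresh once and retry; INVALID_GRANT_ERROR -> re-authorize."""
    token = cred.get_access_token()
    try:
        return api.get_campaigns(token)
    except AuthenticationError as e:
        if e.reason != OAUTH_TOKEN_INVALID:
            raise
    try:
        token = cred.get_access_token(rejected_token=token)
    except AuthenticationError as e:
        if e.reason == INVALID_GRANT_ERROR:
            raise ReauthorizationRequired(auth_url) from e
        raise
    return api.get_campaigns(token)            # a second OAUTH_TOKEN_INVALID propagates to the caller

def run_threads(cred, n):
    """n worker threads ask the shared credential for an access token at the same moment."""
    tokens = [None] * n
    def worker(i):
        tokens[i] = cred.get_access_token()
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return tokens
```

Twenty threads calling `run_threads` on a fresh SharedCredential produce one refresh request, not twenty: the first thread to take the lock refreshes, and the others re-check under the lock and reuse its result. The `rejected_token` argument matters for the revoked-early case: the local clock still says the token is valid, so the refresh has to be forced, but only by the first thread whose call failed.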


Use Shared Storage

Use a shared storage
○ In-memory: Memcached, Infinispan, Ehcache, ...
○ Persistent: RDBMS, MongoDB, ...

Store securely! The stored tokens are credentials

Don't forget to check for expiration before using a stored token


Using a Shared Storage

[Diagram: several client applications and one shared storage]

1. Check if an unexpired access token is already in the shared storage
2. If expired, use the refresh token to get an access token
3. Write the credential back to the shared storage
4. Other client applications: check if an unexpired access token is already in the shared storage


Proactive Refresh

Worst case scenario: all processes simultaneously read an expired access token from the shared storage and all of them refresh at once

● Avoid race conditions: let a single process refresh while the others reuse the stored token
● Eagerly refresh stored credentials before they expire
○ e.g., if the access token expires in 1 hr, refresh it after 45 minutes

Make sure server clocks are in sync (use NTP): the stored expiration time is only meaningful if every server compares it against the same time


Proactive Refresh

[Diagram: client applications read from the shared storage; a periodic refresher writes to it]

Client application: check if an unexpired access token is already in the shared storage

Periodic refresher:
1. Use the refresh token to get a new access token
2. Write the credential back to the shared storage
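The shared-storage steps, the race-avoidance and proactive refresh from the preceding slides, and the periodic refresher, as one added example (not code from the deck or from Google). FakeSharedStore is a constructed in-memory stand-in for Memcached/Redis; the one primitive the design needs from the real store is an atomic set-if-absent (memcached `add`, Redis `SET NX EX`) used to elect a single refresher. FakeTokenEndpoint is a constructed stub for Google's token endpoint; TokenCache, its key names, the lease idea and the 75% refresh point are this example's own choices.

```python
import json
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class FakeSharedStore:
    """Constructed stand-in for Memcached/Redis with TTLs. `add` is an atomic set-if-absent
    (memcached add, Redis SET NX EX): the one primitive needed to elect a single refresher."""
    def __init__(self, clock=time.time):
        self._lock, self._data, self._clock = threading.RLock(), {}, clock   # key -> (value, expiry)

    def get(self, key):
        with self._lock:
            item = self._data.get(key)
            if item is None or (item[1] is not None and self._clock() >= item[1]):
                return None                    # missing or past its TTL
            return item[0]

    def set(self, key, value, ttl=None):
        with self._lock:
            self._data[key] = (value, None if ttl is None else self._clock() + ttl)

    def add(self, key, value, ttl=None):
        with self._lock:                       # RLock, so get()/set() can re-enter it
            if self.get(key) is not None:
                return False                   # someone else already holds the key
            self.set(key, value, ttl)
            return True

    def delete(self, key):
        with self._lock:
            self._data.pop(key, None)

class FakeTokenEndpoint:
    """Constructed stand-in for Google's token endpoint; counts refresh calls."""
    def __init__(self):
        self.refresh_calls, self._lock = 0, threading.Lock()

    def refresh(self, refresh_token):
        with self._lock:
            self.refresh_calls = n = self.refresh_calls + 1
        time.sleep(0.01)                       # latency, so concurrent callers overlap
        return {"access_token": "ya29.tok%d" % n, "expires_in": 3600}

class TokenCache:
    REFRESH_AT = 0.75    # refresh once 75% of the lifetime has elapsed (45 min of a 60 min token)
    LEASE_TTL = 30       # seconds the elected refresher may hold the lease (covers a crashed refresher)

    def __init__(self, user_id, refresh_token, store, endpoint, owner, clock=time.time):
        self._refresh_token = refresh_token    # long-lived secret: if stored centrally, protect it
        self._store, self._endpoint, self._owner, self._clock = store, endpoint, owner, clock
        self._key, self._lease = "oauth2:%s:access" % user_id, "oauth2:%s:refresh-lease" % user_id

    def _load(self):
        return json.loads(self._store.get(self._key) or "null")    # None when nothing is stored

    def _fresh(self, entry):
        return bool(entry) and self._clock() < entry["refresh_after"]

    def _refresh_and_store(self):
        t1 = self._clock()
        resp = self._endpoint.refresh(self._refresh_token)
        entry = {"access_token": resp["access_token"],
                 "expires_at": t1 + resp["expires_in"],                      # Te = T1 + expires_in
                 "refresh_after": t1 + self.REFRESH_AT * resp["expires_in"]}
        self._store.set(self._key, json.dumps(entry), ttl=resp["expires_in"])
        return entry

    def refresh_if_due(self):
        """Refresh only if due and only from the process that wins the lease (a periodic
        refresher job calls this directly). Returns the stored entry, None if nothing is stored."""
        entry = self._load()
        if self._fresh(entry) or not self._store.add(self._lease, self._owner, ttl=self.LEASE_TTL):
            return entry                       # fresh, or another process is refreshing right now
        try:
            entry = self._load()               # re-check: it may have been refreshed while we raced
            return entry if self._fresh(entry) else self._refresh_and_store()
        finally:
            self._store.delete(self._lease)

    def get_access_token(self):
        entry = self._load()
        if self._fresh(entry):
            return entry["access_token"]       # common path: one cache read, no lock, no network
        entry = self.refresh_if_due()
        if entry and self._clock() < entry["expires_at"]:
            return entry["access_token"]       # new token, or a still-valid one while another process refreshes
        for _ in range(200):                   # expired and another process is refreshing: wait up to ~1 s
            time.sleep(0.005)
            entry = self._load()
            if entry and self._clock() < entry["expires_at"]:
                return entry["access_token"]
        raise RuntimeError("no valid access token available")

def run_processes(n, store, endpoint, clock=time.time):
    """Simulate n processes (here threads, each with its own TokenCache) racing for one user's token."""
    caches = [TokenCache("user1", "1/rt", store, endpoint, "proc-%d" % i, clock) for i in range(n)]
    with ThreadPoolExecutor(max_workers=n) as pool:
        return list(pool.map(lambda c: c.get_access_token(), caches))
```

Eight simulated processes starting from an empty store cause exactly one token request: the lease decides who refreshes, and the re-check after winning the lease closes the window where a second process could still refresh. In the proactive window (after 45 minutes of a 60-minute token) a process that does not hold the lease keeps using the old token, which is still valid, so the refresh never becomes a stampede; only a token that has actually expired makes callers wait. Because every process compares the stored `expires_at` and `refresh_after` against its own clock, the NTP advice above is what keeps those comparisons honest.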


OAuth 2.0 Token Management Server

Service-oriented approach: centralize OAuth 2.0 access token management
○ Retrieval
○ Refresh
○ Storage

Example - OAuth 2.0 Key Cache


Using a Token Management Server

[Diagram: client application talking to the token management server]

1. Client application: I need the access token
2. Token management server: Here you go!

Client application, after the token is rejected: Oops! Expired, let me fetch another one.


Last Note - Security!

Refresh token and access token = credentials. Store them securely!

A refresh token is long-lived and stands in for the user's consent: treat it like a password, encrypt it at rest, restrict who and what can read it, and keep it out of logs


Questions?

