Google Confidential and Proprietary AdWords API & OAuth 2.0 Life after ClientLogin

AdWords API and OAuth 2.0

Uploaded by: marcwan


Page 1: AdWords API and OAuth 2.0

Google Confidential and Proprietary

AdWords API & OAuth 2.0

Life after ClientLogin

Page 2: AdWords API and OAuth 2.0

Ch-Ch-Ch-Changes

Changes are coming for authentication of your applications.

Page 3: AdWords API and OAuth 2.0

How it works today:

1. Your app talks to authentication servers (blah blah blah)
   a. Your app gets an access token (AuthToken)

2. Your app talks to the AdWords API servers
   a. Passes in Developer Key and access token
   b. Your app has to periodically re-authenticate.

Today: blah blah blah is called ClientLogin

Page 4: AdWords API and OAuth 2.0

How it will work in the new world:

1. Your app talks to authentication servers (wah wah wah)
   a. Your app gets an access token.

2. Your app talks to the AdWords API servers
   a. Passes in Developer Key and access token
   b. Your app has to periodically re-authenticate.

New: wah wah wah is done with OAuth 2.0

Page 5: AdWords API and OAuth 2.0

DON'T PANIC!

● This shouldn't be a big deal for you.

● Will improve the security of your applications and data.

Page 6: AdWords API and OAuth 2.0

What's wrong with ClientLogin?

● Exposes username/passwords for MCC and client accounts.

● AuthTokens duration 2 weeks
  ○ No way to revoke issued tokens

● Sunset by 2015
  ○ Might be sooner
  ○ Deprecated since last year

Page 7: AdWords API and OAuth 2.0

Why OAuth 2.0?

● OAuth 2.0: more secure
  ○ Does not expose password/username
  ○ Only exchange OAuth tokens

● More specific access control
  ○ Tokens can have restricted scope on data
  ○ Can easily revoke a token
  ○ Reduced impact if token compromised

● No CAPTCHA challenges.

● Have learned a lot from the mess of OAuth 1.0

Page 8: AdWords API and OAuth 2.0

Your Key Steps

1. Registering the OAuth application

2. Authenticating to get access token (AuthToken) and refresh token.

3. Call the AdWords API with the access token.

4. Handle token expiration.

Using OAuth 2.0

Page 9: AdWords API and OAuth 2.0

Step 1: Registering

Go to: https://code.google.com/apis/console and create a new project

Using OAuth 2.0

Page 10: AdWords API and OAuth 2.0

Google APIs Console

Page 15: AdWords API and OAuth 2.0

Using OAuth 2.0

Page 16: AdWords API and OAuth 2.0

Step 2: Coding for OAuth 2.0

● Are you using the client libraries?

● Most are already up to date

○ Ruby

○ Java (new)

○ .NET

○ Python

○ Perl

● Rest will be coming soon

Using OAuth 2.0

Page 17: AdWords API and OAuth 2.0

Step 2: Coding by Hand

1. Send a request to the Google Authorization Server, with:
   a. what you want access to - https://adwords.google.com/api/adwords
   b. and the client_id and the client_secret

2. The next step requires an actual user to interact with a Google webpage that allows you to:
   a. log in with your MCC or client account credentials
   b. authorize access to the given scope

3. This returns the accessToken and refreshToken to your app

Using OAuth 2.0
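The by-hand steps above at the HTTP level, as an added Python example (not code from the deck or from Google's sample). The authorization endpoint URL, the `state` check and the function names are assumptions added here; in the standard authorization-code exchange the client_secret travels only in the token request, never in the browser URL.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumption: Google's OAuth 2.0 authorization endpoint; not named on the slides.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
AWAPI_SCOPE = "https://adwords.google.com/api/adwords"  # scope from step 1a

def build_consent_url(client_id, redirect_uri):
    """Step 1: URL the user opens to log in and approve the scope (step 2)."""
    state = secrets.token_urlsafe(16)  # ties the callback to this request
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": AWAPI_SCOPE,
        "access_type": "offline",  # Google parameter: also issue a refreshToken
        "state": state,
    })
    return AUTH_ENDPOINT + "?" + query, state

def parse_callback(callback_url, expected_state):
    """Return the authorization code, rejecting denied or forged callbacks."""
    q = parse_qs(urlsplit(callback_url).query)
    if "error" in q:  # e.g. the user declined on the consent page
        raise PermissionError(q["error"][0])
    got = q.get("state", [""])[0]
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this request")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]

def token_request_body(code, client_id, client_secret, redirect_uri):
    """Step 3: form body POSTed to the token endpoint over TLS; the reply
    carries the accessToken and refreshToken."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # back-channel only, never in the browser URL
        "redirect_uri": redirect_uri,
    })
```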

Page 20: AdWords API and OAuth 2.0

Step 2: How to use the tokens returned

accessToken

● Access for ~ 1 hour

● Then expires

refreshToken

● Regenerates accessTokens

● No user interaction required

● Be sure to store it

Page 21: AdWords API and OAuth 2.0

Step 2 (by hand): Let's look at some code

(This code is available on the web, so don't worry if you can't follow it all now.)

http://goo.gl/s6nmR

Page 22: AdWords API and OAuth 2.0

Sample code - authorize()

    public Credential authorize() throws Exception {
      // set up file credential store to save/load tokens
      // (Java does not expand "~", so resolve the home directory explicitly)
      FileCredentialStore credentialStore = new FileCredentialStore(
          new File(System.getProperty("user.home"), "Desktop/oauth.json"),
          JSON_FACTORY);

      // set up authorization code flow
      ...

      // actually authorize
      ...
    }

Page 23: AdWords API and OAuth 2.0

Sample code - authorize()

    public Credential authorize() throws Exception {
      // set up file credential store to save/load tokens
      // (Java does not expand "~", so resolve the home directory explicitly)
      FileCredentialStore credentialStore = new FileCredentialStore(
          new File(System.getProperty("user.home"), "Desktop/oauth.json"),
          JSON_FACTORY);

      // set up authorization code flow
      GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
              HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
          .setCredentialStore(credentialStore)
          .build();

      // actually authorize
      ...
    }

Page 24: AdWords API and OAuth 2.0

Sample code - authorize()

    public Credential authorize() throws Exception {
      // set up file credential store to save/load tokens
      ...

      // set up authorization code flow
      GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
              HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
          .setCredentialStore(credentialStore)
          .build();

      // actually authorize
      return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
          .authorize("user");
    }

Page 25: AdWords API and OAuth 2.0

Sample code - connect()

    // Construct AdWordsSession object
    AdWordsSession session = new AdWordsSession.Builder()
        .fromFile()
        .withOAuth2Credential(credential)
        .build();

    // Construct AdWordsServices object
    AdWordsServices adWordsServices = new AdWordsServices();

Page 26: AdWords API and OAuth 2.0

Authentication Flows: You've got choices

● Web Server Flow
  ○ Consent: Browser for consent
  ○ Response: Redirects user to callback endpoint

● Installed App Flow
  ○ Consent: URL provided - user pastes into browser
  ○ Response: Display code - user pastes into app

  OR

  ○ Consent: URL provided - in-app browser
  ○ Response: Captures code - app returns to auth server

Further Info

User Interaction | Programmatic

Page 27: AdWords API and OAuth 2.0

OAuth 2.0 Best Practices

● Use the refreshToken only on accessToken expiry

● Store the refreshToken for re-use
  ○ To reduce user interaction

● Officially clientCustomerId needed only for reports

○ Recommended for all

Further Info

Page 28: AdWords API and OAuth 2.0

Coding by Hand: Handling Expired Tokens

● What? I need to handle token expirations?

● Theoretically, you should be able to restart requests today!
  ○ ClientLogin auth tokens can time out.
  ○ Server calls can fail in a way that suggests you should retry.

Page 29: AdWords API and OAuth 2.0

Coding by Hand: Error Handling

Further Info

● Error: AuthenticationError.OAUTH_TOKEN_INVALID
  ○ On: accessToken expired
  ○ Resolution: use refreshToken

● Error: AuthenticationError.INVALID_GRANT_ERROR
  ○ On: accessToken revoked
  ○ Resolution: re-auth app with user consent
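One way to combine the two resolutions above with the "refresh only on expiry" and "store the refreshToken" practices, as an added Python example (not code from the deck). `TokenManager`, `ReauthRequired`, `refresh_fn` and `api_fn` are hypothetical names, and the HTTP calls are injected as callables so the logic runs offline.

```python
import json, os, time

class ReauthRequired(Exception):
    """The grant is gone; the user must give consent again."""

class TokenManager:
    # refresh_fn(refresh_token) -> token-endpoint reply as a dict (hypothetical hook)
    def __init__(self, store_path, refresh_fn, clock=time.time):
        self.store_path, self.refresh_fn, self.clock = store_path, refresh_fn, clock
        self.access_token, self.expires_at = None, 0.0

    def save_refresh_token(self, token):
        # "Be sure to store it": a new file is created accessible to its owner only
        fd = os.open(self.store_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump({"refresh_token": token}, f)

    def _refresh(self):
        with open(self.store_path) as f:
            reply = self.refresh_fn(json.load(f)["refresh_token"])
        if reply.get("error") == "invalid_grant":  # RFC 6749: refresh token revoked/expired
            raise ReauthRequired("refresh token rejected")
        self.access_token = reply["access_token"]
        # renew 60 s before the stated lifetime ends to absorb clock skew
        self.expires_at = self.clock() + reply["expires_in"] - 60

    def get_access_token(self):
        # Use the refreshToken only when the accessToken is missing or expired
        if self.access_token is None or self.clock() >= self.expires_at:
            self._refresh()
        return self.access_token

    def call(self, api_fn):
        """api_fn(access_token) -> (error_code_or_None, result); hypothetical hook."""
        for attempt in (1, 2):
            err, result = api_fn(self.get_access_token())
            if err is None:
                return result
            if err == "AuthenticationError.OAUTH_TOKEN_INVALID" and attempt == 1:
                self.access_token = None  # expired early: refresh once, then retry
                continue
            if err == "AuthenticationError.INVALID_GRANT_ERROR":
                raise ReauthRequired(err)  # revoked: needs fresh user consent
            raise RuntimeError(err)
```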

Page 30: AdWords API and OAuth 2.0

Summary

● Change is coming

● Shouldn't be a big deal
  ○ Will actually improve your app security

● Client library users should be ready to go now or soon.

Page 31: AdWords API and OAuth 2.0

Q&A

Page 32: AdWords API and OAuth 2.0

Resources

Docs Links:

https://developers.google.com/accounts/docs/OAuth2

Register app, get client_id & client_secret:

https://code.google.com/apis/console

Java Sample Code:

http://goo.gl/s6nmR