Google Confidential and Proprietary
AdWords API & OAuth 2.0: Life after ClientLogin
Ch-Ch-Ch-Changes
Changes are coming for authentication of your applications.
How it works today:
1. Your app talks to authentication servers (blah blah blah)
   a. Your app gets an access token (AuthToken)
2. Your app talks to the AdWords API servers
   a. Passes in Developer Key and access token
   b. Your app has to periodically re-authenticate.
Today: blah blah blah is called ClientLogin
How it will work in the new world:
1. Your app talks to authentication servers (wah wah wah)
   a. Your app gets an access token.
2. Your app talks to the AdWords API servers
   a. Passes in Developer Key and access token
   b. Your app has to periodically re-authenticate.
New: wah wah wah is done with OAuth 2.0
DON'T PANIC!
● This shouldn't be a big deal for you.
● Will improve the security of your applications and data.
What's wrong with ClientLogin?
● Exposes username/passwords for MCC and client accounts.
● AuthTokens duration 2 weeks
○ No way to revoke issued tokens
● Sunset by 2015
○ Might be sooner
○ Deprecated since last year
Why OAuth 2.0?
● OAuth 2.0 is more secure
○ Does not expose password/username
○ Only exchanges OAuth tokens
● More specific access control
○ Tokens can have restricted scope on data
○ Can easily revoke a token
○ Reduced impact if a token is compromised
● No CAPTCHA challenges.
● Have learned a lot from the mess of OAuth 1.0
Using OAuth 2.0
Your Key Steps
1. Registering the OAuth application
2. Authenticating to get access token (AuthToken) and refresh token.
3. Call the AdWords API with the access token.
4. Handle token expiration.
Step 1: Registering
Go to: https://code.google.com/apis/console
and create a new project
Google APIs Console (screenshots of the registration steps)
Step 2: Coding for OAuth 2.0
● Are you using the client libraries?
● Most are already up to date
○ Ruby
○ Java (new)
○ .NET
○ Python
○ Perl
● Rest will be coming soon
Step 2: Coding by Hand
1. Send a request to the Google Authorization Server, with:
   a. what you want access to - https://adwords.google.com/api/adwords
   b. and the client_id and the client_secret
2. The next step requires the actual user to interact with a Google webpage, which allows them to:
   a. log in with their MCC or client account credentials
   b. authorize access to the given scope
3. This returns the accessToken and refreshToken to your app
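The three by-hand steps above, as an added Python example that is not the deck's Java sample: it builds the consent URL for the AdWords scope, checks the redirect that carries the authorization code, and shapes the code-for-token exchange. The endpoint URL, the `access_type=offline` parameter (which asks for a refreshToken), the `urn:ietf:wg:oauth:2.0:oob` redirect used by the "display code" installed-app variant, and the `state` value (which ties the callback to the request that started it) are this example's assumptions; the token response is a constructed sample, not a captured one.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed Google OAuth 2.0 authorization endpoint; the scope is the one named on the slide.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
ADWORDS_SCOPE = "https://adwords.google.com/api/adwords"


def build_authorization_url(client_id, redirect_uri, scope=ADWORDS_SCOPE, state=None):
    """Step 1: the URL the user opens to grant consent. Returns (url, state)."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "access_type": "offline",  # assumed parameter: also issue a refreshToken
        "state": state,            # echoed back so the callback can be matched
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 2: pull the authorization code out of the redirect, after checking state."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in qs:
        raise ValueError(f"authorization refused: {qs['error'][0]}")
    return qs["code"][0]


def token_request_body(client_id, client_secret, code, redirect_uri):
    """Step 3: the form body POSTed to the token endpoint to trade the code for tokens."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }


def parse_token_response(body):
    """Read accessToken, refreshToken and lifetime from the JSON token response."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token exchange failed: {data['error']}")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # present on the first consent
        "expires_in": int(data["expires_in"]),
    }


if __name__ == "__main__":
    url, state = build_authorization_url("YOUR_CLIENT_ID", "urn:ietf:wg:oauth:2.0:oob")
    print("open this URL:", url)
    # Constructed token response standing in for what the token endpoint returns.
    sample = '{"access_token": "a1", "refresh_token": "r1", "expires_in": 3600, "token_type": "Bearer"}'
    print(parse_token_response(sample))
```

The refreshToken only comes back on the exchange that follows a fresh consent, which is why the deck tells you to store it: a later run that has only an accessToken cannot get a new one without sending the user back through the consent page.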
Step 2: How to use the tokens returned
accessToken
● Access for ~ 1 hour
● Then expires
refreshToken
● Regenerates accessTokens
● No user interaction required
● Be sure to store it
Step 2 (by hand): Let's look at some code
(This code is available on the web, so don't worry if you can't follow it all now.)
http://goo.gl/s6nmR
Sample code - authorize()
// Imports for the google-api-java-client classes used below (the slide omits them;
// package names are assumed from the class names). HTTP_TRANSPORT, JSON_FACTORY,
// CLIENT_ID, CLIENT_SECRET and AWAPI_SCOPE are constants defined elsewhere in the sample.
import java.io.File;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
import com.google.api.client.extensions.java6.auth.oauth2.FileCredentialStore;
import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;

public Credential authorize() throws Exception {
  // set up file credential store to save/load tokens
  // (java.io.File does not expand "~", so build the path from user.home;
  // this file holds the refreshToken, so keep it readable by this user only)
  File tokenFile = new File(System.getProperty("user.home"), "Desktop/oauth.json");
  FileCredentialStore credentialStore = new FileCredentialStore(tokenFile, JSON_FACTORY);
  // set up authorization code flow
  GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow
      .Builder(HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
      .setCredentialStore(credentialStore)
      .build();
  // actually authorize: opens the consent page and receives the code on a local port
  return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
      .authorize("user");
}
Sample code - connect()
// Construct AdWordsSession object
AdWordsSession session = new AdWordsSession.Builder()
    .fromFile()
    .withOAuth2Credential(credential)
    .build();
// Construct AdWordsServices object
AdWordsServices adWordsServices = new AdWordsServices();
Authentication Flows: You've got choices
● Web Server Flow
○ Consent: Browser for consent
○ Response: Redirects user to callback endpoint
● Installed App Flow
○ Consent: URL provided - user pastes into browser
○ Response: Display code - user pastes into app
OR
○ Consent: URL provided - in-app browser
○ Response: Captures code - app returns to auth server
Further Info
User Interaction | Programmatic
OAuth 2.0 Best Practices
● Use the refreshToken only on accessToken expiry
● Store the refreshToken for re-use
○ To reduce user interaction
● Officially clientCustomerId needed only for reports
○ Recommended for all
Further Info
Coding by Hand: Handling Expired Tokens
● What? I need to handle token expirations?
● Theoretically, you should be able to restart requests today!
○ ClientLogin auth tokens can time out.
○ Server calls can fail in a way that suggests you should retry.
Coding by Hand: Error Handling
Further Info
● Error: AuthenticationError.OAUTH_TOKEN_INVALID
○ On: accessToken expired
○ Resolution: use refreshToken
● Error: AuthenticationError.INVALID_GRANT_ERROR
○ On: accessToken revoked
○ Resolution: re-auth app with user consent
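The best practices and the error-handling table above, worked through as an added Python example (not the deck's Java sample and not the AdWords client library): a small session object keeps the stored refreshToken, uses the accessToken until it expires, refreshes only on expiry or on OAUTH_TOKEN_INVALID, and turns INVALID_GRANT_ERROR (or an `invalid_grant` answer from the token endpoint) into a signal that the user must consent again. The auth server and API server are constructed stand-ins so the example runs offline; the error names are the ones on the slide, the one-retry policy and the 60-second early-refresh margin are this example's choices.

```python
import time


class AuthError(Exception):
    """Constructed stand-in for an AdWords AuthenticationError; reason is the error name."""
    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


class ReauthRequired(Exception):
    """The refreshToken is no longer honoured: the user must grant consent again."""


class FakeAuthServer:
    """Constructed token endpoint; a real client POSTs to Google's token URL instead."""
    def __init__(self):
        self.live_refresh_tokens = {"refresh-1"}
        self.live_access_tokens = set()
        self.refresh_calls = 0
        self.issued = 0

    def refresh(self, refresh_token):
        self.refresh_calls += 1
        if refresh_token not in self.live_refresh_tokens:
            return {"error": "invalid_grant"}
        self.issued += 1
        token = f"access-{self.issued}"
        self.live_access_tokens.add(token)
        return {"access_token": token, "expires_in": 3600}

    def expire(self, access_token):      # the ~1 hour lifetime runs out server-side
        self.live_access_tokens.discard(access_token)

    def revoke(self, refresh_token):     # the user revokes the app's access
        self.live_refresh_tokens.discard(refresh_token)
        self.live_access_tokens.clear()


class FakeAdWordsApi:
    """Constructed API server that answers with the error names from the slide."""
    def __init__(self, auth):
        self.auth = auth

    def get_campaigns(self, access_token):
        if not self.auth.live_refresh_tokens:
            raise AuthError("AuthenticationError.INVALID_GRANT_ERROR")
        if access_token not in self.auth.live_access_tokens:
            raise AuthError("AuthenticationError.OAUTH_TOKEN_INVALID")
        return ["Campaign A", "Campaign B"]


class TokenSession:
    """Holds the stored refreshToken plus the current accessToken and its local expiry."""
    EARLY = 60   # refresh this many seconds before the reported expiry

    def __init__(self, auth, refresh_token):
        self.auth = auth
        self.refresh_token = refresh_token
        self.access_token = None
        self.expires_at = 0.0

    def _refresh(self):
        resp = self.auth.refresh(self.refresh_token)
        if "error" in resp:   # invalid_grant: refreshToken revoked or stale
            raise ReauthRequired(f"token endpoint said {resp['error']}; repeat the consent flow")
        self.access_token = resp["access_token"]
        self.expires_at = time.monotonic() + resp["expires_in"] - self.EARLY

    def call(self, api_fn):
        """Run one API call, refreshing only when the accessToken is missing or expired."""
        if self.access_token is None or time.monotonic() >= self.expires_at:
            self._refresh()
        try:
            return api_fn(self.access_token)
        except AuthError as err:
            if err.reason == "AuthenticationError.INVALID_GRANT_ERROR":
                raise ReauthRequired("access revoked; re-auth the app with user consent") from err
            if err.reason != "AuthenticationError.OAUTH_TOKEN_INVALID":
                raise
            self._refresh()               # expired server-side: refresh once and retry
            return api_fn(self.access_token)


def demo():
    """Normal use, a silent server-side expiry, then revocation; returns what happened."""
    auth = FakeAuthServer()
    api = FakeAdWordsApi(auth)
    session = TokenSession(auth, "refresh-1")
    first = session.call(api.get_campaigns)      # no token yet: one refresh
    second = session.call(api.get_campaigns)     # still valid: no refresh
    after_two = auth.refresh_calls
    auth.expire(session.access_token)            # the hour passes on the server
    third = session.call(api.get_campaigns)      # OAUTH_TOKEN_INVALID -> refresh -> retry
    after_expiry = auth.refresh_calls
    auth.revoke("refresh-1")
    try:
        session.call(api.get_campaigns)
        revoked = "unexpected success"
    except ReauthRequired:
        revoked = "reauth required"
    return {"first": first, "second": second, "third": third,
            "refreshes_after_two_calls": after_two,
            "refreshes_after_expiry": after_expiry, "revoked": revoked}


if __name__ == "__main__":
    print(demo())
```

The retry is bounded to one refresh per call on purpose: if the freshly issued token is also rejected, something other than expiry is wrong, and looping on the token endpoint would only hide it. A client-library user gets the same behaviour from the library; this is what the "coding by hand" path has to reproduce.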
Summary
● Change is coming
● Shouldn't be a big deal
○ Will actually improve your app security
● Client library users should be ready to go now or soon.
Q&A
Resources
Docs Links:
https://developers.google.com/accounts/docs/OAuth2
Register app, get client_id & client_secret:
https://code.google.com/apis/console
Java Sample Code:
http://goo.gl/s6nmR