1. AdWords API & OAuth 2.0
Life after ClientLogin
Google Confidential and Proprietary
2. Ch-Ch-Ch-Changes
Changes are coming for
authentication of your applications.
3. How it works today:
1. Your app talks to authentication servers (blah blah blah)
a. Your app gets an access token (AuthToken)
2. Your app talks to the AdWords API servers
a. Passes in Developer Key and access token
b. Your app has to periodically re-authenticate.
Today: blah blah blah is called ClientLogin
4. How it will work in the new world:
1. Your app talks to authentication servers (wah wah wah)
a. Your app gets an access token.
2. Your app talks to the AdWords API servers
a. Passes in Developer Key and access token
b. Your app has to periodically re-authenticate.
New: wah wah wah is done with OAuth 2.0
5. DON'T PANIC!
● This shouldn't be a big deal for you.
● It will improve the security of your applications and data.
6. What's wrong with ClientLogin?
● Exposes usernames/passwords for MCC and client accounts: your app has to hold and send the real credentials.
● AuthTokens are valid for 2 weeks
○ No way to revoke an issued token
● Sunset by 2015
○ Might be sooner
○ Deprecated since last year
7. Why OAuth 2.0?
● OAuth 2.0 is more secure
○ Does not expose the username/password to your app
○ Only OAuth tokens are exchanged
● More specific access control
○ Tokens can be restricted to a scope of data
○ A token can easily be revoked
○ Reduced impact if a token is compromised
● No CAPTCHA challenges
● Have learned a lot from the mess of OAuth 1.0
8. Using OAuth 2.0
Your Key Steps
1. Register the OAuth application
2. Authenticate to get an access token and a refresh token
3. Call the AdWords API with the access token
4. Handle token expiration
9. Using OAuth 2.0
Step 1: Registering
Go to:
https://code.google.com/apis/console
and create a new project
16. Using OAuth 2.0
Step 2: Coding for OAuth 2.0
● Are you using the client libraries?
● Most are already up to date
○ Ruby
○ Java (new)
○ .NET
○ Python
○ Perl
● The rest will follow soon
17. Using OAuth 2.0
Step 2: Coding by Hand
1. Send the user to the Google Authorization Server, with:
a. what you want access to (the scope) - https://adwords.google.com/api/adwords
b. your client_id (the client_secret stays on your side: it is sent only in the later token exchange, never in the user-facing URL)
2. The next step requires an actual user to interact with a Google web page, which lets them:
a. log in with their MCC or client account credentials
b. authorize access to the given scope
3. The server returns an authorization code; your app exchanges that code (plus client_id and client_secret) for an accessToken and a refreshToken
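The three steps above, as an added example that is not from the deck or from the AdWords client libraries: a hand-rolled authorization-code flow in Python (the deck's own samples are Java; Python is one of the listed client-library languages). The endpoint URLs are Google's OAuth 2.0 endpoints of that era and the scope is the AdWords scope from step 1; the client ID, client secret, code values, the loopback redirect URI and fake_token_endpoint are constructed for illustration. It also adds the state check a practitioner would want: the code in the callback is only accepted if it carries the state this session generated.

```python
"""Added example (not from the deck): OAuth 2.0 authorization-code flow by hand.
Endpoint URLs and the AdWords scope are real values; the HTTP poster is
injected so the code exchange can be simulated offline with a constructed fake."""
import json
import secrets
import urllib.parse
import urllib.request

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
AWAPI_SCOPE = "https://adwords.google.com/api/adwords"


def new_state():
    """Unguessable per-session value that binds the callback to this request."""
    return secrets.token_urlsafe(16)


def build_authorization_url(client_id, redirect_uri, state, scope=AWAPI_SCOPE):
    """Step 1: the URL the user opens. No client_secret here; the secret
    must never appear in a user-visible URL or in browser history."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,             # CSRF binding, checked in check_callback()
        "access_type": "offline",   # ask for a refresh token as well
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def check_callback(callback_url, expected_state):
    """Step 2: consent page redirects back with ?code=...&state=...
    Reject the code unless the state matches what this session generated."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    return query["code"][0]


def http_post_form(url, fields):
    """Real transport: POST application/x-www-form-urlencoded over TLS, parse JSON."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=30) as resp:
        return json.load(resp)


def exchange_code(code, client_id, client_secret, redirect_uri, post=http_post_form):
    """Step 3: trade the one-time code for tokens. This is the only request
    that carries client_secret, and it goes from your server to Google's."""
    body = post(TOKEN_ENDPOINT, {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    })
    if "error" in body:
        raise RuntimeError("token endpoint error: " + body["error"])
    return body["access_token"], body.get("refresh_token")


def fake_token_endpoint(url, fields):
    """Constructed stand-in for Google's token endpoint (offline demo only)."""
    assert url == TOKEN_ENDPOINT
    if fields["code"] == "4/good-code" and fields["client_secret"] == "s3cret":
        return {"access_token": "ya29.example", "expires_in": 3600,
                "refresh_token": "1/example-refresh", "token_type": "Bearer"}
    return {"error": "invalid_grant"}


if __name__ == "__main__":
    # Hypothetical client ID/secret and loopback redirect URI.
    state = new_state()
    print(build_authorization_url("my-client-id", "http://localhost:8080/cb", state))
    cb = "http://localhost:8080/cb?code=4%2Fgood-code&state=" + state  # constructed callback
    code = check_callback(cb, state)
    print(exchange_code(code, "my-client-id", "s3cret", "http://localhost:8080/cb",
                        post=fake_token_endpoint))
```

The split matters for where the secret lives: the authorization URL is built on the user's side and only names the client, while exchange_code runs on your side and is the one place client_secret is transmitted. Dropping the state check is the classic mistake; without it an attacker can hand your app a code that binds a victim's session to the attacker's account.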
18. Step 2: How to use the tokens returned
accessToken
● Access for ~ 1 hour
● Then expires
refreshToken
● Regenerates accessTokens
● No user interaction required
● Be sure to store it
21. Step 2 (by hand): Let's look at some code
(This code is available on the web, so don't worry if you
can't follow it all now.)
http://goo.gl/s6nmR
22. Sample code - authorize()
import java.io.File;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
import com.google.api.client.extensions.java6.auth.oauth2.FileCredentialStore;
import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;

// HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET and AWAPI_SCOPE are
// constants defined elsewhere in the sample (see the link on the previous slide).
public Credential authorize() throws Exception {
  // set up file credential store to save/load tokens
  // (Java does not expand "~", so build the path from user.home; the file
  // holds the refresh token in plain text, so keep it readable by this user only)
  FileCredentialStore credentialStore =
      new FileCredentialStore(
          new File(System.getProperty("user.home"), "Desktop/oauth.json"),
          JSON_FACTORY);
  // set up authorization code flow
  GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow
      .Builder(HTTP_TRANSPORT, JSON_FACTORY,
          CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
      .setCredentialStore(credentialStore)
      .build();
  // actually authorize: open the consent page, receive the code on a local
  // loopback port, exchange it for tokens and cache them under the key "user"
  return new AuthorizationCodeInstalledApp(
      flow, new LocalServerReceiver())
      .authorize("user");
}
25. Sample code - connect()
import com.google.api.ads.adwords.axis.factory.AdWordsServices;
import com.google.api.ads.adwords.lib.client.AdWordsSession;

// Construct AdWordsSession object: fromFile() reads the developer token and
// clientCustomerId from ads.properties; the OAuth2 credential replaces ClientLogin
AdWordsSession session =
    new AdWordsSession
        .Builder()
        .fromFile()
        .withOAuth2Credential(credential)
        .build();
// Construct AdWordsServices object (the factory for the individual service stubs)
AdWordsServices adWordsServices = new AdWordsServices();
26. Further Info
Authentication Flows: You've got choices
(Consent always needs user interaction; the response can be handled programmatically.)
● Web Server Flow
○ Consent: browser for consent
○ Response: redirects the user to your callback endpoint, which receives the code
● Installed App Flow, manual variant
○ Consent: URL provided - user pastes it into a browser
○ Response: a code is displayed - user pastes it into the app
● Installed App Flow, loopback variant
○ Consent: URL provided - opened in an in-app browser
○ Response: the app captures the code itself and returns it to the auth server
27. Further Info
OAuth 2.0 Best Practices
● Use the refreshToken only when the accessToken has expired
○ Do not refresh before every call
● Store the refreshToken for re-use
○ To reduce user interaction (it is a long-lived credential: protect it like a password)
● Officially clientCustomerId is needed only for reports
○ Recommended for all requests
28. Coding by Hand: Handling Expired Tokens
● What? I need to handle token expirations?
● You should already be able to retry requests today:
○ ClientLogin auth tokens can time out.
○ Server calls can fail in a way that suggests you should retry.
29. Further Info
Coding by Hand: Error Handling
● Error: AuthenticationError.OAUTH_TOKEN_INVALID
○ On: accessToken expired (or otherwise rejected by the server)
○ Resolution: use the refreshToken to obtain a new accessToken, then retry the call
● Error: AuthenticationError.INVALID_GRANT_ERROR
○ On: the grant has been revoked (for example the user withdrew access), so the refreshToken no longer works
○ Resolution: re-authorize the app with user consent to obtain a new refreshToken
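The token lifecycle from the accessToken/refreshToken slide, the best practices and the two error cases above, as one added example in Python (not from the deck or from the AdWords client libraries). OAuthSession refreshes only when the local expiry says the access token is gone or when the API answers OAUTH_TOKEN_INVALID, persists the refresh token with owner-only permissions, and turns invalid_grant into a "go back to consent" signal. FakeGoogle, the token strings, the customer ID and the campaign record are constructed so the demo runs offline; the error reason strings are the ones on the slide.

```python
"""Added example, not from the deck: token lifecycle for a hand-rolled client.
FakeGoogle is a constructed stand-in for the token endpoint and an AdWords
service; nothing here is Google's real behaviour beyond the error names."""
import json
import os
import tempfile
import time


class NeedsUserConsent(Exception):
    """Refresh token rejected (invalid_grant): the user must consent again."""


class ApiError(Exception):
    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


class TokenStore:
    """Persist only the refresh token; access tokens live about an hour."""
    def __init__(self, path):
        self.path = path

    def save(self, refresh_token):
        # A refresh token is a long-lived credential: owner-only file mode.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump({"refresh_token": refresh_token}, f)

    def load(self):
        with open(self.path) as f:
            return json.load(f)["refresh_token"]


class OAuthSession:
    def __init__(self, refresh_token, refresh_fn, store, now=time.time, skew=60):
        self.refresh_token, self.refresh_fn, self.store = refresh_token, refresh_fn, store
        self.now, self.skew = now, skew
        self.access_token, self.expires_at, self.refresh_attempts = None, 0.0, 0
        store.save(refresh_token)

    def _refresh(self):
        self.refresh_attempts += 1
        body = self.refresh_fn(self.refresh_token)   # POST grant_type=refresh_token
        if body.get("error") == "invalid_grant":
            raise NeedsUserConsent("refresh token revoked; rerun the consent flow")
        self.access_token = body["access_token"]
        self.expires_at = self.now() + body["expires_in"]

    def token(self):
        """Use the refresh token only when the access token is absent or (nearly) expired."""
        if self.access_token is None or self.now() >= self.expires_at - self.skew:
            self._refresh()
        return self.access_token

    def call(self, api_fn, *args):
        """api_fn(access_token, *args); on OAUTH_TOKEN_INVALID refresh once and retry."""
        try:
            return api_fn(self.token(), *args)
        except ApiError as e:
            if e.reason != "AuthenticationError.OAUTH_TOKEN_INVALID":
                raise
            self._refresh()
            return api_fn(self.access_token, *args)


class FakeGoogle:
    """Constructed token endpoint + service (offline demo only)."""
    def __init__(self, clock):
        self.clock, self.issued, self.valid_refresh, self.n = clock, {}, {"1/refresh-abc"}, 0

    def refresh(self, refresh_token):
        if refresh_token not in self.valid_refresh:
            return {"error": "invalid_grant"}
        self.n += 1
        self.issued[f"ya29.{self.n}"] = self.clock() + 3600
        return {"access_token": f"ya29.{self.n}", "expires_in": 3600}

    def get_campaigns(self, access_token, customer_id):
        if self.issued.get(access_token, 0) <= self.clock():
            raise ApiError("AuthenticationError.OAUTH_TOKEN_INVALID")
        return [{"customerId": customer_id, "name": "Campaign #1"}]


def demo():
    clock = [1_000_000.0]
    google = FakeGoogle(lambda: clock[0])
    path = os.path.join(tempfile.mkdtemp(), "oauth.json")
    s = OAuthSession("1/refresh-abc", google.refresh, TokenStore(path), now=lambda: clock[0])
    first = s.call(google.get_campaigns, "123-456-7890")   # refresh #1: no token yet
    s.call(google.get_campaigns, "123-456-7890")           # cached token, no refresh
    clock[0] += 7200                                        # two hours later: expired locally
    s.call(google.get_campaigns, "123-456-7890")           # refresh #2 on expiry
    google.issued.clear()                                   # server drops the token early
    s.call(google.get_campaigns, "123-456-7890")           # OAUTH_TOKEN_INVALID -> refresh #3, retry
    google.valid_refresh.clear()                            # user revokes the app's access
    clock[0] += 7200
    try:
        s.call(google.get_campaigns, "123-456-7890")        # refresh #4 -> invalid_grant
        outcome = "unexpected success"
    except NeedsUserConsent:
        outcome = "re-consent"
    return s.refresh_attempts, outcome, first, path
```

demo() makes five API calls but only four refresh attempts, one of which fails: the second call reuses the cached access token, and the last call is the revoked-grant case that no amount of retrying can fix, which is why it surfaces as a distinct exception rather than being swallowed by the retry loop.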
30. Summary
● Change is coming
● Shouldn't be a big deal
○ Will actually improve your app's security
● Client library users should be ready to go now or soon.