OAuth 2.0

  1. OAuth 2.0
     Life after ClientLogin
     Google Confidential and Proprietary
  2. Agenda
     ● Why migrate from ClientLogin?
     ● What is OAuth 2.0?
     ● Using OAuth 2.0
        ○ Google APIs Console
        ○ Web Server Flow
     ● A code example
     ● Further Info
     ● Q&A
  3. Why migrate from ClientLogin?
     ● Exposes username/passwords for MCC and client accounts.
     ● AuthTokens duration 2 weeks
        ○ No way to revoke issued tokens
     ● Sunset by 2015
        ○ Might be sooner
        ○ Deprecated since last year
     More info - https://developers.google.com/accounts/docs/AuthForInstalledApps
  4. What is OAuth 2.0?
     Better than ClientLogin
     ● More secure
        ○ Does not expose password/username
        ○ Only exchange OAuth tokens
     ● More specific access control
        ○ Tokens can have restricted scope on data
        ○ Can easily revoke a token
        ○ Reduced impact if token compromised
     ● No CAPTCHA challenges.
  5. What is OAuth 2.0?
     The Flow
     ● Setting up access
        ○ MCC: Register Application
     ● Using the Authentication
        ○ Make token request
           ■ Ask for user's consent
        ○ Exchange code for access token
           ■ Save the refresh token
        ○ Call the API
     ● When a token expires
        ○ Refresh the access token
     User Interaction | Programmatic
  6. What is OAuth 2.0?
     More info - https://developers.google.com/accounts/docs/OAuth2
  7. Using OAuth 2.0
     The Steps
     1. Create a project in Google APIs Console
        a. Generate the client_id and client_secret
     2. Use client lib to access OAuth 2.0 "Web Server Flow"
     3. Save the refreshToken
     4. Use the accessToken to make API calls
     5. When the accessToken expires, re-use the refreshToken to get more accessTokens
  8. Google APIs Console
     Go to https://code.google.com/apis/console and create a new project
  9. Google APIs Console
     You might need to register a Redirect URI, depending on how you want to use the client libs
  10. Google APIs Console
      Then create your OAuth 2.0 client_id and client_secret, which you will need to make OAuth 2.0 calls.
  11. Web Server Flow
      Basic coding steps
      1. Send a request to the Google Authorization Server, with:
         a. scope - https://adwords.google.com/api/adwords
         b. the client_id
      2. This opens a browser, with a Google webpage, that allows you to:
         a. login with your MCC or client account credentials
         b. authorize access to the given scope
      3. This returns the accessToken and refreshToken to your app
      More info - https://developers.google.com/accounts/docs/OAuth2WebServer
  12. Basic coding steps
      accessToken
      ● Access for ~ 1 hour
      ● Then expires
  13. Basic coding steps
      accessToken
      ● Access for ~ 1 hour
      ● Then expires
      refreshToken
      ● Regenerates accessTokens
      ● No user interaction
      User Interaction | Programmatic
  14. Basic coding steps
      accessToken
      ● Access for ~ 1 hour
      ● Then expires
      refreshToken
      ● Regenerates accessTokens
      ● No user interaction
      ● Be sure to store it
      User Interaction | Programmatic
  15. Sample code - authorize()

          public Credential authorize() throws Exception {
            // set up file credential store to save/load tokens
            // (java.io.File does not expand "~", so resolve the home directory explicitly)
            FileCredentialStore credentialStore = new FileCredentialStore(
                new File(System.getProperty("user.home"), "Desktop/oauth.json"),
                JSON_FACTORY);
            // set up authorization code flow
            ...
            // actually authorize
            ...
          }

  16. Sample code - authorize()

          public Credential authorize() throws Exception {
            // set up file credential store to save/load tokens
            // (java.io.File does not expand "~", so resolve the home directory explicitly)
            FileCredentialStore credentialStore = new FileCredentialStore(
                new File(System.getProperty("user.home"), "Desktop/oauth.json"),
                JSON_FACTORY);
            // set up authorization code flow
            GoogleAuthorizationCodeFlow flow =
                new GoogleAuthorizationCodeFlow.Builder(
                        HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
                    .setCredentialStore(credentialStore)
                    .build();
            // actually authorize
            ...
          }

  17. Sample code - authorize()

          public Credential authorize() throws Exception {
            // set up file credential store to save/load tokens
            ...
            // set up authorization code flow
            GoogleAuthorizationCodeFlow flow =
                new GoogleAuthorizationCodeFlow.Builder(
                        HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
                    .setCredentialStore(credentialStore)
                    .build();
            // actually authorize
            return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
                .authorize("user");
          }

  18. Sample code - connect()

          // Construct AdWordsSession object
          // (credential is the Credential returned by authorize())
          AdWordsSession session = new AdWordsSession.Builder()
              .fromFile()
              .withOAuth2Credential(credential)
              .build();

          // Construct AdWordsServices object
          AdWordsServices adWordsServices = new AdWordsServices();

      Full sample code can be found here - http://goo.gl/s6nmR
  19. Further Info
      Installed App Flow and Web Server Flow
      ● Web Server Flow
         ○ Consent: Browser for consent
         ○ Response: Redirects user to callback endpoint
      ● Installed App Flow
         ○ Consent: URL provided - user pastes into browser
         ○ Response: Display code - user pastes into app
         OR
         ○ Consent: URL provided - in-app browser
         ○ Response: Captures code - app returns to auth server
      User Interaction | Programmatic
  20. Further Info
      OAuth 2.0 Best Practices
      ● Use the refreshToken only on expiry
      ● Store the refreshToken for re-use
         ○ To reduce user interaction
      ● clientCustomerId only for reports
         ○ Recommended for all
  21. Further Info
      Token expiration and refresh
      ● Error: AuthenticationError.OAUTH_TOKEN_INVALID
         ○ On: accessToken expired
         ○ Resolution: use refreshToken
      ● Error: AuthenticationError.INVALID_GRANT_ERROR
         ○ On: accessToken revoked
         ○ Resolution: re-auth app with user consent
      User Interaction | Programmatic
  22. Q&A
  23. Resources
      Docs Links:
      https://developers.google.com/accounts/docs/AuthForInstalledApps
      https://developers.google.com/accounts/docs/OAuth2
      https://developers.google.com/accounts/docs/OAuth2WebServer
      Request client_id & client_secret:
      https://code.google.com/apis/console
      Code:
      http://goo.gl/s6nmR
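
The handling described on the "OAuth 2.0 Best Practices" and "Token expiration and refresh" slides (refresh only on expiry, ask for consent again only on revocation), as an added example that is not part of the original deck or of the AdWords client library. Only the two error names come from the slides; `TokenLifecycle`, `TokenSource`, `AuthException` and the token strings are hypothetical, and the authorization server is simulated in-process.

```java
import java.util.function.Function;

public class TokenLifecycle {
    // The two error names come from the slide; every other name here is hypothetical.
    enum AuthError { OAUTH_TOKEN_INVALID, INVALID_GRANT_ERROR }
    static class AuthException extends RuntimeException {
        final AuthError error;
        AuthException(AuthError error) { super(error.name()); this.error = error; }
    }
    interface TokenSource {                   // hypothetical stand-in for the authorization server
        String refresh(String refreshToken);  // programmatic, no user interaction
        String[] reauthorize();               // user consent; returns {accessToken, refreshToken}
    }
    private final TokenSource source;
    private String accessToken, refreshToken;
    int refreshes, consents;                  // counters so the demo can show what happened
    TokenLifecycle(TokenSource s, String at, String rt) { source = s; accessToken = at; refreshToken = rt; }
    // Run an API call: refresh only after an expiry error, re-consent only after a revocation error.
    <T> T call(Function<String, T> apiCall) {
        for (int attempt = 0; ; attempt++) {
            try {
                return apiCall.apply(accessToken);
            } catch (AuthException e) {
                if (attempt == 2) throw e;    // bounded: give up after two recovery attempts
                if (e.error == AuthError.OAUTH_TOKEN_INVALID) {
                    accessToken = source.refresh(refreshToken); refreshes++;
                } else {
                    String[] fresh = source.reauthorize();
                    accessToken = fresh[0]; refreshToken = fresh[1]; consents++;
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed simulation: "access-1" has expired, the API accepts only "access-2".
        TokenSource server = new TokenSource() {
            public String refresh(String rt) { return "access-2"; }
            public String[] reauthorize() { return new String[] {"access-3", "refresh-2"}; }
        };
        Function<String, String> api = t -> {
            if (!t.equals("access-2")) throw new AuthException(AuthError.OAUTH_TOKEN_INVALID);
            return "campaigns";
        };
        TokenLifecycle client = new TokenLifecycle(server, "access-1", "refresh-1");
        for (int i = 0; i < 2; i++)
            System.out.println(client.call(api) + " refreshes=" + client.refreshes + " consents=" + client.consents);
    }
}
```

The second call reuses the refreshed accessToken without contacting the token source again, which is the behaviour the best-practices slide asks for.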
