AdWords API and OAuth 2.0

Published in: Technology

1 Comment
  • That API endpoint URL in Slide 17 appears to be wrong? When I use the AdWords API Library to get an authentication URL, it's at www.google.com/oauth2 - not specifically an AdWords API URL? And the flow is somewhat different for an 'Installed Application', which other Google documents describe as the recommended flow. And you don't seem to need a Client Secret for an 'Installed Application'. Given how much Slide 17 seems to diverge from what I can find out... how valid is the rest?
Transcript

  • 1. AdWords API & OAuth 2.0
       Life after ClientLogin
       Google Confidential and Proprietary
  • 2. Ch-Ch-Ch-Changes
       Changes are coming for authentication of your applications.
  • 3. How it works today:
       1. Your app talks to authentication servers (blah blah blah)
          a. Your app gets an access token (AuthToken)
       2. Your app talks to the AdWords API servers
          a. Passes in Developer Key and access token
          b. Your app has to periodically re-authenticate.
       Today: blah blah blah is called ClientLogin
  • 4. How it will work in the new world:
       1. Your app talks to authentication servers (wah wah wah)
          a. Your app gets an access token.
       2. Your app talks to the AdWords API servers
          a. Passes in Developer Key and access token
          b. Your app has to periodically re-authenticate.
       New: wah wah wah is done with OAuth 2.0
  • 5. DON'T PANIC!
       ● This shouldn't be a big deal for you.
       ● Will improve the security of your applications and data.
  • 6. What's wrong with ClientLogin?
       ● Exposes username/passwords for MCC and client accounts.
       ● AuthTokens duration 2 weeks
         ○ No way to revoke issued tokens
       ● Sunset by 2015
         ○ Might be sooner
         ○ Deprecated since last year
  • 7. Why OAuth 2.0?
       ● OAuth 2.0 is more secure
         ○ Does not expose password/username
         ○ Only exchanges OAuth tokens
       ● More specific access control
         ○ Tokens can have restricted scope on data
         ○ Can easily revoke a token
         ○ Reduced impact if token compromised
       ● No CAPTCHA challenges.
       ● Have learned a lot from the mess of OAuth 1.0
  • 8. Using OAuth 2.0: Your Key Steps
       1. Registering the OAuth application
       2. Authenticating to get access token (AuthToken) and refresh token.
       3. Call the AdWords API with the access token.
       4. Handle token expiration.
  • 9. Using OAuth 2.0, Step 1: Registering
       Go to https://code.google.com/apis/console and create a new project
  • 10. Google APIs Console
  • 11. Google APIs Console
  • 12. Google APIs Console
  • 13. Google APIs Console
  • 14. Google APIs Console
  • 15. Using OAuth 2.0
  • 16. Using OAuth 2.0, Step 2: Coding for OAuth 2.0
       ● Are you using the client libraries?
       ● Most are already up to date
         ○ Ruby
         ○ Java (new)
         ○ .NET
         ○ Python
         ○ Perl
       ● Rest will be coming soon
  • 17. Using OAuth 2.0, Step 2: Coding by Hand
       1. Send a request to the Google Authorization Server, with:
          a. what you want access to (the scope): https://adwords.google.com/api/adwords
          b. and the client_id and the client_secret
       2. The next step requires the user to interact with a Google web page, which allows you to:
          a. log in with your MCC or client account credentials
          b. authorize access to the given scope
       3. This returns the accessToken and refreshToken to your app
  • 18. Step 2: How to use the tokens returned
       accessToken
         ● Access for ~ 1 hour
         ● Then expires
  • 19. Step 2: How to use the tokens returned
       accessToken
         ● Access for ~ 1 hour
         ● Then expires
       refreshToken
         ● Regenerates accessTokens
         ● No user interaction required
  • 20. Step 2: How to use the tokens returned
       accessToken
         ● Access for ~ 1 hour
         ● Then expires
       refreshToken
         ● Regenerates accessTokens
         ● No user interaction required
         ● Be sure to store it
  • 21. Step 2 (by hand): Let's look at some code
       (This code is available on the web, so don't worry if you can't follow it all now.)
       http://goo.gl/s6nmR
  • 22. Sample code - authorize()
       public Credential authorize() throws Exception {
         // set up file credential store to save/load tokens
         // (Java does not expand "~", so the home directory is resolved explicitly)
         FileCredentialStore credentialStore = new FileCredentialStore(
             new File(System.getProperty("user.home"), "Desktop/oauth.json"), JSON_FACTORY);
         // set up authorization code flow
         ...
         // actually authorize
         ...
       }
  • 23. Sample code - authorize()
       public Credential authorize() throws Exception {
         // set up file credential store to save/load tokens
         // (Java does not expand "~", so the home directory is resolved explicitly)
         FileCredentialStore credentialStore = new FileCredentialStore(
             new File(System.getProperty("user.home"), "Desktop/oauth.json"), JSON_FACTORY);
         // set up authorization code flow
         GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow
             .Builder(HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
             .setCredentialStore(credentialStore)
             .build();
         // actually authorize
         ...
       }
  • 24. Sample code - authorize()
       public Credential authorize() throws Exception {
         // set up file credential store to save/load tokens
         ...
         // set up authorization code flow
         GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow
             .Builder(HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
             .setCredentialStore(credentialStore)
             .build();
         // actually authorize: LocalServerReceiver catches the redirect on a local port
         return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
             .authorize("user");
       }
  • 25. Sample code - connect()
       // Construct AdWordsSession object
       AdWordsSession session = new AdWordsSession.Builder()
           .fromFile()
           .withOAuth2Credential(credential)
           .build();
       // Construct AdWordsServices object
       AdWordsServices adWordsServices = new AdWordsServices();
  • 26. Further Info: Authentication Flows
       You've got choices
       ● Web Server Flow
         ○ Consent: Browser for consent
         ○ Response: Redirects user to callback endpoint
       ● Installed App Flow
         ○ Consent: URL provided - user pastes into browser
         ○ Response: Display code - user pastes into app
         OR
         ○ Consent: URL provided - in-app browser
         ○ Response: Captures code - app returns to auth server
       User Interaction | Programmatic
  • 27. Further Info: OAuth 2.0 Best Practices
       ● Use the refreshToken only on accessToken expiry
       ● Store the refreshToken for re-use
         ○ To reduce user interaction
       ● Officially clientCustomerId needed only for reports
         ○ Recommended for all
  • 28. Coding by Hand: Handling Expired Tokens
       ● What? I need to handle token expirations?
       ● Theoretically, you should be able to restart requests today!
         ○ ClientLogin auth tokens can time out.
         ○ Server calls can fail in a way that suggests you should retry.
  • 29. Further Info: Coding by Hand: Error Handling
       ● Error: AuthenticationError.OAUTH_TOKEN_INVALID
         ○ On: accessToken expired
         ○ Resolution: use refreshToken
       ● Error: AuthenticationError.INVALID_GRANT_ERROR
         ○ On: accessToken revoked
         ○ Resolution: re-auth app with user consent
  • 30. Summary
       ● Change is coming
       ● Shouldn't be a big deal
         ○ Will actually improve your app security
       ● Client library users should be ready to go now or soon.
  • 31. Q&A
  • 32. Resources
       Docs Links: https://developers.google.com/accounts/docs/OAuth2
       Register app, get client_id & client_secret: https://code.google.com/apis/console
       Java Sample Code: http://goo.gl/s6nmR
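
The hand-coded steps on slide 17, written out as an added example that is not part of the deck or of Google's sample code: it builds the consent URL, accepts the callback only when its `state` value matches, and forms the code-exchange request. The endpoint, `state`, `access_type=offline`, the redirect URI and the client values are assumptions taken from standard OAuth 2.0 usage or constructed here, and the `state` check goes beyond what the slide lists.

```java
import java.math.BigInteger;
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

class AuthCodeFlowExample {
    // Assumption: endpoint from Google's OAuth 2.0 documentation, not from the slides.
    static final String AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth";
    // The URL on slide 17 is the scope (what is accessed), not an endpoint.
    static final String AWAPI_SCOPE = "https://adwords.google.com/api/adwords";
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    static String newState() { return new BigInteger(128, new SecureRandom()).toString(32); }

    // Step 1: the URL the user opens to log in and authorize the scope.
    static String authUrl(String clientId, String redirectUri, String state) {
        return AUTH_ENDPOINT + "?response_type=code"
            + "&client_id=" + enc(clientId) + "&redirect_uri=" + enc(redirectUri)
            + "&scope=" + enc(AWAPI_SCOPE) + "&access_type=offline" // offline: also issue a refreshToken
            + "&state=" + enc(state);                               // binds the callback to this request
    }

    // Step 2: accept the callback only if it carries the state issued in step 1.
    static String codeFromCallback(String callbackUrl, String expectedState) {
        String query = URI.create(callbackUrl).getRawQuery(), code = null, state = null;
        for (String kv : (query == null ? "" : query).split("&")) {
            String[] p = kv.split("=", 2);
            String v = URLDecoder.decode(p.length > 1 ? p[1] : "", StandardCharsets.UTF_8);
            if (p[0].equals("code")) code = v;
            if (p[0].equals("state")) state = v;
        }
        if (code == null || !expectedState.equals(state))
            throw new SecurityException("callback rejected: no code or state mismatch");
        return code;
    }

    // Step 3: form body that exchanges the code for accessToken and refreshToken.
    static String tokenRequestBody(String code, String id, String secret, String redirectUri) {
        return "grant_type=authorization_code&code=" + enc(code) + "&client_id=" + enc(id)
            + "&client_secret=" + enc(secret) + "&redirect_uri=" + enc(redirectUri);
    }

    public static void main(String[] args) {
        String redirect = "http://localhost:8080/callback", state = newState(); // constructed
        System.out.println(authUrl("CLIENT_ID", redirect, state));
        String code = codeFromCallback(redirect + "?code=constructed-code&state=" + state, state);
        System.out.println(tokenRequestBody(code, "CLIENT_ID", "CLIENT_SECRET", redirect));
    }
}
```

Runs as a single source file on Java 11 or later; the body from step 3 is what gets POSTed to the token endpoint.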
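
Slides 18 to 20 and 27 to 29 say when to refresh and when to re-authorize; the following added example (not from the deck or the client libraries) applies those rules around an API call. `refresher`, `ApiError` and `ReauthRequired` are hypothetical names, and the token endpoint and the AdWords API are simulated with constructed values.

```java
import java.util.function.Function;
import java.util.function.UnaryOperator;

class TokenLifecycleExample {
    // Error names as given on slide 29.
    static final String TOKEN_INVALID = "AuthenticationError.OAUTH_TOKEN_INVALID";
    static final String INVALID_GRANT = "AuthenticationError.INVALID_GRANT_ERROR";
    static class ApiError extends RuntimeException { ApiError(String code) { super(code); } }
    static class ReauthRequired extends RuntimeException { }
    private final UnaryOperator<String> refresher; // hypothetical: refreshToken -> new accessToken
    private String refreshToken, accessToken;      // a real app loads refreshToken from protected storage

    TokenLifecycleExample(String rt, UnaryOperator<String> r) { refreshToken = rt; refresher = r; }

    // Runs one API call: refresh only on expiry, retry once, stop on revocation.
    <T> T call(Function<String, T> request) {
        try {
            if (accessToken == null) refresh();
            try {
                return request.apply(accessToken);
            } catch (ApiError e) {
                if (!TOKEN_INVALID.equals(e.getMessage())) throw e;
                refresh();                          // expired: new accessToken, no user involved
                return request.apply(accessToken);  // single retry, never a loop
            }
        } catch (ApiError e) {
            if (!INVALID_GRANT.equals(e.getMessage())) throw e;
            accessToken = refreshToken = null;      // revoked: discard instead of retrying
            throw new ReauthRequired();             // caller sends the user through consent again
        }
    }
    private void refresh() {
        if (refreshToken == null) throw new ReauthRequired();
        accessToken = refresher.apply(refreshToken);
    }

    public static void main(String[] args) {
        int[] issued = {0};      // constructed stand-ins for the token endpoint and the API follow
        String[] dead = {null};  // accessToken the fake API treats as expired
        TokenLifecycleExample t = new TokenLifecycleExample("rt-constructed", rt -> "at-" + ++issued[0]);
        Function<String, String> api = at -> {
            if (at.equals(dead[0])) throw new ApiError(TOKEN_INVALID);
            return "ok with " + at;
        };
        System.out.println(t.call(api));            // first call obtains an accessToken
        dead[0] = "at-1";
        System.out.println(t.call(api));            // expired token is refreshed and retried
        try { t.call(at -> { throw new ApiError(INVALID_GRANT); }); }
        catch (ReauthRequired e) { System.out.println("re-authorization required"); }
    }
}
```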