AdWords API & OAuth 2.0, Advanced
Published in: Technology, Business
1 Comment
  • The 'Example - OAuth 2.0 Key Cache' link is invalid; Is there a valid link available somewhere? Fumbling around under various permutations of the name in code.google.com and Google search does not yield any relevant results.

  1. Google Inc - All Rights Reserved
  2. AdWords API - Using OAuth 2.0: Advanced usage
     Ray Tsang, Google, Inc.
     Danial Klimkin, Google, Inc.
  3. Agenda
     ● Hopefully you are already using OAuth 2.0!
     ● Issue with unoptimized OAuth 2.0 requests
     ● Solutions
     ● Resources
  4. Refresher: OAuth 2.0????
  5. ClientLogin is Going Away!
     ClientLogin is going away
     You must migrate to OAuth 2.0 ASAP
  6. Why OAuth 2.0?
     Secure
     ○ Users enter their username/password in secure Google login page
     ○ Third-party application won't receive or store the password
     ○ Reduced impact if OAuth 2.0 access is compromised
     More Control
     ○ Restrict access via "scopes"
     ○ User can revoke access at will
     Standards driven
     ○ RFC 6749
     ○ Used by many large service providers, including Google
  7. Already using OAuth 2.0?
     Great to hear! Watch out for some common issues
  8. Access Token Expiration
     Anticipate the possibility that a granted token might no longer work
     ○ The access token has expired (expires_in value)
     ○ The user has revoked access
     ○ The account has exceeded a certain number of active tokens for the same application
  9. Refresh Token Expiration
     The refresh token expires if unused for six months.
     25 refresh token limit per user per application
     ○ When exceeded, oldest refresh token is quietly invalidated
     ○ No user-visible warning - your application needs to handle this
     You should only need one refresh token per user
  10. Common Errors
      When an access token has expired or been revoked:
      AuthenticationError.OAUTH_TOKEN_INVALID
      ○ Cause: access token expired
      ○ Resolution: get a new access token with the refresh token
      AuthenticationError.INVALID_GRANT_ERROR
      ○ Cause: access revoked
      ○ Resolution: re-authorize via the authorization URL (the consent screen)
  11. Revoking Access
  12. Rate Limits
      There is a rate limit for obtaining the access token
      QPS may change over time based on different conditions
      Beware in multi-threaded and/or multi-server environment
      Be ready for it in Production!
  13. Multithreaded Environment
      [Diagram: one Client Application with Thread 1, Thread 2, ... Thread N, each saying:]
      "I have a refresh token, I need an access token!"
  14. Multi-Server / Multi-Process Environment
      [Diagram: several Client Application instances, each saying:]
      "I have a refresh token, I need an access token!"
  15. Put Them Together
      [Diagram: several Client Application instances, each with Thread 1, Thread 2, ... Thread N]
  16. What's Your Platform Like?
      .Net
  17. Sharing the access token
      Sharing is caring
  18. Share the token and the expiration time
      ○ Access token
      ○ Calculated expiration time
      [Diagram: clock face labelled T1, expires_in, Te]
  19. Use a Singleton
      Multithreaded platforms can share data among threads
      ○ Must be thread-safe
      ○ Use the singleton pattern
      Credential object in Java can be shared
  20. Minimize Access Token Requests
      [Diagram: one Client Application with Thread 1, Thread 2, ... Thread N, saying:]
      "I have a refresh token, I need an access token!"
      "I'll re-use the Credential"
      "I'll re-use the Credential"
  21. Handling Expiration
      Minimizing the number of initial access token requests is half the problem
      When access token expires - minimize refresh requests!
      Credential object in Java handles expiration
  22. Use Shared storage
      Use a shared storage
      ○ In-memory: Memcached, Infinispan, Ehcache, ...
      ○ Persistent: RDBMS, MongoDB, …
      Store securely!
      Don't forget to check for expirations
  23. Using a Shared Storage
      [Diagram: several Client Application instances around one Shared Storage]
      1. Check if unexpired access token is already in the shared storage
      2. If expired, use the refresh token to get an access token
      3. Write the credential back to the shared storage
      4. Check if unexpired access token is already in the shared storage (another Client Application)
  24. Proactive Refresh
      Worst case scenario: All processes simultaneously read expired access token from the shared storage
      ● Avoid race conditions
      ● Eagerly refresh stored credentials before they expire
        ○ e.g., If access token expires in 1 hr, refresh in 45 minutes
      Make sure server clocks are in sync (use NTP)
  25. Proactive Refresh
      [Diagram: Client Application, Shared Storage, Periodic Refresher]
      Client Application: Check if unexpired access token is already in the shared storage
      Periodic Refresher:
      1. Use the refresh token to get a new access token
      2. Write the credential back to the shared storage
  26. OAuth 2.0 Token Management Server
      Centralize OAuth 2.0 access token management
      ○ Retrieval
      ○ Refresh
      ○ Storage
      Service-oriented approach
      Example - OAuth 2.0 Key Cache
  27. Using a Token Management Server
      [Diagram: Client Application and Token Mgmt Server]
      1. Client Application: "I need the access token"
      2. Token Mgmt Server: "Here you go!"
      Token Mgmt Server: "Oops! Expired, let me fetch another one."
  28. Last Note - Security!
      Refresh token and access token = Credentials
      Store them securely!
  29. Resources
      Download links
      ○ AdWords API OAuth 2.0 Guide
      ○ Optimizing OAuth 2.0 Requests for AdWords API
      ○ Google OAuth 2.0 Documentation
  30. Questions?
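
An added example, not from the slides or from any AdWords client library, of the in-process pattern on slides 18 to 21 combined with the proactive-refresh margin from slide 24: one thread-safe object holds the access token and its calculated expiration time, so N threads cause one token request. `SharedAccessToken`, `fetch`, `refresh_margin` and the fake token values are hypothetical names chosen here, and reading Te as T1 + expires_in is an assumption about the slide 18 diagram.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class SharedAccessToken:
    """Process-wide holder for one access token and its calculated expiry."""

    def __init__(self, fetch, refresh_margin=900, clock=time.monotonic):
        self._fetch = fetch            # hypothetical: returns (access_token, expires_in)
        self._margin = refresh_margin  # refresh this many seconds before Te
        self._clock = clock
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0         # Te = T1 + expires_in (assumed reading of slide 18)

    def get(self):
        # The lock makes check-then-refresh atomic, so concurrent callers
        # that all see a stale token produce exactly one token request.
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._margin:
                issued_at = self._clock()              # T1
                self._token, expires_in = self._fetch()
                self._expires_at = issued_at + expires_in
            return self._token


def demo(threads=20):
    """Constructed scenario: count token requests made by `threads` workers."""
    now = [0.0]                       # fake clock so the demo runs instantly
    calls = []

    def fake_fetch():                 # stand-in for the refresh-token exchange
        calls.append(now[0])
        return "token-%d" % len(calls), 3600

    cache = SharedAccessToken(fake_fetch, clock=lambda: now[0])
    with ThreadPoolExecutor(threads) as pool:
        first = set(pool.map(lambda _: cache.get(), range(threads)))
    now[0] = 2000.0                   # before the 45-minute mark: still reused
    reused = cache.get()
    now[0] = 2700.0                   # 45 minutes in: refreshed ahead of expiry
    with ThreadPoolExecutor(threads) as pool:
        second = set(pool.map(lambda _: cache.get(), range(threads)))
    return first, reused, second, len(calls)


if __name__ == "__main__":
    print(demo())
```

This covers a single process only; across servers the same check-then-refresh step has to be made atomic in the shared storage, with clocks kept in sync as slide 24 notes.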