OAuth 2.0
Life after ClientLogin




                         Google Confidential and Proprietary
Agenda


● Why migrate from ClientLogin?

● What is OAuth 2.0?

● Using OAuth 2.0

   ○   Google APIs Console

   ○   Web Server Flow

● A code example

● Further Info

● Q&A


Why migrate from ClientLogin?


● Exposes username/passwords for MCC and client accounts.

● AuthTokens duration 2 weeks
   ○   No way to revoke issued tokens


● Sunset by 2015
   ○   Might be sooner
   ○   Deprecated since last year




More info -
https://developers.google.com/accounts/docs/AuthForInstalledApps

What is OAuth 2.0?

Better than ClientLogin


● More secure
    ○   Does not expose password/username
    ○   Only exchange OAuth tokens


● More specific access control
    ○   Tokens can have restricted scope on data
    ○   Can easily revoke a token
    ○   Reduced impact if token compromised


● No CAPTCHA challenges.

What is OAuth 2.0?

The Flow


● Setting up access
   ○   Mcc: Register Application


● Using the Authentication
   ○   Make token request
        ■   Ask for user's consent
   ○   Exchange code for access token
        ■   Save the refresh token
   ○   Call the API


● When a token expires
   ○   Refresh the access token

                                        User Interaction | Programmatic

What is OAuth 2.0?




More info -
https://developers.google.com/accounts/docs/OAuth2

Using OAuth 2.0

The Steps


1. Create a project in Google APIs Console
    a.   Generate the client_id and client_secret

2. Use client lib to access OAuth 2.0 "Web Server Flow"

3. Save the refreshToken

4. Use the accessToken to make API calls

5. When the accessToken expires, re-use the refreshToken to
   get more accessTokens



Google APIs Console

Go to https://code.google.com/apis/console and create a new
project


Google APIs Console

You might need to register a Redirect URI, depending on how you
want to use the clientlibs


Google APIs Console

Then create your OAuth 2.0 client_id and client_secret, which
you will need to make OAuth 2.0 calls.




Web Server Flow

Basic coding steps


1. Send a request to the Google Authorization Server, with:
    a.   scope - https://adwords.google.com/api/adwords
    b.   the client_id

2. This opens a browser, with a Google webpage, that allows you to:
    a.   login with your MCC or client account credentials
    b.   authorize access to the given scope

3. This returns the accessToken and refreshToken to your app




More info -
https://developers.google.com/accounts/docs/OAuth2WebServer
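
The request in step 1 and the handling of the redirect that follows consent, as an added example that is not part of the original slides. It uses only the JDK; the class and method names, the placeholder client_id, the localhost redirect URI and the sample callback are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

public class WebServerFlowRequest {
    // Google's OAuth 2.0 authorization endpoint and the AdWords scope from the slide.
    static final String AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth";
    static final String AWAPI_SCOPE = "https://adwords.google.com/api/adwords";

    /** Unguessable per-session value; it ties the callback to the request we sent. */
    static String newState() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Step 1: the URL the user's browser is sent to for login and consent. */
    static String authorizationUrl(String clientId, String redirectUri, String state) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("response_type", "code");
        params.put("client_id", clientId);
        params.put("redirect_uri", redirectUri); // must match the URI registered in the console
        params.put("scope", AWAPI_SCOPE);
        params.put("access_type", "offline");    // ask for a refresh token as well
        params.put("state", state);
        StringBuilder url = new StringBuilder(AUTH_ENDPOINT);
        char sep = '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            url.append(sep).append(e.getKey()).append('=')
               .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return url.toString();
    }

    /** Callback handling: reject errors and state mismatches before using the code. */
    static String codeFromCallback(URI callback, String expectedState) {
        Map<String, String> q = new HashMap<>();
        String raw = callback.getRawQuery();
        if (raw != null) {
            for (String pair : raw.split("&")) {
                String[] kv = pair.split("=", 2);
                q.put(URLDecoder.decode(kv[0], StandardCharsets.UTF_8),
                      kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "");
            }
        }
        if (q.containsKey("error")) {
            throw new IllegalStateException("authorization denied: " + q.get("error"));
        }
        byte[] got = q.getOrDefault("state", "").getBytes(StandardCharsets.UTF_8);
        byte[] want = expectedState.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(got, want)) { // constant-time comparison
            throw new SecurityException("state mismatch: callback not tied to this session");
        }
        String code = q.get("code");
        if (code == null || code.isEmpty()) {
            throw new IllegalStateException("callback carried no authorization code");
        }
        return code; // exchanged server-side, together with the client_secret, for the tokens
    }

    public static void main(String[] args) {
        // Constructed values: placeholder client_id, local redirect URI, sample callbacks.
        String state = newState();
        System.out.println(authorizationUrl("CLIENT_ID_PLACEHOLDER",
                "http://localhost:8080/oauth2callback", state));
        URI ok = URI.create("http://localhost:8080/oauth2callback?code=SAMPLE_CODE&state=" + state);
        System.out.println("code = " + codeFromCallback(ok, state));
        URI forged = URI.create("http://localhost:8080/oauth2callback?code=SAMPLE_CODE&state=other");
        try {
            codeFromCallback(forged, state);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```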
Basic coding steps


       accessToken

● Access for ~ 1 hour

● Then expires




Basic coding steps

accessToken

● Access for ~ 1 hour

● Then expires

refreshToken

● Regenerates accessTokens

● No user interaction

User Interaction | Programmatic

Basic coding steps

accessToken

● Access for ~ 1 hour

● Then expires

refreshToken

● Regenerates accessTokens

● No user interaction

● Be sure to store it

User Interaction | Programmatic

Sample code - authorize()
public Credential authorize() throws Exception {
  // set up file credential store to save/load tokens
  // (Java does not expand "~", so resolve the home directory explicitly)
  FileCredentialStore credentialStore =
      new FileCredentialStore(
          new File(System.getProperty("user.home"), "Desktop/oauth.json"),
          JSON_FACTORY);

  // set up authorization code flow
  ...

  // actually authorize
  ...
}

Sample code - authorize()
public Credential authorize() throws Exception {
  // set up file credential store to save/load tokens
  // (Java does not expand "~", so resolve the home directory explicitly)
  FileCredentialStore credentialStore =
      new FileCredentialStore(
          new File(System.getProperty("user.home"), "Desktop/oauth.json"),
          JSON_FACTORY);

  // set up authorization code flow
  GoogleAuthorizationCodeFlow flow =
      new GoogleAuthorizationCodeFlow
          .Builder(HTTP_TRANSPORT, JSON_FACTORY,
                   CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
          .setCredentialStore(credentialStore)
          .build();

  // actually authorize
  ...
}

Sample code - authorize()
public Credential authorize() throws Exception {
  // set up file credential store to save/load tokens
  ...

  // set up authorization code flow
  GoogleAuthorizationCodeFlow flow =
      new GoogleAuthorizationCodeFlow
          .Builder(HTTP_TRANSPORT, JSON_FACTORY,
                   CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
          .setCredentialStore(credentialStore)
          .build();

  // actually authorize
  return new AuthorizationCodeInstalledApp(
      flow, new LocalServerReceiver())
      .authorize("user");
}

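
The stored refresh token keeps minting access tokens without user interaction, so the file that holds it deserves owner-only permissions. The following is an added example, not code from the slides or from the client library: a JDK-only way to write and read such a file on a POSIX system. The class name, method names, demo path and token value are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class RefreshTokenFile {
    /** Writes the token so that only the owning account can ever read it. */
    static void save(Path target, String refreshToken) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            throw new UnsupportedOperationException(
                    "no POSIX permissions here; use the platform's ACLs or a secret store");
        }
        FileAttribute<Set<PosixFilePermission>> ownerDir =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        FileAttribute<Set<PosixFilePermission>> ownerFile =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        Path dir = target.toAbsolutePath().getParent();
        Files.createDirectories(dir, ownerDir);
        // The temp file is created with mode 0600, so the token is never briefly world-readable.
        Path tmp = Files.createTempFile(dir, "oauth", ".tmp", ownerFile);
        try {
            Files.write(tmp, refreshToken.getBytes(StandardCharsets.UTF_8));
            // Atomic rename: readers see either the old file or the complete new one.
            Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            Files.deleteIfExists(tmp);
        }
    }

    /** Reads the token back, refusing a file that group or others can access. */
    static String load(Path target) throws IOException {
        String mode = PosixFilePermissions.toString(
                Files.getPosixFilePermissions(target, LinkOption.NOFOLLOW_LINKS));
        if (Files.isSymbolicLink(target) || !mode.endsWith("------")) {
            throw new SecurityException("refusing token file with mode " + mode);
        }
        return new String(Files.readAllBytes(target), StandardCharsets.UTF_8).trim();
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: a throw-away directory and a fake token value.
        Path file = Files.createTempDirectory("oauth-demo").resolve("store/oauth.json");
        save(file, "SAMPLE_REFRESH_TOKEN");
        System.out.println("loaded: " + load(file));
        // Loosen the mode to show that load() notices.
        Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-r--r--"));
        try {
            load(file);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```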
Sample code - connect()
// Construct AdWordsSession object
AdWordsSession session =
  new AdWordsSession
   .Builder()
   .fromFile()
   .withOAuth2Credential(credential)
   .build();

// Construct AdWordsServices object
AdWordsServices adWordsServices = new AdWordsServices();




 Full sample code can be found here - http://goo.gl/s6nmR
Further Info

Installed App Flow and Web Server Flow


● Web Server Flow
   ○   Consent: Browser for consent
   ○   Response: Redirects user to callback endpoint



● Installed App Flow
   ○   Consent: URL provided - user pastes into browser
   ○   Response: Display code - user pastes into app
                                  OR
   ○   Consent: URL Provided - in app browser
   ○   Response: Captures code - app returns to auth server

                                                 User Interaction | Programmatic

Further Info

OAuth 2.0 Best Practices


● Use the refreshToken only on expiry

● Store the refreshToken for re-use
   ○   To reduce user interaction


● clientCustomerId only for reports
   ○   Recommended for all




Further Info

Token expiration and refresh


● Error: AuthenticationError.OAUTH_TOKEN_INVALID
   ○   On: accessToken expired
   ○   Resolution: use refreshToken



● Error: AuthenticationError.INVALID_GRANT_ERROR
   ○   On: accessToken revoked
   ○   Resolution: re-auth app with user consent




                                                   User Interaction | Programmatic
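
The two resolutions above, combined with the "refresh only on expiry" practice, as an added example that is not from the slides or the client library. The error strings are the ones on the slide; the classes, the refresher callback and the simulated API in main are hypothetical stand-ins.

```java
import java.util.function.Function;
import java.util.function.UnaryOperator;

public class TokenLifecycle {
    static final String TOKEN_INVALID = "AuthenticationError.OAUTH_TOKEN_INVALID";
    static final String INVALID_GRANT = "AuthenticationError.INVALID_GRANT_ERROR";

    /** Hypothetical carrier for the error string returned with a failed call. */
    static class ApiError extends RuntimeException {
        final String code;
        ApiError(String code) { super(code); this.code = code; }
    }

    /** Raised when only a new user consent can restore access. */
    static class ConsentRequired extends RuntimeException {
        ConsentRequired(Throwable cause) { super("re-authorize with user consent", cause); }
    }

    private final String refreshToken;
    private final UnaryOperator<String> refresher; // refreshToken -> new accessToken
    private String accessToken;
    int refreshes = 0;

    TokenLifecycle(String accessToken, String refreshToken, UnaryOperator<String> refresher) {
        this.accessToken = accessToken;
        this.refreshToken = refreshToken;
        this.refresher = refresher;
    }

    /** Runs one API call, refreshing at most once and only after an expiry error. */
    <T> T call(Function<String, T> apiCall) {
        try {
            return apiCall.apply(accessToken);
        } catch (ApiError first) {
            if (INVALID_GRANT.equals(first.code)) throw new ConsentRequired(first);
            if (!TOKEN_INVALID.equals(first.code)) throw first; // unrelated error
        }
        try {
            accessToken = refresher.apply(refreshToken); // programmatic, no user interaction
            refreshes++;
            return apiCall.apply(accessToken);           // single retry, never a loop
        } catch (ApiError second) {
            if (INVALID_GRANT.equals(second.code)) throw new ConsentRequired(second);
            throw second;
        }
    }

    public static void main(String[] args) {
        // Constructed stand-ins: "at-old" has expired, "at-new" is valid.
        Function<String, String> api = token -> {
            if (!token.equals("at-new")) throw new ApiError(TOKEN_INVALID);
            return "call succeeded";
        };

        TokenLifecycle healthy = new TokenLifecycle("at-old", "rt-1", rt -> "at-new");
        System.out.println(healthy.call(api) + ", refreshes=" + healthy.refreshes);
        System.out.println(healthy.call(api) + ", refreshes=" + healthy.refreshes);

        TokenLifecycle revoked = new TokenLifecycle("at-old", "rt-1",
                rt -> { throw new ApiError(INVALID_GRANT); });
        try {
            revoked.call(api);
        } catch (ConsentRequired e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The second call in main reuses the refreshed access token, so the refresh count stays at 1.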

Q&A
Resources


Docs Links:

https://developers.google.com/accounts/docs/AuthForInstalledApps

https://developers.google.com/accounts/docs/OAuth2

https://developers.google.com/accounts/docs/OAuth2WebServer

Request client_id & client_secret:

https://code.google.com/apis/console

Code:

http://goo.gl/s6nmR


