2. Agenda
● Why migrate from ClientLogin?
● What is OAuth 2.0?
● Using OAuth 2.0
○ Google APIs Console
○ Web Server Flow
● A code example
● Further Info
● Q&A
Google Confidential and Proprietary
3. Why migrate from ClientLogin?
● Exposes username/passwords for MCC and client accounts.
● AuthTokens duration 2 weeks
○ No way to revoke issued tokens
● Sunset by 2015
○ Might be sooner
○ Deprecated since last year
More info -
https://developers.google.com/accounts/docs/AuthForInstalledApps
4. What is OAuth 2.0?
Better than ClientLogin
● More secure
○ Does not expose password/username
○ Only exchange OAuth tokens
● More specific access control
○ Tokens can have restricted scope on data
○ Can easily revoke a token
○ Reduced impact if token compromised
● No CAPTCHA challenges.
5. What is OAuth 2.0?
The Flow
● Setting up access
○ MCC: Register application
● Using the Authentication
○ Make token request
■ Ask for user's consent
○ Exchange code for access token
■ Save the refresh token
○ Call the API
● When a token expires
○ Refresh the access token
6. What is OAuth 2.0?
More info -
https://developers.google.com/accounts/docs/OAuth2
7. Using OAuth 2.0
The Steps
1. Create a project in Google APIs Console
a. Generate the client_id and client_secret
2. Use client lib to access OAuth 2.0 "Web Server Flow"
3. Save the refreshToken
4. Use the accessToken to make API calls
5. When the accessToken expires, re-use the refreshToken to
get more accessTokens
8. Google APIs Console
Go to https://code.google.com/apis/console and create a new
project
9. Google APIs Console
You might need to register a Redirect URI, depending on how you
want to use the clientlibs
10. Google APIs Console
Then create your OAuth 2.0 client_id and client_secret, which
you will need to make OAuth 2.0 calls.
11. Web Server Flow
Basic coding steps
1. Send a request to the Google Authorization Server, with:
a. scope - https://adwords.google.com/api/adwords
b. the client_id
2. This opens a browser, with a Google webpage, that allows you to:
a. login with your MCC or client account credentials
b. authorize access to the given scope
3. This returns the accessToken and refreshToken to your app
More info -
https://developers.google.com/accounts/docs/OAuth2WebServer
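Steps 1 to 3 as the authorization request a web app would build, written out as an added example (not from the original slides or the Google client library). The client ID and redirect URI are placeholders; `access_type=offline` and the `state` check are additions the slide does not list: the first asks Google to issue a refreshToken, the second ties the callback to the session that started the flow.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class WebServerFlowRequest {
    static final String AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth";
    static final String AWAPI_SCOPE = "https://adwords.google.com/api/adwords";

    /** Unguessable per-request value, kept in the user's session until the callback. */
    static String newState() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Step 1: the URL the browser is sent to for login and consent. */
    static String authorizationUrl(String clientId, String redirectUri, String state) {
        Map<String, String> p = new LinkedHashMap<>();
        p.put("response_type", "code");      // callback receives a code, not the tokens
        p.put("client_id", clientId);
        p.put("redirect_uri", redirectUri);  // must match the URI registered in the console
        p.put("scope", AWAPI_SCOPE);
        p.put("access_type", "offline");     // request a refreshToken as well
        p.put("state", state);
        return AUTH_ENDPOINT + "?" + p.entrySet().stream()
            .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    /** Callback check: reject any redirect whose state is not the one we issued. */
    static boolean stateMatches(String expected, String received) {
        return received != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8), received.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String state = newState();
        // Placeholder client ID and redirect URI, not real values.
        System.out.println(
            authorizationUrl("YOUR_CLIENT_ID", "https://example.com/oauth2callback", state));
        System.out.println("own state accepted:    " + stateMatches(state, state));
        System.out.println("forged state accepted: " + stateMatches(state, "forged"));
    }
}
```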
12. Basic coding steps
accessToken
● Access for ~ 1 hour
● Then expires
13. Basic coding steps
accessToken
● Access for ~ 1 hour
● Then expires
refreshToken
● Regenerates accessTokens
● No user interaction
14. Basic coding steps
accessToken
● Access for ~ 1 hour
● Then expires
refreshToken
● Regenerates accessTokens
● No user interaction
● Be sure to store it
15. Sample code - authorize()
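public Credential authorize() throws Exception {
  // set up file credential store to save/load tokens
  // (Java does not expand "~", so resolve the home directory explicitly;
  // this file will hold the refreshToken: keep it readable by its owner only)
  FileCredentialStore credentialStore =
      new FileCredentialStore(
          new File(System.getProperty("user.home"), "Desktop/oauth.json"),
          JSON_FACTORY);
  // set up authorization code flow
  ...
  // actually authorize
  ...
}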
16. Sample code - authorize()
public Credential authorize() throws Exception {
  // set up file credential store to save/load tokens
  // (Java does not expand "~", so resolve the home directory explicitly)
  FileCredentialStore credentialStore =
      new FileCredentialStore(
          new File(System.getProperty("user.home"), "Desktop/oauth.json"),
          JSON_FACTORY);
  // set up authorization code flow
  GoogleAuthorizationCodeFlow flow =
      new GoogleAuthorizationCodeFlow
          .Builder(HTTP_TRANSPORT, JSON_FACTORY,
                   CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
          .setCredentialStore(credentialStore)
          .build();
  // actually authorize
  ...
}
17. Sample code - authorize()
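public Credential authorize() throws Exception {
  // set up file credential store to save/load tokens
  // (Java does not expand "~", so resolve the home directory explicitly)
  FileCredentialStore credentialStore =
      new FileCredentialStore(
          new File(System.getProperty("user.home"), "Desktop/oauth.json"),
          JSON_FACTORY);
  // set up authorization code flow
  GoogleAuthorizationCodeFlow flow =
      new GoogleAuthorizationCodeFlow
          .Builder(HTTP_TRANSPORT, JSON_FACTORY,
                   CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
          .setCredentialStore(credentialStore)
          .build();
  // actually authorize: opens the consent page and waits for the
  // redirect on a local server, then returns the stored Credential
  return new AuthorizationCodeInstalledApp(
      flow, new LocalServerReceiver())
      .authorize("user");
}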
18. Sample code - connect()
// Construct AdWordsSession object
AdWordsSession session =
    new AdWordsSession
        .Builder()
        .fromFile()
        .withOAuth2Credential(credential)
        .build();
// Construct AdWordsServices object
AdWordsServices adWordsServices = new AdWordsServices();
Full sample code can be found here - http://goo.gl/s6nmR
19. Further Info
Installed App Flow and Web Server Flow
● Web Server Flow
○ Consent: Browser for consent
○ Response: Redirects user to callback endpoint
● Installed App Flow
○ Consent: URL provided - user pastes into browser
○ Response: Display code - user pastes into app
OR
○ Consent: URL Provided - in app browser
○ Response: Captures code - app returns to auth server
20. Further Info
OAuth 2.0 Best Practices
● Use the refreshToken only on expiry
● Store the refreshToken for re-use
○ To reduce user interaction
● clientCustomerId only for reports
○ Recommended for all
21. Further Info
Token expiration and refresh
● Error: AuthenticationError.OAUTH_TOKEN_INVALID
○ On: accessToken expired
○ Resolution: use refreshToken
● Error: AuthenticationError.INVALID_GRANT_ERROR
○ On: accessToken revoked
○ Resolution: re-auth app with user consent
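The refresh-on-expiry practice and the revoked-grant handling from the last two slides, as an added example (not the client library's code; requires Java 16+). The `TokenLifecycle` class, the `RefreshResult` record and the stand-in token endpoint are hypothetical; `invalid_grant` is the OAuth 2.0 token-endpoint error code, used here for the revoked case.

```java
import java.time.Instant;
import java.util.function.Function;

public class TokenLifecycle {
    /** Thrown when the grant is gone and the user must consent again. */
    static class ReauthorizationRequired extends Exception {
        ReauthorizationRequired(String why) { super(why); }
    }
    /** Outcome of one refresh call: a new token and lifetime, or an OAuth error code. */
    record RefreshResult(String accessToken, long expiresInSeconds, String error) {}

    private final Function<String, RefreshResult> tokenEndpoint; // refreshToken -> result
    private String refreshToken;
    private String accessToken;
    private Instant expiresAt = Instant.EPOCH;
    int refreshCalls = 0;

    TokenLifecycle(String storedRefreshToken, Function<String, RefreshResult> tokenEndpoint) {
        this.refreshToken = storedRefreshToken;
        this.tokenEndpoint = tokenEndpoint;
    }

    /** Returns a usable accessToken, refreshing only when the cached one has expired. */
    String currentAccessToken(Instant now) throws ReauthorizationRequired {
        if (refreshToken == null) throw new ReauthorizationRequired("no stored refreshToken");
        if (accessToken != null && now.isBefore(expiresAt.minusSeconds(60))) return accessToken;
        refreshCalls++;
        RefreshResult r = tokenEndpoint.apply(refreshToken);
        if ("invalid_grant".equals(r.error())) {
            refreshToken = null; accessToken = null; // revoked: discard, do not retry
            throw new ReauthorizationRequired("grant revoked, user consent needed");
        }
        if (r.error() != null) throw new IllegalStateException("token endpoint: " + r.error());
        accessToken = r.accessToken();
        expiresAt = now.plusSeconds(r.expiresInSeconds());
        return accessToken;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the token endpoint: always issues a 1-hour token.
        TokenLifecycle tokens = new TokenLifecycle("stored-refresh-token",
            rt -> new RefreshResult("sample-access-token", 3600, null));
        Instant t0 = Instant.parse("2013-01-01T00:00:00Z");
        tokens.currentAccessToken(t0);                   // first use: refresh
        tokens.currentAccessToken(t0.plusSeconds(1800)); // still valid: served from cache
        tokens.currentAccessToken(t0.plusSeconds(3600)); // expired: refresh again
        System.out.println("refresh calls: " + tokens.refreshCalls);
    }
}
```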