AdWords API and OAuth 2.0

1 Comment
  • That API endpoint URL in Slide 17 appears to be wrong? When I use the AdWords API Library to get an authentication URL, it's at www.google.com/oauth2 - not specifically an AdWords API URL? And the flow is somewhat different for an 'Installed Application', which other Google documents describe as the recommended flow. And you don't seem to need a Client Secret for an 'Installed Application'. Given how much Slide 17 seems to diverge from what I can find out... how valid is the rest?
AdWords API and OAuth 2.0

  1. AdWords API & OAuth 2.0
     Life after ClientLogin
     Google Confidential and Proprietary
  2. Ch-Ch-Ch-Changes
     Changes are coming for authentication of your applications.
  3. How it works today:
     1. Your app talks to authentication servers (blah blah blah)
        a. Your app gets an access token (AuthToken)
     2. Your app talks to the AdWords API servers
        a. Passes in Developer Key and access token
        b. Your app has to periodically re-authenticate.
     Today: blah blah blah is called ClientLogin
  4. How it will work in the new world:
     1. Your app talks to authentication servers (wah wah wah)
        a. Your app gets an access token.
     2. Your app talks to the AdWords API servers
        a. Passes in Developer Key and access token
        b. Your app has to periodically re-authenticate.
     New: wah wah wah is done with OAuth 2.0
  5. DON'T PANIC!
     ● This shouldn't be a big deal for you.
     ● Will improve the security of your applications and data.
  6. What's wrong with ClientLogin?
     ● Exposes username/passwords for MCC and client accounts.
     ● AuthTokens duration 2 weeks
       ○ No way to revoke issued tokens
     ● Sunset by 2015
       ○ Might be sooner
       ○ Deprecated since last year
  7. Why OAuth 2.0?
     ● OAuth 2.0 is more secure
       ○ Does not expose password/username
       ○ Only exchange OAuth tokens
     ● More specific access control
       ○ Tokens can have restricted scope on data
       ○ Can easily revoke a token
       ○ Reduced impact if token compromised
     ● No CAPTCHA challenges.
     ● Have learned a lot from the mess of OAuth 1.0
  8. Using OAuth 2.0
     Your Key Steps
     1. Registering the OAuth application
     2. Authenticating to get access token (AuthToken) and refresh token.
     3. Call the AdWords API with the access token.
     4. Handle token expiration.
  9. Using OAuth 2.0
     Step 1: Registering
     Go to: https://code.google.com/apis/console and create a new project
  10. Google APIs Console
  11. Google APIs Console
  12. Google APIs Console
  13. Google APIs Console
  14. Google APIs Console
  15. Using OAuth 2.0
  16. Using OAuth 2.0
      Step 2: Coding for OAuth 2.0
      ● Are you using the client libraries?
      ● Most are already up to date
        ○ Ruby
        ○ Java (new)
        ○ .NET
        ○ Python
        ○ Perl
      ● Rest will be coming soon
  17. Using OAuth 2.0
      Step 2: Coding by Hand
      1. Send a request to the Google Authorization Server, with:
         a. what you want access to - https://adwords.google.com/api/adwords
         b. and the client_id and the client_secret
      2. Next step requires the actual user to interact with a Google webpage, that allows you to:
         a. login with your MCC or client account credentials
         b. authorize access to the given scope
      3. This returns the accessToken and refreshToken to your app
  18. Step 2: How to use the tokens returned
      accessToken
      ● Access for ~ 1 hour
      ● Then expires
  19. Step 2: How to use the tokens returned
      accessToken
      ● Access for ~ 1 hour
      ● Then expires
      refreshToken
      ● Regenerates accessTokens
      ● No user interaction required
  20. Step 2: How to use the tokens returned
      accessToken
      ● Access for ~ 1 hour
      ● Then expires
      refreshToken
      ● Regenerates accessTokens
      ● No user interaction required
      ● Be sure to store it
  21. Step 2 (by hand): Let's look at some code
      (This code is available on the web, so don't worry if you can't follow it all now.)
      http://goo.gl/s6nmR
  22. Sample code - authorize()

          public Credential authorize() throws Exception {
            // set up file credential store to save/load tokens
            // (Java does not expand "~", so resolve the home directory explicitly)
            FileCredentialStore credentialStore =
                new FileCredentialStore(
                    new File(System.getProperty("user.home"), "Desktop/oauth.json"),
                    JSON_FACTORY);
            // set up authorization code flow
            ...
            // actually authorize
            ...
          }

  23. Sample code - authorize()

          public Credential authorize() throws Exception {
            // set up file credential store to save/load tokens
            // (Java does not expand "~", so resolve the home directory explicitly)
            FileCredentialStore credentialStore =
                new FileCredentialStore(
                    new File(System.getProperty("user.home"), "Desktop/oauth.json"),
                    JSON_FACTORY);
            // set up authorization code flow
            GoogleAuthorizationCodeFlow flow =
                new GoogleAuthorizationCodeFlow.Builder(
                        HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
                    .setCredentialStore(credentialStore)
                    .build();
            // actually authorize
            ...
          }

  24. Sample code - authorize()

          public Credential authorize() throws Exception {
            // set up file credential store to save/load tokens
            ...
            // set up authorization code flow
            GoogleAuthorizationCodeFlow flow =
                new GoogleAuthorizationCodeFlow.Builder(
                        HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
                    .setCredentialStore(credentialStore)
                    .build();
            // actually authorize: opens the consent page and waits for the
            // authorization code on a local callback server
            return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
                .authorize("user");
          }

  25. Sample code - connect()

          // Construct AdWordsSession object
          AdWordsSession session =
              new AdWordsSession.Builder()
                  .fromFile()
                  .withOAuth2Credential(credential)
                  .build();
          // Construct AdWordsServices object
          AdWordsServices adWordsServices = new AdWordsServices();

  26. Further Info
      Authentication Flows: You've got choices
      ● Web Server Flow
        ○ Consent: Browser for consent
        ○ Response: Redirects user to callback endpoint
      ● Installed App Flow
        ○ Consent: URL provided - user pastes into browser
        ○ Response: Display code - user pastes into app
        OR
        ○ Consent: URL provided - in-app browser
        ○ Response: Captures code - app returns to auth server
      User Interaction | Programmatic
  27. Further Info
      OAuth 2.0 Best Practices
      ● Use the refreshToken only on accessToken expiry
      ● Store the refreshToken for re-use
        ○ To reduce user interaction
      ● Officially clientCustomerId needed only for reports
        ○ Recommended for all
  28. Coding by Hand: Handling Expired Tokens
      ● What? I need to handle token expirations?
      ● Theoretically, you should be able to restart requests today!
        ○ ClientLogin auth tokens can time out.
        ○ Server calls can fail in a way that suggests you should retry.
  29. Further Info
      Coding by Hand: Error Handling
      ● Error: AuthenticationError.OAUTH_TOKEN_INVALID
        ○ On: accessToken expired
        ○ Resolution: use refreshToken
      ● Error: AuthenticationError.INVALID_GRANT_ERROR
        ○ On: accessToken revoked
        ○ Resolution: re-auth app with user consent
  30. Summary
      ● Change is coming
      ● Shouldn't be a big deal
        ○ Will actually improve your app security
      ● Client library users should be ready to go now or soon.
  31. Q&A
  32. Resources
      Docs Links: https://developers.google.com/accounts/docs/OAuth2
      Register app, get client_id & client_secret: https://code.google.com/apis/console
      Java Sample Code: http://goo.gl/s6nmR
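
Added example for slide 17 (not part of the original deck or of Google's sample code): building the by-hand authorization request in Java and checking the callback against a per-request `state` value, so a response that this app did not start is rejected. The endpoint URL, the `access_type=offline` parameter, the redirect URI and the placeholder client id are assumptions to confirm against Google's current OAuth 2.0 documentation; in this flow the client_secret is used only in the later server-to-server exchange of the code for tokens, which is not shown.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.stream.Collectors;

public class ByHandAuthRequest {
  // Assumption: Google's OAuth 2.0 authorization endpoint; confirm against current docs.
  static final String AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth";
  static final String AWAPI_SCOPE = "https://adwords.google.com/api/adwords"; // slide 17
  // URL-encode every key and value so no parameter can inject another one.
  static String form(Map<String, String> params) {
    return params.entrySet().stream()
        .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
            + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
        .collect(Collectors.joining("&"));
  }

  // Unguessable per-request value that ties the callback to the request this app started.
  static String newState() {
    byte[] b = new byte[16];
    new SecureRandom().nextBytes(b);
    return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
  }

  // Browser-facing request: carries client_id and scope, not the client_secret.
  static String authorizationUrl(String clientId, String redirectUri, String state) {
    Map<String, String> p = new LinkedHashMap<>();
    p.put("response_type", "code");
    p.put("client_id", clientId);
    p.put("redirect_uri", redirectUri);
    p.put("scope", AWAPI_SCOPE);
    p.put("state", state);
    p.put("access_type", "offline"); // ask for a refreshToken as well
    return AUTH_ENDPOINT + "?" + form(p);
  }

  // Callback check: accept the response only if it returns the state we issued.
  static boolean stateMatches(String issued, String returned) {
    return returned != null && MessageDigest.isEqual(
        issued.getBytes(StandardCharsets.UTF_8), returned.getBytes(StandardCharsets.UTF_8));
  }
  public static void main(String[] args) {
    String state = newState();
    System.out.println(authorizationUrl("CLIENT_ID_PLACEHOLDER", "http://localhost:8080/cb", state));
    System.out.println("own callback accepted:   " + stateMatches(state, state));
    System.out.println("other callback accepted: " + stateMatches(state, newState()));
  }
}
```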
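
Added example for slides 20, 22 and 27 (not part of the original deck or of the client library): the refreshToken mints new accessTokens without user interaction, so the file that stores it should be readable by its owner only. This sketch assumes a POSIX file system; the class name, file location and token value are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class RefreshTokenFile {
  static final Set<PosixFilePermission> OWNER_ONLY = PosixFilePermissions.fromString("rw-------");

  // Write to an owner-only temp file in the same directory, then rename it over the target,
  // so the token is never on disk with wider permissions or half-written.
  static void save(Path file, String refreshToken) throws IOException {
    Path tmp = Files.createTempFile(file.toAbsolutePath().getParent(), "oauth", ".tmp",
        PosixFilePermissions.asFileAttribute(OWNER_ONLY));
    try {
      Files.write(tmp, refreshToken.getBytes(StandardCharsets.UTF_8));
      Files.move(tmp, file, StandardCopyOption.ATOMIC_MOVE);
    } finally {
      Files.deleteIfExists(tmp); // no-op after a successful move
    }
  }

  // Refuse a token file that group or other users can read or write.
  static String load(Path file) throws IOException {
    Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
    if (!OWNER_ONLY.containsAll(perms)) {
      throw new IOException(file + " has permissions " + PosixFilePermissions.toString(perms));
    }
    return new String(Files.readAllBytes(file), StandardCharsets.UTF_8);
  }

  public static void main(String[] args) throws IOException {
    Path dir = Files.createTempDirectory("oauth-demo");              // constructed location
    Path file = dir.resolve("oauth.json");
    save(file, "{\"refresh_token\":\"SAMPLE-NOT-A-REAL-TOKEN\"}");   // constructed value
    System.out.println("loaded: " + load(file));
    Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-r--r--"));
    try { load(file); } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```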
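
Added example for slides 27 to 29 (not part of the original deck or of the client library): a by-hand wrapper that refreshes only near expiry, retries exactly once on OAUTH_TOKEN_INVALID, and lets INVALID_GRANT_ERROR reach the caller because that case needs fresh user consent. `AuthError` and `Refresher` are hypothetical stand-ins for the API error and the token endpoint call, and the scenario in `main` is constructed.

```java
import java.time.Instant;
import java.util.function.Function;

public class TokenExpiryHandling {
  // Hypothetical stand-in for the AuthenticationError reasons on slide 29.
  static class AuthError extends RuntimeException {
    final String reason;
    AuthError(String reason) { super(reason); this.reason = reason; }
  }
  // Hypothetical hook for the token endpoint call: refreshToken in, new accessToken out.
  interface Refresher { String refresh(String refreshToken); }
  private final String refreshToken;
  private final Refresher refresher;
  private String accessToken;
  private Instant expiresAt;
  int refreshCount = 0;
  TokenExpiryHandling(String accessToken, Instant expiresAt, String refreshToken, Refresher r) {
    this.accessToken = accessToken; this.expiresAt = expiresAt;
    this.refreshToken = refreshToken; this.refresher = r;
  }

  private void refresh() {
    accessToken = refresher.refresh(refreshToken); // a revoked grant surfaces from here
    expiresAt = Instant.now().plusSeconds(3600);   // ~1 hour per slide 18; real responses state expires_in
    refreshCount++;
  }

  <T> T call(Function<String, T> apiCall) {
    if (Instant.now().isAfter(expiresAt.minusSeconds(60))) refresh(); // only near expiry
    try {
      return apiCall.apply(accessToken);
    } catch (AuthError e) {
      if (!"OAUTH_TOKEN_INVALID".equals(e.reason)) throw e; // e.g. INVALID_GRANT_ERROR: re-consent
      refresh();
      return apiCall.apply(accessToken); // one retry; a second failure reaches the caller
    }
  }

  public static void main(String[] args) {
    // Constructed scenario: the server rejects "access-1" before the local clock expects it to.
    TokenExpiryHandling t = new TokenExpiryHandling(
        "access-1", Instant.now().plusSeconds(3600), "refresh-1", rt -> "access-2");
    String result = t.call(tok -> {
      if (tok.equals("access-1")) throw new AuthError("OAUTH_TOKEN_INVALID");
      return "served with " + tok;
    });
    System.out.println(result + " after " + t.refreshCount + " refresh");
  }
}
```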
