AdWords API & OAuth 2.0, Advanced

1,785 views

Published on

Published in: Technology, Business
1 Comment
2 Likes
Statistics
Notes
  • The 'Example - OAuth 2.0 Key Cache' link is invalid; Is there a valid link available somewhere? Fumbling around under various permutations of the name in code.google.com and Google search does not yield any relevant results.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
1,785
On SlideShare
0
From Embeds
0
Number of Embeds
22
Actions
Shares
0
Downloads
40
Comments
1
Likes
2
Embeds 0
No embeds

No notes for slide

AdWords API & OAuth 2.0, Advanced

  1. 1. Google Inc - All Rights Reserved
  2. 2. AdWords API - Using OAuth 2.0 Advanced usage Ray Tsang, Google, Inc. Danial Klimkin, Google, Inc.
  3. 3. Agenda ● Hopefully you are already using OAuth 2.0! ● Issue with unoptimized OAuth 2.0 requests ● Solutions ● Resources
  4. 4. Google Inc. - All Rights Reserved Refresher OAuth 2.0????
  5. 5. Google Inc. - All Rights Reserved ClientLogin is going away You must migrate to OAuth 2.0 ASAP ClientLogin is Going Away!
  6. 6. Google Inc. - All Rights Reserved Secure ○ Users enter their username/password in secure Google login page ○ Third-party application won’t receive nor store the password ○ Reduced impact if OAuth 2.0 access is compromised More Control ○ Restrict access via “scopes” ○ User can revoke access at will Standards driven ○ RFC 6749 ○ Used by many large service providers, including Google Why OAuth 2.0?
  7. 7. Google Inc. - All Rights Reserved Already using OAuth 2.0? Great to hear! Watch out for some common issues
  8. 8. Google Inc. - All Rights Reserved Access Token Expiration Anticipate the possibility that a granted token might no longer work ○ The access token has expired (expires_in value) ○ The user has revoked access ○ The account has exceeded a certain number of active token for the same application
  9. 9. Google Inc. - All Rights Reserved The refresh token expired if unused for six months. 25 refresh token limit per user per application ○ When exceeded, oldest refresh token is quietly invalidated ○ no user-visible warning - your application need to handle this You should only need one refresh token per user Refresh Token Expiration
  10. 10. Google Inc. - All Rights Reserved When an access token has expired or revoked: AuthenticationError.OAUTH_TOKEN_INVALID Cause: access token expired Resolution: get a new access token with the refresh token AuthenticationError.INVALID_GRANT_ERROR Cause: access revoked Resolution: re-authorize via the authorization URL (the consent screen) Common Errors
  11. 11. Google Inc. - All Rights Reserved Revoking Access
  12. 12. Google Inc. - All Rights Reserved Rate Limits There is a rate limit for obtaining the access token QPS may change over time based on different conditions Beware in multi-threaded and/or multi-server environment Be ready for it in Production!
  13. 13. Google Inc. - All Rights Reserved Multithreaded Environment Client Application Thread 1 Thread 2 Thread N . . . I have a refresh token, I need an access token! I have a refresh token, I need an access token! I have a refresh token, I need an access token!
  14. 14. Google Inc. - All Rights Reserved Multi-Server / Multi-Process Environment Client Application . . . I have a refresh token, I need an access token! I have a refresh token, I need an access token! I have a refresh token, I need an access token! Client Application Client Application
  15. 15. Google Inc. - All Rights Reserved Client ApplicationClient Application Put Them Together Client Application Thread 1 Thread 2 Thread N . . .
  16. 16. Google Inc. - All Rights Reserved What’s Your Platform Like? .Net
  17. 17. Google Inc. - All Rights Reserved Sharing the access token Sharing is caring
  18. 18. Google Inc. - All Rights Reserved Share the token and the expiration time Access token Calculated expiration time 12 6 39 T1 expires_in Te
  19. 19. Google Inc. - All Rights Reserved Multithreaded platforms can share data among threads Must be thread-safe Use the singleton pattern Use a Singleton Credential object in Java can be shared
  20. 20. Google Inc. - All Rights Reserved Minimize Access Token Requests Client Application Thread 1 Thread 2 Thread N . . . I have a refresh token, I need an access token! I’ll re-use the Credential I’ll re-use the Credential
  21. 21. Google Inc. - All Rights Reserved Minimize the number of initial access token requests is half the problem When access token expires - minimize refresh requests! Handling Expiration Credential object in Java handles expiration
  22. 22. Google Inc. - All Rights Reserved Use a shared storage ○ In-memory: Memcached, Infinispan, Ehcache, ... ○ Persistent: RDBMS, MongoDB, … Store securely! Don’t forget to check for expirations Use Shared storage
  23. 23. Google Inc. - All Rights Reserved Using a Shared Storage Client Application . . . Client Application Shared Storage 1. Check if unexpired access token is already in the shared storage Client Application 2. If expired, use the refresh token to get an access token 3. Write the credential back to the shared storage 4. Check if unexpired access token is already in the shared storage
  24. 24. Google Inc. - All Rights Reserved Worst case scenario: All processes simultaneously read expired access token from the shared storage ● Avoid race conditions ● Eagerly refresh stored credentials before it expires ○ e.g., If access token expires in 1 hr, refresh in 45 minutes Proactive Refresh Make sure server clocks are in sync (use NTP)
  25. 25. Google Inc. - All Rights Reserved Proactive Refresh Client Application Shared Storage Check if unexpired access token is already in the shared storage Periodic Refresher 1. Use the refresh token to get a new access token 2. Write the credential back to the shared storage
  26. 26. Google Inc. - All Rights Reserved Centralize OAuth 2.0 access token management ○ Retrieval ○ Refresh ○ Storage Service-oriented approach OAuth 2.0 Token Management Server Example - OAuth 2.0 Key Cache
  27. 27. Google Inc. - All Rights Reserved Using a Token Management Server Client Application Token Mgmt Server 1. I need the access token 2. Here you go! O ops! Expired, let m e fetch another one.
  28. 28. Google Inc. - All Rights Reserved Refresh token and access token = Credentials Store them securely! Last Note - Security!
  29. 29. Google Inc. - All Rights Reserved Resources Download links AdWords API OAuth 2.0 Guide Optimizing OAuth 2.0 Requests for AdWords API Google OAuth 2.0 Documentation
  30. 30. Google Inc. - All Rights Reserved Questions?
  31. 31. Google Inc. - All Rights Reserved

×