OAuth 2.0

Google Confidential and Proprietary OAuth 2.0 Life after ClientLogin

Transcript of OAuth 2.0

Page 1: OAuth 2.0

OAuth 2.0: Life after ClientLogin

Page 2: OAuth 2.0

Agenda

● Why migrate from ClientLogin?

● What is OAuth 2.0?

● Using OAuth 2.0
  ○ Google APIs Console
  ○ Web Server Flow

● A code example

● Further Info

● Q&A

Page 3: OAuth 2.0

Why migrate from ClientLogin?

● Exposes usernames/passwords for MCC and client accounts.

● AuthTokens are valid for 2 weeks
  ○ No way to revoke issued tokens

● Sunset by 2015
  ○ Might be sooner
  ○ Deprecated since last year

More info - https://developers.google.com/accounts/docs/AuthForInstalledApps

Page 4: OAuth 2.0

What is OAuth 2.0?

Better than ClientLogin

● More secure
  ○ Does not expose username/password
  ○ Only OAuth tokens are exchanged

● More specific access control
  ○ Tokens can have a restricted scope on data
  ○ A token can easily be revoked
  ○ Reduced impact if a token is compromised

● No CAPTCHA challenges.

Page 5: OAuth 2.0

What is OAuth 2.0?

The Flow

● Setting up access
  ○ MCC: Register application

● Using the authentication
  ○ Make token request
    ■ Ask for user's consent
  ○ Exchange code for access token
    ■ Save the refresh token
  ○ Call the API

● When a token expires
  ○ Refresh the access token

User Interaction | Programmatic

Page 6: OAuth 2.0


What is OAuth 2.0?

More info - https://developers.google.com/accounts/docs/OAuth2

Page 7: OAuth 2.0

Using OAuth 2.0

The Steps

1. Create a project in the Google APIs Console
   a. Generate the client_id and client_secret

2. Use the client lib to access the OAuth 2.0 "Web Server Flow"

3. Save the refreshToken

4. Use the accessToken to make API calls

5. When the accessToken expires, re-use the refreshToken to get more accessTokens

Page 8: OAuth 2.0

Google APIs Console

Go to https://code.google.com/apis/console and create a new project

Page 9: OAuth 2.0

Google APIs Console

You might need to register a Redirect URI, depending on how you want to use the client libs

Page 10: OAuth 2.0

Google APIs Console

Then create your OAuth 2.0 client_id and client_secret, which you will need to make OAuth 2.0 calls.

Page 11: OAuth 2.0

Web Server Flow

Basic coding steps

1. Send a request to the Google Authorization Server, with:
   a. scope - https://adwords.google.com/api/adwords
   b. the client_id

2. This opens a browser, with a Google webpage, that allows you to:
   a. log in with your MCC or client account credentials
   b. authorize access to the given scope

3. This returns the accessToken and refreshToken to your app

More info - https://developers.google.com/accounts/docs/OAuth2WebServer
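The three web-server-flow steps above, end to end, as an added example that is not part of the deck (the deck's own sample is the Java authorize() method later on). It uses only the Python standard library and builds the protocol messages instead of sending them, so it runs offline: the authorization request URL, the check on the callback, the code-for-token POST body, and the parsing of the token response. The two endpoint URLs, the AdWords scope and the access_type=offline parameter are real Google OAuth 2.0 values; the client id, client secret, redirect URI, codes and tokens are constructed placeholders.

```python
# Added example (not the deck's Java sample): the OAuth 2.0 web server flow
# messages, standard library only, built but not sent.
# Endpoints and scope are the real Google values cited in the deck; client id,
# secret, redirect URI and all codes/tokens below are constructed placeholders.
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
AWAPI_SCOPE = "https://adwords.google.com/api/adwords"


def build_authorization_url(client_id, redirect_uri, state):
    """Step 1: the request to the Google Authorization Server the user is sent to."""
    params = {
        "response_type": "code",       # authorization code grant
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the URI registered in the APIs Console
        "scope": AWAPI_SCOPE,
        "access_type": "offline",      # ask for a refresh token, not just an access token
        "state": state,                # anti-CSRF value bound to this user's session
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Steps 2/3: after consent the browser is redirected to redirect_uri?code=...&state=...
    The callback is only accepted if state matches what this session issued."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError("consent denied: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this session")
    return query["code"][0]


def code_exchange_request(code, client_id, client_secret, redirect_uri):
    """Form-encoded POST body that trades the one-time code for tokens.
    Sent server to server, so the client_secret never reaches the browser."""
    body = {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    return TOKEN_ENDPOINT, urlencode(body)


def parse_token_response(raw_json):
    """Keep what the app needs: the short-lived access token and the long-lived
    refresh token (Google returns the latter on the consent that granted offline access)."""
    data = json.loads(raw_json)
    if "access_token" not in data:
        raise RuntimeError("token endpoint error: " + str(data.get("error")))
    return {
        "access_token": data["access_token"],
        "expires_in": int(data.get("expires_in", 0)),
        "refresh_token": data.get("refresh_token"),  # None on a repeat consent: keep the stored one
    }


if __name__ == "__main__":
    # Constructed walk-through with placeholder values.
    redirect = "http://localhost:8080/oauth2callback"
    state = secrets.token_urlsafe(16)
    print(build_authorization_url("CLIENT_ID_PLACEHOLDER", redirect, state))
    code = parse_callback(redirect + "?code=4%2Fconstructed-code&state=" + state, state)
    print(code_exchange_request(code, "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER", redirect))
    # Constructed sample of a successful token endpoint answer.
    sample = '{"access_token":"ya29.constructed","expires_in":3600,' \
             '"refresh_token":"1/constructed","token_type":"Bearer"}'
    print(parse_token_response(sample))
```

The state check is the part the deck's client library does for you and the part most often dropped in hand-rolled flows: without it, a callback carrying someone else's code is accepted into the current user's session.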


Page 14: OAuth 2.0

Basic coding steps

accessToken

● Access for ~1 hour

● Then expires

refreshToken

● Regenerates accessTokens

● No user interaction

● Be sure to store it

User Interaction | Programmatic

Page 16: OAuth 2.0

Sample code - authorize()

public Credential authorize() throws Exception {
  // set up file credential store to save/load tokens
  // (Java does not expand "~", so resolve the home directory explicitly;
  //  the file holds the refresh token, so keep it readable only by this user)
  FileCredentialStore credentialStore = new FileCredentialStore(
      new File(System.getProperty("user.home"), "Desktop/oauth.json"), JSON_FACTORY);

  // set up authorization code flow
  GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow
      .Builder(HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
      .setCredentialStore(credentialStore)
      .build();

  // actually authorize
  ...
}

Page 17: OAuth 2.0

Sample code - authorize()

public Credential authorize() throws Exception {
  // set up file credential store to save/load tokens
  // (Java does not expand "~", so resolve the home directory explicitly;
  //  the file holds the refresh token, so keep it readable only by this user)
  FileCredentialStore credentialStore = new FileCredentialStore(
      new File(System.getProperty("user.home"), "Desktop/oauth.json"), JSON_FACTORY);

  // set up authorization code flow
  GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow
      .Builder(HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
      .setCredentialStore(credentialStore)
      .build();

  // actually authorize: opens the browser for consent and receives the
  // authorization code on a local listener, then exchanges it for tokens
  return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
      .authorize("user");
}

Page 18: OAuth 2.0

Sample code - connect()

// Construct AdWordsSession object
AdWordsSession session = new AdWordsSession.Builder()
    .fromFile()
    .withOAuth2Credential(credential)
    .build();

// Construct AdWordsServices object
AdWordsServices adWordsServices = new AdWordsServices();

Full sample code can be found here - http://goo.gl/s6nmR

Page 19: OAuth 2.0

Further Info

Installed App Flow and Web Server Flow

● Web Server Flow
  ○ Consent: Browser for consent
  ○ Response: Redirects user to callback endpoint

● Installed App Flow
  ○ Consent: URL provided - user pastes into browser
  ○ Response: Displays code - user pastes into app
  OR
  ○ Consent: URL provided - in-app browser
  ○ Response: Captures code - app returns it to auth server

User Interaction | Programmatic

Page 20: OAuth 2.0

Further Info

OAuth 2.0 Best Practices

● Use the refreshToken only on expiry

● Store the refreshToken for re-use
  ○ To reduce user interaction

● clientCustomerId only required for reports
  ○ Recommended for all

Page 21: OAuth 2.0

Further Info

Token expiration and refresh

● Error: AuthenticationError.OAUTH_TOKEN_INVALID
  ○ On: accessToken expired
  ○ Resolution: use refreshToken

● Error: AuthenticationError.INVALID_GRANT_ERROR
  ○ On: accessToken revoked
  ○ Resolution: re-auth app with user consent

User Interaction | Programmatic
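The token lifecycle from the accessToken/refreshToken slide, the best practice of using the refreshToken only on expiry, and the two AuthenticationError values above, combined into one added example that is not the deck's code (the deck's sample relies on the Java client library to do this). It is Python standard library only: AuthenticationError, the refresh_fn callable standing in for the HTTP POST to the token endpoint, and the api_call callable standing in for an AdWords request are constructed stand-ins, and the clock is injectable so that expiry can be simulated offline.

```python
# Added example (not the deck's Java sample): keeping an AdWords session alive
# across the ~1 hour access-token lifetime, refreshing only on expiry, and
# mapping the deck's two AuthenticationError values to actions.
# AuthenticationError, refresh_fn and api_call are constructed stand-ins.
import time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"  # real Google endpoint
REFRESH_SKEW_SECONDS = 60  # refresh a little before the server-side expiry


class AuthenticationError(Exception):
    """Stand-in for the AdWords API AuthenticationError; reason is the enum value."""
    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


class ReauthRequired(Exception):
    """Raised when only a new user consent (INVALID_GRANT_ERROR) can recover."""


class TokenManager:
    def __init__(self, client_id, client_secret, refresh_token, refresh_fn, clock=time.time):
        self.client_id = client_id
        self.client_secret = client_secret
        self.refresh_token = refresh_token  # long-lived: persist it, never log it
        self.access_token = None
        self.expires_at = 0.0
        self._refresh_fn = refresh_fn       # callable(endpoint, body) -> dict (the POST)
        self._clock = clock

    def refresh_request(self):
        """Form body of the refresh grant; no user interaction is involved."""
        body = {
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "grant_type": "refresh_token",
        }
        return TOKEN_ENDPOINT, urlencode(body)

    def refresh(self):
        """Regenerate the access token from the stored refresh token."""
        endpoint, body = self.refresh_request()
        resp = self._refresh_fn(endpoint, body)
        if "access_token" not in resp:
            # e.g. {"error": "invalid_grant"}: the stored refresh token no longer works
            raise ReauthRequired("refresh rejected: " + str(resp.get("error")))
        self.access_token = resp["access_token"]
        self.expires_at = self._clock() + int(resp.get("expires_in", 3600))
        return self.access_token

    def get_access_token(self):
        """Best practice from the deck: touch the refresh token only on expiry."""
        if self.access_token is None or self._clock() >= self.expires_at - REFRESH_SKEW_SECONDS:
            self.refresh()
        return self.access_token

    def call(self, api_call, retried=False):
        """Run api_call(access_token) and map the deck's two error codes to actions."""
        try:
            return api_call(self.get_access_token())
        except AuthenticationError as e:
            if e.reason == "OAUTH_TOKEN_INVALID" and not retried:
                self.refresh()  # access token expired: refresh and retry exactly once
                return self.call(api_call, retried=True)
            if e.reason == "INVALID_GRANT_ERROR":
                raise ReauthRequired("token revoked; re-run the consent flow") from e
            raise


if __name__ == "__main__":
    # Constructed stand-in for the token endpoint: hands out at1, at2, ... each call.
    issued = []

    def fake_refresh(endpoint, body):
        issued.append(body)
        return {"access_token": "at%d" % len(issued), "expires_in": 3600}

    now = [1000.0]  # simulated clock
    tm = TokenManager("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                      "REFRESH_TOKEN_PLACEHOLDER", fake_refresh, clock=lambda: now[0])
    print(tm.get_access_token())   # first use: refresh once
    print(tm.get_access_token())   # same token, no refresh
    now[0] += 3600                 # an hour later: expired, refreshed on next use
    print(tm.get_access_token())
    print(tm.call(lambda token: "report for " + token))
```

The single retry in call() is deliberate: an OAUTH_TOKEN_INVALID that survives one refresh is not an expiry, and looping on it would hammer the token endpoint with a refresh token that is probably revoked.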

Page 22: OAuth 2.0

Q&A

Page 23: OAuth 2.0

Resources

Docs Links:

https://developers.google.com/accounts/docs/AuthForInstalledApps

https://developers.google.com/accounts/docs/OAuth2

https://developers.google.com/accounts/docs/OAuth2WebServer

Request client_id & client_secret:

https://code.google.com/apis/console

Code:

http://goo.gl/s6nmR