OAuth 2.0
Transcript of OAuth 2.0
Google Confidential and Proprietary
OAuth 2.0: Life after ClientLogin
Agenda
● Why migrate from ClientLogin?
● What is OAuth 2.0?
● Using OAuth 2.0
  ○ Google APIs Console
  ○ Web Server Flow
● A code example
● Further Info
● Q&A
Why migrate from ClientLogin?
● Exposes usernames/passwords for MCC and client accounts
● AuthTokens last 2 weeks
  ○ No way to revoke issued tokens
● Sunset by 2015
  ○ Might be sooner
  ○ Deprecated since last year
More info - https://developers.google.com/accounts/docs/AuthForInstalledApps
What is OAuth 2.0?
Better than ClientLogin
● More secure
  ○ Does not expose username/password
  ○ Only exchanges OAuth tokens
● More specific access control
  ○ Tokens can have restricted scope on data
  ○ Can easily revoke a token
  ○ Reduced impact if a token is compromised
● No CAPTCHA challenges
What is OAuth 2.0?
The Flow
● Setting up access
  ○ MCC: Register Application
● Using the Authentication
  ○ Make token request
    ■ Ask for user's consent
  ○ Exchange code for access token
    ■ Save the refresh token
  ○ Call the API
● When a token expires
  ○ Refresh the access token
Legend: User Interaction | Programmatic
What is OAuth 2.0?
More info - https://developers.google.com/accounts/docs/OAuth2
Using OAuth 2.0
The Steps
1. Create a project in the Google APIs Console
   a. Generate the client_id and client_secret
2. Use the client library to access the OAuth 2.0 "Web Server Flow"
3. Save the refreshToken
4. Use the accessToken to make API calls
5. When the accessToken expires, re-use the refreshToken to get more accessTokens
Google APIs Console
Go to https://code.google.com/apis/console and create a new project.
You might need to register a Redirect URI, depending on how you want to use the client libs.
Then create your OAuth 2.0 client_id and client_secret, which you will need to make OAuth 2.0 calls.
Web Server Flow
Basic coding steps
1. Send a request to the Google Authorization Server, with:
   a. scope - https://adwords.google.com/api/adwords
   b. the client_id
2. This opens a browser with a Google web page that allows you to:
   a. log in with your MCC or client account credentials
   b. authorize access to the given scope
3. This returns the accessToken and refreshToken to your app
More info - https://developers.google.com/accounts/docs/OAuth2WebServer
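The three steps above as the actual protocol messages, in Python (an added example, not the deck's Java sample): it builds the authorization URL for the AdWords scope named on the slide, checks the state parameter when the callback comes back, and builds the body of the code-for-token exchange. The Google endpoint URLs and the access_type=offline parameter are not on the slides; they are Google's documented values and are stated here as assumptions.

```python
"""Web Server Flow request construction for the AdWords scope (added example).

Assumed, not on the slides: Google's authorization and token endpoints below,
and that access_type=offline is what makes Google return a refreshToken.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"    # assumption
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"  # assumption
ADWORDS_SCOPE = "https://adwords.google.com/api/adwords"       # scope named on the slide


def new_state():
    """Unguessable per-request value; the callback must echo it back unchanged."""
    return secrets.token_urlsafe(16)


def build_auth_url(client_id, redirect_uri, state):
    """Step 1: the URL the user opens to log in and grant the scope."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ADWORDS_SCOPE,
        "state": state,
        "access_type": "offline",  # ask for a refreshToken, not only the ~1-hour accessToken
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: the auth server redirects to our callback with ?code=...&state=...
    A callback whose state is not the one we issued is discarded."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError("consent denied: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to a request we made")
    return query["code"][0]


def code_exchange_body(code, client_id, client_secret, redirect_uri):
    """Step 3: POST body for TOKEN_ENDPOINT. The JSON reply carries access_token,
    expires_in (about 3600 s) and, with access_type=offline, refresh_token."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
```

The redirect_uri must be the one registered in the APIs Console, and it is sent again in the exchange so the token endpoint can check that the code is being redeemed by the same callback it was issued to.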
Basic coding steps
accessToken
● Access for ~1 hour
● Then expires
refreshToken
● Regenerates accessTokens
● No user interaction
● Be sure to store it
Legend: User Interaction | Programmatic
Sample code - authorize()

    import java.io.File;
    import java.util.Collections;
    import com.google.api.client.auth.oauth2.Credential;
    import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
    import com.google.api.client.extensions.java6.auth.oauth2.FileCredentialStore;
    import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
    import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;

    // The slides use these names without defining them; HTTP_TRANSPORT and JSON_FACTORY
    // are the library's NetHttpTransport and JacksonFactory, CLIENT_ID/CLIENT_SECRET come
    // from the APIs Console, and AWAPI_SCOPE is the scope from the Web Server Flow slide:
    //   Collections.singletonList("https://adwords.google.com/api/adwords")

    public Credential authorize() throws Exception {
      // set up file credential store to save/load tokens
      // (java.io.File does not expand "~", so resolve the home directory explicitly)
      File tokenFile = new File(System.getProperty("user.home"), "Desktop/oauth.json");
      FileCredentialStore credentialStore = new FileCredentialStore(tokenFile, JSON_FACTORY);
      // set up authorization code flow
      GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow
          .Builder(HTTP_TRANSPORT, JSON_FACTORY, CLIENT_ID, CLIENT_SECRET, AWAPI_SCOPE)
          .setCredentialStore(credentialStore)
          .build();
      // actually authorize: opens the browser for consent, receives the code on a local
      // port, exchanges it for tokens and saves them under the key "user" in the store
      return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver())
          .authorize("user");
    }
Sample code - connect()

    // Construct AdWordsSession object
    AdWordsSession session = new AdWordsSession.Builder()
        .fromFile()
        .withOAuth2Credential(credential)
        .build();
    // Construct AdWordsServices object
    AdWordsServices adWordsServices = new AdWordsServices();
Full sample code can be found here - http://goo.gl/s6nmR
Further Info
Installed App Flow and Web Server Flow
● Web Server Flow
  ○ Consent: Browser for consent
  ○ Response: Redirects user to callback endpoint
● Installed App Flow
  ○ Consent: URL provided - user pastes into browser
  ○ Response: Display code - user pastes into app
  OR
  ○ Consent: URL provided - in-app browser
  ○ Response: Captures code - app returns to auth server
Legend: User Interaction | Programmatic
Further Info
OAuth 2.0 Best Practices
● Use the refreshToken only on expiry
● Store the refreshToken for re-use
  ○ To reduce user interaction
● clientCustomerId required only for reports
  ○ Recommended for all calls
Further Info
Token expiration and refresh
● Error: AuthenticationError.OAUTH_TOKEN_INVALID
  ○ On: accessToken expired
  ○ Resolution: use refreshToken
● Error: AuthenticationError.INVALID_GRANT_ERROR
  ○ On: accessToken revoked
  ○ Resolution: re-auth app with user consent
Legend: User Interaction | Programmatic
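The expiry and error handling from the best-practices and error slides, in Python (an added example, not from the deck): the refreshToken is touched only when the accessToken has expired, and the two AuthenticationError codes above map to their two resolutions. The refresh exchange itself is injected as refresh_fn and the 60-second expiry skew is an assumption, so the block runs offline.

```python
"""accessToken lifecycle around a stored refreshToken (added example).

refresh_fn stands in for the grant_type=refresh_token POST to Google's token
endpoint and must return {"access_token": ..., "expires_in": ...}.
"""
import time


class OAuthSession:
    def __init__(self, access_token, expires_in, refresh_token, refresh_fn, clock=time.time):
        self.access_token = access_token
        self.expires_at = clock() + expires_in   # slides: access lasts ~1 hour (expires_in=3600)
        self.refresh_token = refresh_token        # store it: it outlives every accessToken
        self._refresh = refresh_fn
        self._clock = clock
        self.refresh_count = 0

    def is_expired(self, skew=60):
        """Treat the token as expired slightly early (assumed skew) to avoid racing the server."""
        return self._clock() >= self.expires_at - skew

    def get_access_token(self):
        """Best practice from the slides: use the refreshToken only on expiry."""
        if self.is_expired():
            self._do_refresh()
        return self.access_token

    def _do_refresh(self):
        if not self.refresh_token:
            raise RuntimeError("no refreshToken stored; run the consent flow again")
        new = self._refresh(self.refresh_token)   # programmatic, no user interaction
        self.access_token = new["access_token"]
        self.expires_at = self._clock() + new["expires_in"]
        self.refresh_count += 1

    def handle_api_error(self, error_code):
        """Map the AuthenticationError codes on the slide to the recovery step."""
        if error_code == "AuthenticationError.OAUTH_TOKEN_INVALID":
            self._do_refresh()            # accessToken expired: refresh and retry the call
            return "retry-with-refreshed-token"
        if error_code == "AuthenticationError.INVALID_GRANT_ERROR":
            self.refresh_token = None     # access revoked: the refreshToken is dead too
            return "re-authorize-with-user-consent"
        raise ValueError("not an OAuth authentication error: " + error_code)
```

A refreshed accessToken replaces the cached one in place, so concurrent callers of get_access_token() see the new value without a second refresh.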
Q&A
Resources
Docs links:
https://developers.google.com/accounts/docs/AuthForInstalledApps
https://developers.google.com/accounts/docs/OAuth2
https://developers.google.com/accounts/docs/OAuth2WebServer
Request client_id & client_secret:
https://code.google.com/apis/console
Code:
http://goo.gl/s6nmR