OAuth 2.0 refresher talk

AdWords API Workshops – All rights reserved

Upload: marcwan

Post on 06-May-2015


DESCRIPTION

AdWords API and using OAuth 2.0 — Client Login is going away.

TRANSCRIPT

Page 1: OAuth 2.0 refresher Talk

Page 2: OAuth 2.0 refresher Talk

OAuth 2.0

+Paul Matthews, Google, Inc.

Page 3: OAuth 2.0 refresher Talk

Agenda

1. What is OAuth 2.0?

2. Preparation

3. Obtain an Access Token

4. Detail of OAuth 2.0 flows

5. Best practice

Page 4: OAuth 2.0 refresher Talk

What is OAuth 2.0?

Page 5: OAuth 2.0 refresher Talk

What is OAuth 2.0?

● Authorization for AdWords API

● Secure

● Simple

● Standard

Page 6: OAuth 2.0 refresher Talk

The security of OAuth2

● No Usernames or Passwords

● Only Tokens

● Specific Access Control

● Restrict Scope

● Easily revoke

Page 7: OAuth 2.0 refresher Talk

The simplicity of OAuth2

● Ask approval

● Get Access

● Interact with the AdWords API

Page 8: OAuth 2.0 refresher Talk

The standard of OAuth2

● Have you seen the dialog?

● User Consent

● Accept

● Cancel

Page 9: OAuth 2.0 refresher Talk

The OAuth2 Flow

[Flow diagram] Participants: Your Application, The MCC User, Google Servers, OAuth2 Servers, The AdWords API.

Steps: 1) Build URL, 2) Accept Consent, 3) Exchange Code, 4) Make Request, 5) Refresh Access.

Arrow labels: Grant Access; Interact with the AdWords API.

Page 10: OAuth 2.0 refresher Talk

Access comes with 2 Tokens

● refresh_token

  ○ Regenerates access_token

  ○ Lifetime indefinite

  ○ Store it!

● access_token

  ○ For making requests

  ○ Lifetime 00:60

Page 13: OAuth 2.0 refresher Talk

Preparation

Page 14: OAuth 2.0 refresher Talk

Register your application

http://code.google.com/apis/console

● Get an application identifier

  ○ client_id

  ○ client_secret

Page 15: OAuth 2.0 refresher Talk

Create a new project at Google API Console

Page 16: OAuth 2.0 refresher Talk

Create an OAuth 2.0 client ID

Page 17: OAuth 2.0 refresher Talk

Web server or installed application?

Choose Installed application unless you have many client accounts that need authorization.

Choose Web server application when using many separately authorized accounts.

Page 18: OAuth 2.0 refresher Talk

Choose your application type

Installed Application

Page 19: OAuth 2.0 refresher Talk

Now, you have client_id and client_secret

Page 20: OAuth 2.0 refresher Talk

Obtain Access

access_token & refresh_token

Page 21: OAuth 2.0 refresher Talk

Why an Access Token?

● Ask approval

● Get Access & Refresh Tokens

Page 22: OAuth 2.0 refresher Talk

With or without Client Libraries

● With Client Libraries

● Without Client Libraries

Page 23: OAuth 2.0 refresher Talk

Client Libraries can Help

● Check your library for details!

● Example:

  ○ Run script

  ○ Authorize application

  ○ Add refresh_token to config

Page 24: OAuth 2.0 refresher Talk

How to get an Access Token

1. Construct URL

2. Obtain Consent

3. Receive Authorization Code

4. Exchange Code for Token

5. Store credentials

Page 25: OAuth 2.0 refresher Talk

1. Construct a URL

https://accounts.google.com/o/oauth2/auth?
access_type=offline&
scope=https://adwords.google.com/api/adwords&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&
response_type=code&
client_id=xxxxxxx.apps.googleusercontent.com

Page 26: OAuth 2.0 refresher Talk

2. Obtain Consent

● Send User

● Accept permissions

Page 27: OAuth 2.0 refresher Talk

3. Receive Authorization Code

> Enter authorization code here: 4/v6xr77ewYqhvHSyW6UJ1w7jKwAzu

Page 28: OAuth 2.0 refresher Talk

4. Exchange Code for Token

POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded

code=4/v6xr77ewYqhvHSyW6UJ1w7jKwAzu&
client_id=xxxxxxx.apps.googleusercontent.com&
client_secret={client_secret}&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&
grant_type=authorization_code

Page 29: OAuth 2.0 refresher Talk

5. Store credentials

{
  "access_token" : "yaxx.xxxxxxxxxxxx",
  "token_type" : "Bearer",
  "expires_in" : 3600,
  "refresh_token" : "1/xxxxxxxxxxxxxxxxxxxg"
}
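Steps 1, 4 and 5 above as an added Python example (not code from the talk or from any client library). It uses the endpoints, scope and out-of-band redirect shown on the slides; the function names are illustrative assumptions, and it builds the requests without sending them so it runs offline.

```python
import json
import time
from urllib.parse import urlencode

# Endpoints, scope and out-of-band redirect as shown on the slides.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
SCOPE = "https://adwords.google.com/api/adwords"
REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"

def build_auth_url(client_id):
    """Step 1: consent URL; access_type=offline asks for a refresh_token."""
    params = {
        "access_type": "offline",
        "scope": SCOPE,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "client_id": client_id,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)

def build_token_request(code, client_id, client_secret):
    """Step 4: POST target, headers and body; redirect_uri must match step 1."""
    body = urlencode({
        "code": code.strip(),  # pasted codes often carry stray whitespace
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body.encode("ascii")

def parse_token_response(raw_json, now=None):
    """Step 5: validate the reply and turn expires_in into an absolute time."""
    data = json.loads(raw_json)
    if "error" in data:
        raise ValueError("token endpoint error: " + str(data["error"]))
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("unexpected token response")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # only issued with offline access
        "expires_at": now + int(data["expires_in"]),
    }
```

Persist the returned dictionary somewhere only the application can read; the refresh_token is the long-lived credential.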

Page 30: OAuth 2.0 refresher Talk

Detail of OAuth 2.0 Flows

Page 31: OAuth 2.0 refresher Talk

OAuth 2.0 Flows Google Supports

Google supports common OAuth 2.0 scenarios

● Installed applications

● Web server applications

● Applications on limited-input devices

Page 32: OAuth 2.0 refresher Talk

Differences Between Flows

| Flow | Registration to API Console | Use Authentication Code | Client Secret | Refresh Token | Redirection |
| --- | --- | --- | --- | --- | --- |
| Installed applications | Required | Yes | Required | Available | URL, Text |
| Web server applications | Required | Yes | Required | Available | URL |
| Applications on limited-input device | Required | - | Required | Available | - |

Page 33: OAuth 2.0 refresher Talk

Offline or Online?

Choose offline access when your application works while the data owner is not in front of it.

Offline access suits a typical AdWords API client, which accesses Google servers to fetch user data and set values in the background.

Page 34: OAuth 2.0 refresher Talk

Best Practices

Page 35: OAuth 2.0 refresher Talk

Best Practices

● Use offline as access type to get a refresh_token

● Store refresh_token to get a new access_token

● Use the MCC structure

● Authorize the top MCC

Page 36: OAuth 2.0 refresher Talk

Storing & Sharing

● Storing Access Tokens

● Store the timestamp

● Sharing Access Tokens Between Threads

Page 37: OAuth 2.0 refresher Talk

Useful information for Errors

● AuthenticationError.OAUTH_TOKEN_INVALID

  ○ On: Access Token expired

  ○ Resolution: get a new Access Token with Refresh token

● AuthenticationError.INVALID_GRANT_ERROR

  ○ On: Refresh Token revoked

  ○ Resolution: re-auth app with user consent
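The "Storing & Sharing" advice and the two error resolutions above, combined in an added Python example (not code from the talk or a client library). `TokenCache`, `ReauthorizationRequired`, the 60-second `skew` and the `refresh_fn` callable, which stands in for the refresh request and returns the parsed JSON reply, are all assumptions made for illustration.

```python
import threading
import time

class ReauthorizationRequired(Exception):
    """Refresh token was revoked: the user must grant consent again."""

class TokenCache:
    """One access token shared by all threads, refreshed shortly before expiry."""

    def __init__(self, refresh_token, refresh_fn, skew=60, clock=time.time):
        self._refresh_token = refresh_token
        self._refresh_fn = refresh_fn    # hypothetical: refresh_token -> reply dict
        self._skew = skew                # refresh this many seconds early
        self._clock = clock
        self._lock = threading.Lock()
        self._access_token = None
        self._expires_at = 0.0           # stored timestamp, not just expires_in

    def get(self):
        with self._lock:                 # only one thread refreshes at a time
            expired = self._clock() >= self._expires_at - self._skew
            if self._access_token is None or expired:
                self._refresh_locked()
            return self._access_token

    def invalidate(self, token):
        """Call when a request fails with AuthenticationError.OAUTH_TOKEN_INVALID."""
        with self._lock:
            if token == self._access_token:  # ignore if another thread already refreshed
                self._access_token = None

    def _refresh_locked(self):
        reply = self._refresh_fn(self._refresh_token)
        # "invalid_grant" is the RFC 6749 token-endpoint error for a revoked grant.
        if reply.get("error") == "invalid_grant":
            raise ReauthorizationRequired("refresh token revoked")
        self._access_token = reply["access_token"]
        self._expires_at = self._clock() + int(reply["expires_in"])
```

Passing the failed token to `invalidate` keeps several threads that all saw the same expiry error from triggering several refreshes.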

Page 38: OAuth 2.0 refresher Talk

Appendix

Page 39: OAuth 2.0 refresher Talk

Resources

Page 41: OAuth 2.0 refresher Talk

Questions?

Page 42: OAuth 2.0 refresher Talk
