oauth 2.0 refresher talk

OAuth 2.0

+Paul Matthews, Google, Inc.

1. What is OAuth 2.0?

2. Preparation

3. Obtain an Access Token

4. Detail of OAuth 2.0 flows

5. Best practice

Agenda

What is OAuth 2.0?

● Authorization for AdWords API

● Secure

● Simple

● Standard

● No Usernames or Passwords

● Only Tokens

● Specific Access Control

● Restrict Scope

● Easily revoke

The security of OAuth2

The simplicity of OAuth2

Interact with the AdWords API

Get AccessAsk approval

The standard of OAuth2

● Have you seen the dialog?

● User Consent

● Accept

● Cancel

2) Accept Consent

3) Exchange Code

The OAuth2 Flow

Your Application

The MCC User

Google Servers

1) Build URL 4) Make Request 5) Refresh Access

OAuth2 Servers

The AdWords API

Grant Access Interact with the AdWords API

● refresh_token

● Regenerates access_token

● Lifetime indefinite

● Store it!

● access_token

● For making requests

● Lifetime 00:60

Access comes with 2 Tokens

● refresh_token

● Store it!

● access_token

● Lifetime 00:60

● access_token

● Lifetime 00:60

● refresh_token

● Store it!

Preparation

http://code.google.com/apis/console

● Get an application identifier● client_id● client_secret

Register your application

Create a new project at Google API Console

Create an OAuth 2.0 client ID

Web server or installed application?

Choose Installed application unless you have many client accounts that need authorization.

Choose Web server application when using many separately authorized accounts.

Installed Application

Choose your application type

Now, you have client_id and client_secret

Obtain Accessaccess_token & refresh_token

Why an Access Token?

Get Access & Refresh TokensAsk approval

With or without Client Libraries

● With Client Libraries

● Without Client Libraries

● Check your library for details!

● Example:

● Run script

● Authorize application

● Add refresh_token to config

Client Libraries can Help

1. Construct URL

2. Obtain Consent

3. Receive Authorization Code

4. Exchange Code for Token

5. Store credentials

How to get an Access Token

https://accounts.google.com/o/oauth2/auth?

access_type=offline&

scope=https://adwords.google.com/api/adwords&

redirect_uri=urn:ietf:wg:oauth:2.0:oob&

response_type=code&

client_id=xxxxxxx.apps.googleusercontent.com

1. Construct a URL

● Send User

● Accept permissions

2. Obtain Consent

> Enter authorization code here:

4/v6xr77ewYqhvHSyW6UJ1w7jKwAzu

3. Receive Authorization Code

POST /o/oauth2/token HTTP/1.1 Host: accounts.google.com Content-Type: application/x-www-form-urlencoded code=4/v6xr77ewYqhvHSyW6UJ1w7jKwAzu& client_id=xxxxxxx.apps.googleusercontent.com& client_secret={client_secret}& redirect_uri=& grant_type=authorization_code

4. Exchange Code for Token

{"access_token" : "yaxx.xxxxxxxxxxxx","token_type" : "Bearer","expires_in" : 3600,"refresh_token" : "1/xxxxxxxxxxxxxxxxxxxg"

5. Store credentials

Detail of OAuth 2.0 Flows

Google supports common OAuth 2.0 scenarios

● Installed applications

● Web server applications

● Applications on limited-input devices

OAuth 2.0 Flows Google Supports

Differences Between Flows

Registration to API Console

Use Authentication Code

Client Secret

Refresh Token

Redirection

Installed applications

Required Yes Required Available URL, Text

Web server applications

Required Yes Required Available URL

Applications on limited-input device

Required - Required Available -

Choose offline access when your applications works while a data owner is not in front of your application

Offline access is good for typical AdWords API client which access Google Server to fetch user data and set value in background.

Offline or Online?

Best Practices

● Use offline as access type to get a refresh_token

● Store refresh_token to get a new access_token

● Use the MCC structure

● Authorize the top MCC

Best Practices

Storing & Sharing

● Storing Access Tokens

● Store the timestamp

● Sharing Access Tokens Between Threads

● AuthenticationError.OAUTH_TOKEN_INVALID○ On: Access Token expired○ Resolution: get a new Access Token with Refresh token

● AuthenticationError.INVALID_GRANT_ERROR○ On: Refresh Token revoked○ Resolution: re-auth app with user consent

Useful information for Errors

Appendix

Resources

Docs Links:

https://developers.google.com/accounts/docs/OAuth2

https://developers.google.com/accounts/docs/OAuth2WebServer

https://developers.google.com/accounts/docs/OAuth2InstalledApp

https://developers.google.com/adwords/api/docs/authentication#oauth

https://code.google.com/apis/console

Resources

Questions?

oauth 2.0 refresher talk

Technology

oauth: trust issues

everything oauth

implementing oauth

oauth protokol -...

oauth test

the oauth 2.0 authorization protocol - cleesh.com · the...

oauth 2.0 refresher

introduction to oauth

mastering oauth 2 - adobe inc.€¦ · leveraging the oauth...

wordpress + oauth

h. tschofenig oauth 2.0 security: oauth open redirector ·...

oauth passport

「金融api向けoauth」にみるoauthプロファイリングの実際...

the essential oauth primer: understanding oauth for securing...

the essential oauth primer: understanding oauth for securing...

oauth hacks a gentle introduction to oauth 2 and apache oltu

twitter oauth

understanding oauth 2.0

entendiendo oauth

some oauth love