AdWords API & OAuth 2.0, Advanced
Uploaded by: marcwan
Category: Technology
Transcript of AdWords API & OAuth 2.0, Advanced
![Page 1: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/1.jpg)
Google Inc - All Rights Reserved
![Page 2: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/2.jpg)
AdWords API - Using OAuth 2.0
Advanced usage
Ray Tsang, Google, Inc.
Danial Klimkin, Google, Inc.
![Page 3: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/3.jpg)
Agenda
● Hopefully you are already using OAuth 2.0!
● Issue with unoptimized OAuth 2.0 requests
● Solutions
● Resources
![Page 4: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/4.jpg)
Refresher
OAuth 2.0????
![Page 5: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/5.jpg)
ClientLogin is Going Away!
ClientLogin is going away
You must migrate to OAuth 2.0 ASAP
![Page 6: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/6.jpg)
Why OAuth 2.0?
Secure
○ Users enter their username/password in secure Google login page
○ Third-party application won’t receive nor store the password
○ Reduced impact if OAuth 2.0 access is compromised
More Control
○ Restrict access via “scopes”
○ User can revoke access at will
Standards driven
○ RFC 6749
○ Used by many large service providers, including Google
![Page 7: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/7.jpg)
Already using OAuth 2.0?
Great to hear! Watch out for some common issues
![Page 8: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/8.jpg)
Access Token Expiration
Anticipate the possibility that a granted token might no longer work
○ The access token has expired (expires_in value)
○ The user has revoked access
○ The account has exceeded a certain number of active tokens for the same application
![Page 9: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/9.jpg)
Refresh Token Expiration
The refresh token expires if unused for six months.
25 refresh token limit per user per application
○ When exceeded, the oldest refresh token is quietly invalidated
○ No user-visible warning - your application needs to handle this
You should only need one refresh token per user
![Page 10: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/10.jpg)
Common Errors
When an access token has expired or been revoked:
AuthenticationError.OAUTH_TOKEN_INVALID
Cause: access token expired
Resolution: get a new access token with the refresh token
AuthenticationError.INVALID_GRANT_ERROR
Cause: access revoked
Resolution: re-authorize via the authorization URL (the consent screen)
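The two resolutions above, as an added example that is not from the slides or the AdWords client libraries: refresh once and retry on the expiry error, and drop the stored credentials and force re-consent on the revocation error. `ApiError`, `ReauthorizationRequired`, `call_with_recovery`, the dict-shaped `store`, and the assumption that the revocation error can also surface from the refresh call are all hypothetical; only the two error strings come from the slide.

```python
TOKEN_INVALID = "AuthenticationError.OAUTH_TOKEN_INVALID"
INVALID_GRANT = "AuthenticationError.INVALID_GRANT_ERROR"

class ApiError(Exception):
    """Hypothetical exception type; .reason holds the error string."""
    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason

class ReauthorizationRequired(Exception):
    """Access was revoked: the user has to pass the consent screen again."""

def call_with_recovery(api_call, store, refresh_fn):
    """Run api_call(access_token); refresh once on expiry, stop on revocation."""
    for attempt in range(2):           # store: {'access_token', 'refresh_token'} (assumed)
        try:
            return api_call(store["access_token"])
        except ApiError as err:
            if err.reason == INVALID_GRANT:
                break
            if err.reason != TOKEN_INVALID or attempt == 1:
                raise                  # unrelated error, or the fresh token failed too
            try:
                store["access_token"] = refresh_fn(store["refresh_token"])
            except ApiError as refresh_err:
                if refresh_err.reason != INVALID_GRANT:
                    raise
                break
    # Revoked grant: drop the dead credentials instead of retrying with them.
    store["access_token"] = store["refresh_token"] = None
    raise ReauthorizationRequired("send the user to the authorization URL")

def demo():
    def api(token):                    # constructed fake API: accepts only "new"
        if token != "new":
            raise ApiError(TOKEN_INVALID)
        return "ok"
    def revoked_refresh(refresh_token):
        raise ApiError(INVALID_GRANT)
    expired = {"access_token": "old", "refresh_token": "r1"}
    result = call_with_recovery(api, expired, lambda rt: "new")
    revoked = {"access_token": "old", "refresh_token": "r1"}
    try:
        call_with_recovery(api, revoked, revoked_refresh)
        outcome = "no error"
    except ReauthorizationRequired:
        outcome = "reauthorize"
    return result, expired["access_token"], outcome, revoked["refresh_token"]
```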
![Page 11: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/11.jpg)
Revoking Access
![Page 12: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/12.jpg)
Rate Limits
There is a rate limit for obtaining the access token
QPS may change over time based on different conditions
Beware in multi-threaded and/or multi-server environments
Be ready for it in Production!
![Page 13: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/13.jpg)
Multithreaded Environment
[Diagram: one client application running Thread 1, Thread 2, ..., Thread N; each thread says "I have a refresh token, I need an access token!"]
![Page 14: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/14.jpg)
Multi-Server / Multi-Process Environment
[Diagram: several client applications; each one says "I have a refresh token, I need an access token!"]
![Page 15: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/15.jpg)
Put Them Together
[Diagram: several client applications, each running Thread 1, Thread 2, ..., Thread N]
![Page 16: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/16.jpg)
What’s Your Platform Like?
.Net
![Page 17: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/17.jpg)
Sharing the access token
Sharing is caring
![Page 18: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/18.jpg)
Share the token and the expiration time
Access token
Calculated expiration time
[Diagram: clock face with T1, expires_in and Te marked]
![Page 19: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/19.jpg)
Use a Singleton
Multithreaded platforms can share data among threads
Must be thread-safe
Use the singleton pattern
Credential object in Java can be shared
![Page 20: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/20.jpg)
Minimize Access Token Requests
[Diagram: one client application running Thread 1, Thread 2, ..., Thread N; one thread says "I have a refresh token, I need an access token!", the other two say "I’ll re-use the Credential"]
![Page 21: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/21.jpg)
Handling Expiration
Minimizing the number of initial access token requests is half the problem
When the access token expires - minimize refresh requests!
Credential object in Java handles expiration
![Page 22: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/22.jpg)
Use Shared Storage
Use a shared storage
○ In-memory: Memcached, Infinispan, Ehcache, ...
○ Persistent: RDBMS, MongoDB, …
Store securely!
Don’t forget to check for expirations
![Page 23: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/23.jpg)
Using a Shared Storage
[Diagram: several client applications connected to one shared storage]
1. Check if unexpired access token is already in the shared storage
2. If expired, use the refresh token to get an access token
3. Write the credential back to the shared storage
4. Check if unexpired access token is already in the shared storage
![Page 24: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/24.jpg)
Proactive Refresh
Worst case scenario: All processes simultaneously read an expired access token from the shared storage
● Avoid race conditions
● Eagerly refresh stored credentials before they expire
○ e.g., If access token expires in 1 hr, refresh in 45 minutes
Make sure server clocks are in sync (use NTP)
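An added example, not code from the slides or from the Java client library, covering the in-process side of the "Use a Singleton", "Handling Expiration" and "Proactive Refresh" slides: one shared credential whose expiration is calculated from the request time plus `expires_in`, refreshed eagerly at 45 minutes of a 1 hour lifetime, with a re-check under a lock so that N threads trigger a single refresh. `SharedCredential`, `refresh_fn`, the 25% margin and the fake clock are assumptions made for the demonstration.

```python
import threading
import time

class SharedCredential:
    """Singleton-style holder: every thread reuses one access token."""
    def __init__(self, refresh_fn, margin=0.25, clock=time.time):
        self._refresh_fn = refresh_fn  # hypothetical: returns (access_token, expires_in)
        self._margin = margin          # refresh with 25% of the lifetime left (1 h -> 45 min)
        self._clock = clock
        self._lock = threading.Lock()
        self._state = (None, 0.0)      # (access_token, refresh_at), swapped atomically
        self.refresh_count = 0

    def get(self):
        token, refresh_at = self._state
        if token is not None and self._clock() < refresh_at:
            return token               # fast path: still fresh, no lock needed
        with self._lock:
            token, refresh_at = self._state
            # Re-check under the lock: another thread may have refreshed already.
            if token is None or self._clock() >= refresh_at:
                t1 = self._clock()     # T1: time of the token request
                token, expires_in = self._refresh_fn()
                self._state = (token, t1 + expires_in * (1 - self._margin))
                self.refresh_count += 1
            return token

def demo(n_threads=8):
    now = [1000.0]                     # constructed fake clock (seconds)
    def fake_refresh():                # stands in for the token endpoint call
        time.sleep(0.05)               # latency, so the other threads pile up
        return "token-%d" % (cred.refresh_count + 1), 3600
    cred = SharedCredential(fake_refresh, clock=lambda: now[0])
    def burst():
        seen = []
        threads = [threading.Thread(target=lambda: seen.append(cred.get()))
                   for _ in range(n_threads)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return set(seen)
    first = burst()                    # cold start: one refresh for all threads
    now[0] += 44 * 60
    early = burst()                    # 44 min in: cached token reused
    now[0] += 2 * 60
    late = burst()                     # 46 min in: past the 45 min eager deadline
    return first, early, late, cred.refresh_count
```

Across processes or servers the same check, refresh and write-back sequence runs against the shared storage instead of an in-memory field, which is why the slide asks for synchronized clocks.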
![Page 25: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/25.jpg)
Proactive Refresh
[Diagram: client application, shared storage and periodic refresher]
Client Application: Check if unexpired access token is already in the shared storage
Periodic Refresher:
1. Use the refresh token to get a new access token
2. Write the credential back to the shared storage
![Page 26: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/26.jpg)
OAuth 2.0 Token Management Server
Centralize OAuth 2.0 access token management
○ Retrieval
○ Refresh
○ Storage
Service-oriented approach
Example - OAuth 2.0 Key Cache
![Page 27: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/27.jpg)
Using a Token Management Server
[Diagram: Client Application and Token Mgmt Server]
1. I need the access token
2. Here you go!
"Oops! Expired, let me fetch another one."
![Page 28: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/28.jpg)
Last Note - Security!
Refresh token and access token = Credentials
Store them securely!
![Page 29: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/29.jpg)
Resources
Download links
AdWords API OAuth 2.0 Guide
Optimizing OAuth 2.0 Requests for AdWords API
Google OAuth 2.0 Documentation
![Page 30: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/30.jpg)
Questions?
![Page 31: AdWords API & OAuth 2.0, Advanced](https://reader034.fdocuments.net/reader034/viewer/2022051014/54bf19844a7959b9438b4575/html5/thumbnails/31.jpg)