Help with authentication exception

[Judah Wright]

This question is a cross-post of an issue on the Github googleads/google-ads-php library, I was told to follow up here for more help.

I am working to get a product integrated with the Google Ads Conversion Actions. We are attempting to add new conversion actions via the Google Ads API (v2). We have followed the instructions for such an action, as documented here.

Of course our code looks a little different, so here is an excerpt of it:

// An oAuth token previously obtained. We do have a refresh token. 
// This token has been granted the following scope: 
// https://www.googleapis.com/auth/adwords 
// as documented at: 
// https://developers.google.com/adwords/api/docs/guides/authentication 
$oAuth2Credential = (new OAuth2TokenBuilder()) 
  ->withClientId('REDACTED') 
  ->withClientSecret('REDACTED') 
  ->withRefreshToken('REDACTED') 
  ->build(); 

// The ID of the client website 
// The user granting us their oAuth token has full access to this property 
// Our MCC account also has full permissions for this account for good measure
$customerId = 'xxx-xxx-xxxx'; 

$googleAdsClient = (new GoogleAdsClientBuilder()) 

  // This developer token was obtained from our MCC account, as documented here: 
  // https://developers.google.com/google-ads/api/docs/first-call/dev-token 
  ->withDeveloperToken('REDACTED') 
  ->withLoginCustomerId($customerId) 

  ->withOAuth2Credential($oAuth2Credential) 
  ->build(); 

// Just setting up a test conversion action
$conversionAction = (new ConversionAction()) 
  ->setName((new StringValue())->setValue('TEST LABEL')) 
  ->setCategory(ConversionActionCategory::PBDEFAULT) 
  ->setType(ConversionActionType::WEBPAGE) 
  ->setStatus(ConversionActionStatus::ENABLED) 
  ->setValueSettings( 
    (new ValueSettings()) 
      ->setAlwaysUseDefaultValue((new BoolValue())->setValue(true)) 
      ->setDefaultValue((new DoubleValue())->setValue(0.0)) 
  ); 

// Issues a mutate request to add the conversion action. 
$conversionActionServiceClient = $googleAdsClient->getConversionActionServiceClient(); 
$response = $conversionActionServiceClient->mutateConversionActions( 
  $customerId, [(new ConversionActionOperation())->setCreate($conversionAction)] 
); 
// That causes the exception we are seeing

At that last function call, we get an authentication exception that looks like this:

Google\ApiCore\ApiException : { 
  "message": "Request had insufficient authentication scopes.", 
  "code": 7, 
  "status": 
  "PERMISSION_DENIED", 
  "details": [] 
}

Now as far as we can tell, all the pieces are properly authorized. Any pointers? Anything obvious we are doing wrong?

[Google Ads API Forum Advisor Prod]

Hi Judah,

Can you please reply privately to author your API call request and response so I can take a closer look?

Thanks,
Anthony
Google Ads API Team

ref:_00D1U1174p._5001UV0Mwm:ref

[Judah Wright]

I used a debugger to try to pull apart the library to see what requests it was making under the hood, but after several minutes of fiddling I couldn't seem to get the raw request out of it. How would I go about getting the raw API call?

I am not interacting with the API directly, but I am using the official Google Ads PHP library. Whatever it is doing, that is what I am doing.

Is there maybe a debug mode?

~Judah

[Google Ads API Forum Advisor Prod]

Hi Judah,

You will need to follow up on your thread with the client library owners to see if there is a debug mode for the PHP library. 

[Judah Wright]

Sounds good. I posted a reply asking if there was any way to troubleshoot.

[Judah Wright]

The kind folks over on the library Github page linked me to the docs on how to enable logging within the library.

After doing so, this is what appeared in the system log:

[2020-02-12 15:39:45] local.ERROR: {

    "message": "Request had insufficient authentication scopes.",
    "code": 7,
    "status": "PERMISSION_DENIED",
    "details": []

} {"exception":"[object] (Google\\ApiCore\\ApiException(code: 7): {
    \"message\": \"Request had insufficient authentication scopes.\",

    \"code\": 7,
    \"status\": \"PERMISSION_DENIED\",

    \"details\": []
} at /redacted/vendor/google/gax/src/ApiException.php:139)

This library does not appear to be logging any service calls. A quote from "fiboknacky":

Thanks for trying. Could you please continue communicating with the agent on the forum? Thanks.

How do we move forward from here?

[Google Ads API Forum Advisor Prod]

Hello Judah,

The PERMISSION_DENIED error typically happens when there is no link between your manager and client account or if your OAuth credentials are for a user who does not have access to the client customer ID specified or any of its manager accounts.

To further investigate this, can you try to get the requestId from your API call? Please reply privately to author with this information. 

[Judah Wright]

I followed up privately with the headers and body of the response I got. I can't seem to figure out how to get the raw request, and I don't see any documentation on fetching a "requestId".