"error": "unauthorized_client"

[Tim Johnson]

Hi,

I am testing what will be a web app auth flow.

I have created an MCC account, and also have a google developer client ID and secret.  I go through the web app flow that I mimic via the Google Sandbox token process. From this process, I am able to get a refresh token.  I attempt to run a simply get campaigns script in PHP, and receive the following error:

Client error: `POST https://www.googleapis.com/oauth2/v4/token` resulted in a `401 Unauthorized` response:

{

 "error": "unauthorized_client",

 "error_description": "Unauthorized"

}

My client-id is not associated with a "service account"; it is a regular account which I use for other Google apis.  Basically, i am looking for a simply login flow to allow multiple, independent users to grant me access to their accounts. My questions are as follows:

1. Do I need to get a service account if I don't mind it Google asking the user to allow for me to have access to their account when getting a authorization code?

2. Can I simply go through "installed app" procedure as is recommended?

Please let me know if you need me to clarify any steps; thank you very much in advance.

Thanks,
Tim

[Vincent Racaza (AdWords API Team)]

Hi Tim,

If you are using a web application type of authentication, then your app requires callback URLs. You are also generating a client ID based on your web application primarily. Could you confirm if this is indeed the nature of your application? To know more regarding the difference between web application and installed application types, kindly refer here. Also, for your issue in web application type (if you can confirm that this is really your application type based on the nature of your application), please ensure that you followed the steps here.

Furthermore, based on your description (regular account which you also used in other Google APIs) of your client ID, then the recommended application type for you is installed application. You also don't need to authenticate as service account as this requires GSuite domains. For installed application type, kindly generate a new client ID and secret by following the instructions here.

Let me know if you encounter any issues after doing the suggestion.

Thanks,

Vincent

AdWords API Team

[Tim Johnson]

Hi Vincent,

Thanks very much for the prompt reply; I really appreciate it.

Concerning the nature of the application: I believe it is a installed app under that definition, but it depends on your definition of callback.  I will need users to redirect back to my page after the click a button to authorize access (as specified in the redirect_uri).  So in that sense, it will need a callback.  However, other than that: no it will not need a callback.  After they grant my app access to adwords, I will redirect to the site and my app will use that code to get a refresh token in the background.  From them onwards, I intend on making API calls to their behalf in the back-end of my program.

So am i correct in assuming this is then an installed app.  And then if so, how do I handle several users- is the "ClientCustomerId" needed for every call.  Is the refresh token not enough to verify specific calls to specific campaigns and adsets? 

Cheers,

Greg

[Vincent Racaza (AdWords API Team)]

Hi Greg,

Thanks for the clarification.

From your detailed explanation, it seems that you need to use a web application flow since you have a redirect URIs or callbacks. That said, kindly generate your client ID and secret again using the web application type. Also, you need to configure your client library for web app flow.

Follow the steps above first and let me know if you encounter any issues. Also, both installed app and web application type require a clientCustomerId in every call except CustomerService and ReportDefinitionService. You can check here for more details regarding the underlying API call structure.