Distributing Applications & OAuth Authorisation Credentials


StewartR

Jan 22, 2016, 8:47:19 AM
to AdWords API Forum
Hi, 

We have used the API internally for a while and follow the OAuth Application flow to do so. We have authorised our own MCC and securely store the refresh token which we pass to the API with our developer token with each request. This process is nice and easy because, right now, all the accounts we access are inside our MCC so we can just keep all the credentials locally.

My question relates to how we could release an application externally for others to use and which credentials would need to be distributed with the application.

As I understand it there are 2 parts to the OAuth2 application flow:

1. Having the user authorise our application
2. Using credentials obtained from (1) in order to obtain data from the API for the user's AdWords account.

For part 1 I understand that I need to direct the user to the https://accounts.google.com/o/oauth2/auth URL with a query parameter providing our application's client-id, yes? Assuming the user gives consent, the application would then capture the authorization code from the redirected page and make a new request to https://accounts.google.com/o/oauth2/token passing along the authorisation code along with our client-secret in order to obtain a refresh token, yes?

The result of part 1 is a refresh token which could then be stored on the user's machine ready for use in part 2.

For part 2 I need to pass that locally stored refresh token and our developer-token along in order to authenticate the request (which would be handled inside a client library to ease the exchange of refresh token for authorisation token).

Surely this means that our client-Id, client-secret and developer token must all be distributed with the published application? Should they therefore be encrypted in some way or is it safe to store them 'in the clear' and/or just hard-code them? If encryption is required is there client library support for this part? (specifically the .NET client library?)

Many Thanks
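
The part 1 exchange described in the post above, as an added example that is not part of the original post or of any Google client library: it builds the consent URL, extracts the authorization code from the redirect, and builds the token request body, showing that only the client ID appears in the browser while the client secret appears only in the token request. The client ID, client secret, loopback redirect URI and the `state` check are assumptions added for illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"    # from the post
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"  # from the post
ADWORDS_SCOPE = "https://www.googleapis.com/auth/adwords"

# Placeholders (assumptions): values the publisher would register, not real ones.
CLIENT_ID = "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com"
CLIENT_SECRET = "PLACEHOLDER_CLIENT_SECRET"
REDIRECT_URI = "http://127.0.0.1:8080/callback"  # assumed local listener


def build_consent_url(state):
    """Step 1a: URL opened in the user's browser; no secret is included."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": ADWORDS_SCOPE,
        "access_type": "offline",  # request a refresh token
        "state": state,            # random value echoed back in the redirect
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def extract_code(redirect_url, expected_state):
    """Step 1b: read the authorization code from the redirect, checking state."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError("consent refused: " + query["error"][0])
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch; discard this redirect")
    return query["code"][0]


def build_token_request(code):
    """Step 1c: form body POSTed to TOKEN_ENDPOINT; the client secret is here."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
    }
```

In real use the `state` value would come from `secrets.token_urlsafe()` and the body from `build_token_request` would be sent as a form-encoded POST over HTTPS.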

Yin Niu

Jan 22, 2016, 12:16:19 PM
to AdWords API Forum
Hello, 

Can you clarify what type of application you would like to publish? Are you going to let your users use the MCC account that you are using right now, which means if they have the credentials, they will be able to access all accounts under this MCC? Or is this going to be a generic application so that the user can configure their own MCC and credentials?

Thanks,
Yin, AdWords API Team. 

StewartR

Jan 22, 2016, 5:04:08 PM
to AdWords API Forum
Hi,

Thanks for your response. This is for a generic application where users would configure their own accounts.

Stewart Robertson

Jan 23, 2016, 11:55:25 AM
to adwordsap...@google.com, AdWords API Forum



Hi,

That doesn't seem right at all. I guess I must not have managed to explain my situation properly? 

Users of the third party tool we are developing should surely be able to use it without having to register an application with the Google console app, sign up for a developer token, etc?

There are many 3rd party applications out there where users just sign in to their own account using the application itself. We want to use that authorization flow.



From: adwordsap...@google.com <adwordsap...@google.com>
Sent: 22 January 2016 22:16
To: Stewart Robertson
Cc: AdWords API Forum
Subject: RE: [1-2560000010334] Distributing Applications & OAuth Authorisation Credentials
 
Hi, 

In that case, I would say that you don't need to give out your credentials or tokens. You let the user configure the application.

Thanks,
Yin Niu, AdWords API Team. 
