OAuth Authentication issue


cv

Mar 22, 2017, 7:57:23 AM
to AdWords API Forum
Hello,

I am using OAuth 2.0 for authentication. I have used the Authorization Code Grant and am requesting "offline" scope.

I have a refresh token with me, and based on the refresh token I am able to get an access token.

Now my client changed the password 3-4 days ago, but I can still get the data with the refresh token I have from the old password.

Is this the right behaviour?

I am thinking that if the password changed, I could not get data, with immediate effect.

This looks a little weird. Please let me know what I can do to prevent this.


Thanks,



Sreelakshmi Sasidharan (AdWords API Team)

Mar 22, 2017, 1:48:56 PM
to AdWords API Forum
Hi,

The details explained are in sync with the expected behavior.

By following the steps that you have explained, your application authorized the user during the very first API call. During this call you were required to be logged in as that specific user and to grant permission to the API by manually accepting the prompt in the browser. Once this step was completed, the OAuth flow generated a refresh token, which was saved in your local directory as the credential corresponding to that specific user. This refresh token is used in every subsequent API call to generate the access token. User authentication for all these calls is done using the refresh token together with the client credentials, which were also generated prior to the first call using the specific user ID.

That said, changing the password of your email account should not impact the API calls until you revoke the current refresh token. If you revoke the existing refresh token, you will need to repeat the same steps that you did for your very first API call.

Please let me know if you have any additional questions.

Thanks,
Sreelakshmi, AdWords API Team

Zweitze

Mar 22, 2017, 4:37:34 PM
to AdWords API Forum
Sreelakshmi's response is basically correct, and the witnessed behavior is intended.

What you can do:
1. Build a "logout" functionality which revokes the refresh token.
2. Tell the user to visit the My Google Account web page (logged in as the intended user) and then follow the link "Connected apps and sites". This page is a true gem! You can withdraw any app or site; each corresponds to a refresh token.

If you want to automatically log out when the password changes, that is possible too:
The documentation on expiration of tokens states that a refresh token also expires when "The user changed passwords and the token contains Gmail scopes." Remember that when you ask the user to authorize, you pass a scope saying that you want to access the AdWords information. You can actually pass multiple scopes and use the same token for multiple APIs. So if you add one of the Gmail scopes, all should be OK. The downside is that when authorizing, the user sees that your software needs access not only to his AdWords accounts but also to his Gmail.

Hope this helps.

cv

Mar 24, 2017, 12:26:52 AM
to AdWords API Forum
Hello Sreelakshmi / Zweitze,

Thanks for the quick reply.

But this behaviour was not the same earlier; I mean, earlier, if the user changed the password, the API would not give a response, instead saying USER_PERMISSION_DENIED.

This must be the same for every scope, and not only if we include the Gmail scope?


Thanks,

Sreelakshmi Sasidharan (AdWords API Team)

Mar 24, 2017, 11:32:54 AM
to AdWords API Forum
Hi,

As Zweitze mentioned in his response, unless you are including the Gmail scope while authenticating (if you are using a Gmail address as the user ID), you should not see any impact from changing your email ID password.

The USER_PERMISSION_DENIED error usually occurs if the client account is not linked to the manager account or, in a different scenario, if the OAuth credentials do not match the client customer ID that was specified in the request. We have not had any issues reported where the API returned USER_PERMISSION_DENIED when the password of the linked email account was modified. However, if you happen to see this error at any time in the explained scenario, please share the SOAP logs and other details. We would like to investigate it further.

Zweitze

Mar 27, 2017, 5:49:36 AM
to AdWords API Forum
OAuth error responses are terrible. I think it only knows two error codes: an expired access token and everything else. This is reflected in client libraries; for instance, the .NET client library just throws its response away and throws a general OAuth exception.

In other words, you can't determine why a refresh token failed.
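The following is an added example, not code from this thread or from Google's client libraries. It puts together the two practical points raised above: Zweitze's first reply (a "logout" that revokes the stored refresh token, and requesting a Gmail scope alongside the AdWords scope so that Google expires the refresh token when the user changes their password) and his last reply (the token endpoint does return a structured OAuth error, so a refresh routine can preserve it instead of collapsing everything into one generic exception). Endpoint URLs and scope strings are Google's published ones; the client_id, client_secret, redirect_uri and the in-memory credential store are placeholders, and the HTTP transport is injectable so the logic can be exercised offline.

```python
"""Added example (not from the thread): OAuth 2.0 refresh-token lifecycle
against Google's endpoints with a usable error path and a revoking logout.
Endpoints and scopes are Google's; client ids, secrets, redirect URI and the
credential store are placeholders."""
import json
import urllib.error
import urllib.parse
import urllib.request

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke"
ADWORDS_SCOPE = "https://www.googleapis.com/auth/adwords"
GMAIL_READONLY_SCOPE = "https://www.googleapis.com/auth/gmail.readonly"

# Next step for the application, derived from the token endpoint's error code.
REAUTHORIZE, FIX_CLIENT, RETRY, UNKNOWN = "reauthorize", "fix_client", "retry", "unknown"


def build_authorization_url(client_id, redirect_uri, state, scopes=(ADWORDS_SCOPE,)):
    """Authorization Code Grant URL.  access_type=offline asks for a refresh
    token; prompt=consent forces the consent screen so a new refresh token is
    issued after an earlier one was revoked.  Multiple scopes are passed
    space-separated in the single 'scope' parameter (e.g. AdWords + Gmail)."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": " ".join(scopes),
              "access_type": "offline", "prompt": "consent",
              "state": state}  # anti-CSRF value; verify it on the redirect
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def _http_post(url, form):
    """Default transport: form-encoded POST, returns (status, body_bytes)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def _error_fields(body):
    """Pull 'error' and 'error_description' (RFC 6749 sec. 5.2) out of a body."""
    try:
        doc = json.loads(body.decode() if isinstance(body, bytes) else body)
    except ValueError:
        doc = {}
    return doc.get("error", "unknown"), doc.get("error_description", "")


def classify(status, error):
    """Map the OAuth error code to what the application should do next."""
    if error == "invalid_grant":  # refresh token revoked, expired, or consent withdrawn
        return REAUTHORIZE
    if error in ("invalid_client", "unauthorized_client"):  # our own config is wrong
        return FIX_CLIENT
    if status >= 500:  # server-side trouble, not a dead token
        return RETRY
    return UNKNOWN


class TokenRefreshError(Exception):
    """Keeps the server's error code and description instead of discarding them."""
    def __init__(self, status, error, description):
        self.status, self.error, self.description = status, error, description
        self.action = classify(status, error)
        super().__init__(f"{status} {error}: {description} (action={self.action})")


def refresh_access_token(client_id, client_secret, refresh_token, post=_http_post):
    """Exchange a refresh token for an access token; on failure raise
    TokenRefreshError carrying the token endpoint's own error fields."""
    status, body = post(TOKEN_ENDPOINT, {"grant_type": "refresh_token",
                                         "refresh_token": refresh_token,
                                         "client_id": client_id,
                                         "client_secret": client_secret})
    if status == 200:
        return json.loads(body.decode())["access_token"]
    raise TokenRefreshError(status, *_error_fields(body))


def logout(credential_store, user_id, post=_http_post):
    """Revoke the user's refresh token (which also invalidates access tokens
    minted from it) and drop it from the placeholder {user_id: refresh_token}
    store, so the next call must redo the consent flow.  Google answers 200 on
    success and 400 {"error": "invalid_token"} when the token is already dead;
    the stale local copy is discarded in both cases."""
    token = credential_store.get(user_id)
    if token is None:
        return False
    status, body = post(REVOKE_ENDPOINT, {"token": token})
    revoked = status == 200
    if revoked or _error_fields(body)[0] == "invalid_token":
        credential_store.pop(user_id, None)
    return revoked
```

The point of `classify` is the one Zweitze makes about client libraries: an `invalid_grant` from the token endpoint means the refresh token is gone (revoked by the user on the "Connected apps and sites" page, expired, or, with a Gmail scope attached, killed by a password change) and the only fix is to send the user back through `build_authorization_url`; a 5xx or an `invalid_client` calls for a retry or an operator, not a re-consent prompt. Treating all three as one generic OAuth exception is exactly what makes the failure undiagnosable.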