Create customer account using by ads API

152 views
Skip to first unread message

Myung Ju Park

unread,
Mar 27, 2019, 5:37:07 AM3/27/19
to AdWords API and Google Ads API Forum

Hi,


I'm doing to implementation for Google ads automation system through by Google APIs.

My code is referenced to documents of Google Ads API. ( https://github.com/googleads/googleads-php-lib/blob/master/examples/AdWords/v201809/AccountManagement/CreateAccount.php )

I have a two ideas for implementation it.

However, when I execution my code then I can seeing some problem (AuthorizationError.USER_PERMISSION_DENIED).

So I wish your review and evaluation about it.


1. common configurations.

First, I made 'client ID' and 'client secret' from "Google API Console Credentials page.".

This values is 11111111111-aaaaaaaaaaaaaaaaa.apps.googleusercontent.com (client ID) and bbbbbbbbbbbbbbbb (client secret).

Second, I finished to confirm and received the developer token from Google.

This value is "cccccccccccccc_ddddd".

Third, I sended to MCA (Multi-client account) request to Google for using my merchant center and I got approved it.


My client customer id for Google Ads API is 111-222-3333.


- preconditions for below two ideas.

Alice : customer of this service (al...@google.com)

Service : partner of Google (service...@google.com) <-- implemented code


2. Idea 1

First, creating Google Ads account to using Alice's refresh token.

So, Service called by grantOfflineAccess() from gapi.auth2.getAuthInstance() of javascript for got Alice's offline code.

Before at this time, Service called gapi.client.init().

"apiKey" property value is "yyyyyyyyyyyyyyyyyy_zzzzzzzzzzzzzzzzzzzzzz" in gapi.client.init() function.

And the after, Service thrown by Alice's offline code to background process.

- code -

<script>

var GoogleAuth;
var SCOPE = "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/siteverification https://www.googleapis.com/auth/content https://www.googleapis.com/auth/adwords";
var offlineCode;

gapi.client.init({         'apiKey': 'yyyyyyyyyyyyyyyyyy_zzzzzzzzzzzzzzzzzzzzz',
        'discoveryDocs': ["https://www.googleapis.com/discovery/v1/apis/drive/v3/rest"],
        'clientId': '11111111111-aaaaaaaaaaaaaaaaa.apps.googleusercontent.com',
        "prompt" : "consent",
        'scope': SCOPE
}).then(function () {
        GoogleAuth = gapi.auth2.getAuthInstance();
        GoogleAuth.isSignedIn.listen(updateSigninStatus);

        $('#btnGoogleSignIn').click(function() {
                handleAuthClick();
        });
});

function handleAuthClick()
{
        if (GoogleAuth.isSignedIn.get())
        {
                GoogleAuth.signOut();
        }
         else 
        {
                GoogleAuth.grantOfflineAccess({
                         "prompt" : "consent",
                        'scope': SCOPE
                }).then(function(resp) {
                        offlineCode = resp.code;
                });
        }
}

</script>



Second, background process was getting Alice's refresh token by below code.

$scopes = PROFILE_API_SCOPE.' '.EMAIL_API_SCOPE.' '.SITEVERIFICATION_API_SCOPE.' '.CONTENT_API_SCOPE.' '.ADWORDS_API_SCOPE;

$oauth2 = new OAuth2([
        'authorizationUri' => "https://accounts.google.com/o/oauth2/v2/auth",
        'redirectUri' => 'postmessage',
        'tokenCredentialUri' => CredentialsLoader::TOKEN_CREDENTIAL_URI,
        'clientId' => "11111111111-aaaaaaaaaaaaaaaaa.apps.googleusercontent.com",
        'clientSecret' => "bbbbbbbbbbbbbbbb",
        'scope' => $scopes
]);

$oauth2->setCode(/* Alice's offline code */);
$authToken = $oauth2->fetchAuthToken();


Third, if successded getting Alice's refresh token then background process was trying create account of Google Ads by below code.

$oAuth2Credential = (new OAuth2TokenBuilder())->withClientId("11111111111-aaaaaaaaaaaaaaaaa.apps.googleusercontent.com")->withClientSecret("bbbbbbbbbbbbbbbb")->withRefreshToken(/* Alice's refresh toekn */)->build();
$session = (new AdWordsSessionBuilder())->withDeveloperToken("cccccccccccccc_ddddd")->withOAuth2Credential($oAuth2Credential)->withClientCustomerId("111-222-3333")->build();

$adWordsServices = new AdWordsServices();

$managedCustomerService = $adWordsServices->get($session, ManagedCustomerService::class );

$customer = new ManagedCustomer();
$customer->setName('Account #' . uniqid());
$customer->setCurrencyCode('KRW');
$customer->setDateTimeZone('Asia/Seoul');

$operations = [];
$operation = new ManagedCustomerOperation();
$operation->setOperator(Operator::ADD);
$operation->setOperand($customer);

$operations[] = $operation;
$customer = $managedCustomerService->mutate($operations)->getValue()[0];
return $customer->getCustomerId();


However, I've got error.

Error message is "AuthorizationError.USER_PERMISSION_DENIED".


This approach is to wrong??


3. Idea 2

In obviously, I trying to using by refresh token of Service then upon process is success.

So, I thought, this process is can creating account not using Alice's refresh token, just using refresh token of Service.

If creating account is success then able to getting customer ID of creation account.

And then Service is insert Database to that customer ID and Alice's unique information (E.g. Alice's ID of Service or email address or cellphone number or etc.,).

And the after, if Alice will be trying registration to Ad service then background process is registration to Ad service by account of Service.

Maybe that is correct.


I have a question about this idea.

Service don't need Alice's refresh token according to this idea.

Why Alice is oAuth login to Google???




best regards.

googleadsapi...@google.com

unread,
Mar 27, 2019, 1:04:40 PM3/27/19
to taes...@gmail.com, AdWords API and Google Ads API Forum
Hello Myung,

I see that you are trying to create an account and facing USER_PERMISSION_DENIED. Usually you face USER_PERMISSION_DENIED error when your OAuth credentials are for a user who does not have access to the client customer ID specified or any of its manager accounts. Does Alice's email address have access to the client customer Id mentioned in the API call? You could share the Alice's email address and the Client Customer Id passing in the request to investigate further. You could use reply privately to the author option while sharing the information requested.

Regards,
Sai Teja, Google Ads API Team


=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Also find us on our blog and discussion group:
    http://googleadsdeveloper.blogspot.com/search/label/adwords_api
    https://developers.google.com/adwords/api/community/
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~

Myung Ju Park

unread,
Mar 27, 2019, 9:37:19 PM3/27/19
to AdWords API and Google Ads API Forum
Hello, Sai Teja.
Thanks for your reply.

I already mentioned, Alice is not have grant to access of client customer ID Service.
Because Alice is just customer and own client customer ID is have not yet.
I want to making service like to below flow.

oAuth login (Alice)
-> create account in Google Ads by Alice's account. (automation) 
-> invite Alice's created Google Ads account to this Service
-> create Google merchant center Account by Alice's account. (automation, if approved to inviting from this Service) 
-> link to between Alice's Google Ads account and merchant center account.
-> Alice is able to Google Ads creating, modifying, stopping and all of them about Google Ads in this Service.

Do you have an idea??

Best regards.

2019년 3월 28일 목요일 오전 2시 4분 40초 UTC+9, googleadsapi-forumadvisor 님의 말:

googleadsapi...@google.com

unread,
Mar 28, 2019, 1:43:47 PM3/28/19
to AdWords API and Google Ads API Forum
Hello Myung,

You are trying to create a new account with the Alice's credentials(assuming Alice is a brand new user does not have any Google Ads account), which is causing the USER_PERMISSION_DENIED error. Via API you cannot create client accounts directly, you will be be able to create client accounts via manager account only. You have to use credentials of the user having access to the manager account and the client customer id of the manager account in your ManagedCustomerService API call. While creating the managed account using ManagedCustomerService.Mutate operation you could use inviteeEmail and inviteeRole parameters to invite Alice to the newly created managed client account. Also, in order to user inviteeEmail in your API call you account should be whitelisted. You can contact your account manager at google to raise a request for whitelisting.

By following the steps described above, Alice should be able to create a new account under a manager account having access to create and modify Ads in the newly created account. That should answer questions 1,2 and 5. 

Regarding questions 3, creating merchant center to the Google Ads account cannot be performed via AdWords API. If you want to know the feasibility of performing these steps via Merchant center API, you could post the question on their forum from here

Regarding question 4, you need to send an invitation from the Merchant Center UI to the Google Ads account then you can use AdWords API to accept the invitation. You could refer this guide for more information.


Regards,
Sai Teja, Google Ads API Team


=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Also find us on our blog and discussion group:
    http://googleadsdeveloper.blogspot.com/search/label/adwords_api
    https://developers.google.com/adwords/api/community/
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~

Was your question answered? Please rate your experience with us by taking a short survey.
If not -- reply to this email and tell us what else we can do to help.

Take Survey

Myung Ju Park

unread,
Mar 28, 2019, 7:52:09 PM3/28/19
to AdWords API and Google Ads API Forum
Hello Sai Teja.

Thanks for your help.
Your advise is very helpful to me.
I'll try to that.

Best regards.


2019년 3월 29일 금요일 오전 2시 43분 47초 UTC+9, googleadsapi-forumadvisor 님의 말:
Reply all
Reply to author
Forward
0 new messages