Can we create Refreshtoken per account or per client id and client secret?

[hari krishna]

Hi , 

Can you Please let us know whether  we can create Refreshtoken per customerid (clientCustomerId=000-000-0000) or per client id (000000000000-XXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com)and client secret?

If we are able to create Refreshtoken per clientCustomerId, Then can we use same refresh token for other clientCustomerId with the same client id and client secret. 

api.adwords.clientId=000000000000-XXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com

api.adwords.clientSecret=xxxxxxxxxxxxxxxxxxxxxxxxxxx

api.adwords.clientCustomerId=000-000-0000

Problem is we have got separate refreshtoken for each clientCustomerId from a adwords account manager who manages our adwords accounts.  

But I am using java client library where i used to setup only one Refreshtoken as below in ads.properties. I am confused now on how to use different refreshtokens given by our adwords account manager for different  clientCustomerIds.

api.adwords.refreshToken=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I used to create refresh token as given in documentation when i am developing java code. https://github.com/googleads/googleads-java-lib/wiki/API-access-using-own-credentials-(installed-application-flow)#step-2---setting-up-the-client-library

Thanks!

Hari. 

[Peter Oliquino]

Hi Hari,

Refresh tokens and the rest of the credentials should be created using an email address that has access to a specific client account. For simplicity, if you wish to be able to use only a single set of OAuth2 credentials, I would recommend that you identify an email address which has access to your Root MCC account and while logged in to the said email address, you may then generate the OAuth2 credentials (refreshToken, clientId and clientSecret).

This will allow you to automatically have access to all other sub accounts under the said MCC. I hope this has been helpful and feel free to write back for any follow ups.

Thanks and regards,

Peter

AdWords API Team

[hari krishna]

Thanks Peter for quick replay,

Below are sequence of event happened in between me and campaign manager of our adwords accounts. 

1) We tested few google adwords APIs using our test account with the credentials  we created our self and all are working fine. 

2) Then  we requested campaign manager of adwords accounts (third party vendor) to provide client id , client secret, developer token and refresh token (token for one of our customerclientID)to connect to production accounts which they are maintaining on behalf of us. 

3) I used above details and try to get access token  to use for other api operations.

4) Next day they came back(third party vendor) and told that we locked their all accounts. 

I just used below code to test the credentials which they provided. I just want to know is it possible to lock all accounts if I test like above.If possible what is the exact reason behind it so that we will not do that next time.  

If my code is not causing this then is there any chance that you can tell what could be the reason or other possible reasons to lock all their adwords accounts which they are maintaining. 

@Override

public AdWordsSession generateAdwordsSession(final Properties prop) {

String dpTokenUrl = (String) prop.getProperty(DP_TOKEN_URL);

Credential oAuth2Credential = new GoogleCredential();

try {

oAuth2Credential = new OfflineCredentials.Builder().forApi(Api.ADWORDS).withTokenUrlServer(dpTokenUrl).fromFile().build()

.generateCredential();

return new AdWordsSession.Builder().fromFile().withOAuth2Credential(oAuth2Credential).build();

} catch ( ValidationException | ConfigurationLoadException e) {

LOGGER.error("Error in getting AdwordsSession with given credentials", e);

return null;

} catch (Exception e) {

LOGGER.error("Exception in getting AdwordsSession with given credentials", e);

return null;

}

}

Thanks!

Hari. 

Thanks!

Hari.

[Peter Oliquino]

Hi Hari,

Regarding the usage of test and production accounts, I'm afraid that it is not possible to link both the test accounts and production accounts as they belong in completely different environments and hierarchies. Also, as mentioned in my previous reply, if you wish to manage all accounts under a certain MCC, you may generate OAuth2 credentials using an email address which has administrative access on the said MCC account.

As for locking accounts, it all depends on the OAuth2 credentials that you use. The said credentials allows users/developers to manage the information of your accounts and users that do not use the correct credentials are not permitted or will be unable to modify the information within the said account. As for locking the account itself, I'm afraid that it currently isn't possible via the AdWords API. As long as the user/developer is using the correct credentials, they may be able to apply changes. Let me know if this helps and feel free to correct me if my understanding is incorrect.

[hari krishna]

Thanks Peter, 

Seems I could not give correct information to you. 

we are not mixing production and test accounts. 

We used different credentials for our test account for testing our code. After we are sure that our code is working fine then we planned to move our code to production and  we requested our campaign manager(Third party vendor who manages our campaigns ) to provide all production credentials like clientsecret, clientid,developer token and refresh token so that we can automate campaign management through our developed code/apis for our production accounts not test accounts. 

I just want to make sure that our approach is correct and it should not lock their MCC accounts/Expire refreshtokens/clientids ets.. So that we can go back to them and tell that is not our fault. If there is any fault in our side then we will correct so that it will not repeat again. 

If there is any on call support then i am very happy and I can call and explain in more details, Please let me know if is there anything like this. 

Thanks!

Hari. 

[Peter Oliquino]

Hi Hari,

My apologies if my understanding was incorrect. Regarding your third step "I used above details and try to get access token  to use for other api operations.", could you confirm if you generated new OAuth2 credentials for the said account? If yes, did you also inform the client that you generated new ones and gave them the newly created credentials?

Moving forward and to better identify the issue you are encountering, could you provide the generated SOAP request and response generated when the client informed you that they are no longer able to access their accounts? You may reply to me privately via the Reply privately to author option.