Resetting the developer token - would it preserve the OAuth grants?


AdWordsApiUser

Sep 28, 2014, 7:16:01 AM
to adwor...@googlegroups.com
Hello,

My boss wants me to reset the developer token every N days. Would the OAuth2 grants be lost once I do that? 

Thanks!
MG

Josh Radcliff (AdWords API Team)

Sep 29, 2014, 10:01:09 AM
to adwor...@googlegroups.com
Hi MG,

No, the OAuth2 grants will not be lost. The developer token is not linked to the OAuth2 credentials. However, if you take this approach you'll have to ensure that any code using the previous developer token picks up the new one. Per the AdWords API Center:

Please note that we advise against resetting your developer token, except in rare cases such as a compromised or stolen token. When you reset it:
Any code using your previous developer token will not function.
This action is final and cannot be undone.

What is the motivation behind resetting the developer token on a monthly basis?

Cheers,
Josh, AdWords API Team

AdWordsApiUser

Sep 29, 2014, 10:17:44 AM
to adwor...@googlegroups.com
Thanks for your reply Josh!

We're putting an internal security policy in place, and are deciding what all should be reset every month (think of it as enforcing a periodic password change policy).

There is also the client secret that can be reset in the Google API console. Should we reset that instead? Could you also confirm if resetting the client secret would have any impact on existing OAuth2 grants?

Out of curiosity, why does the API team recommend not resetting the developer token?

Cheers, and have a good week everyone!
MG

Anash P. Oommen (AdWords API Team)

Sep 30, 2014, 9:35:50 AM
to adwor...@googlegroups.com
Hi MG,

Resetting the developer token every month doesn't give you any extra benefit from a security standpoint. The only situation in which it makes sense to reset a developer token is when it gets shared with someone, and you don't want that person making API calls using that token. On the other hand, resetting a developer token means that you have to redeploy your application with the new developer token (since the old token no longer works), and it becomes difficult for us to troubleshoot an issue you may have, since the issue might have happened a couple of months back, and tracking by token becomes difficult since you'd have reset the developer token a couple of times by then. The developer token doesn't influence account ACLs.

You can reset the clientSecret as part of the security policy. When doing an offline flow, ClientSecret is the secret passphrase that proves to the authentication server that the client app is authorized to make a request on behalf of the user. See some discussion here.

IMO the best way to enforce a password policy would be to require that your AdWords account's password is reset AND your refresh token is revoked at regular intervals. 

Cheers,
Anash P. Oommen,
AdWords API Advisor.