AuthorizationError.USER_PERMISSION_DENIED

[Minas Gratas]

Hello,

I am working on a basic application which does reporting for our clients. It work for my MCC account but I want my clients to log in with their Adwords accounts and see their campaigns, ad groups and keywords.

Basically, I am having an issue on the first step of OAUTH here.

use Google\Auth\OAuth2;
require_once 'adwords/api/vendor/autoload.php';
use Google\AdsApi\AdWords\AdWordsServices;
use Google\AdsApi\AdWords\AdWordsSessionBuilder;
use Google\AdsApi\AdWords\v201609\cm\CampaignService;
use Google\AdsApi\AdWords\v201609\cm\OrderBy;
use Google\AdsApi\AdWords\v201609\cm\Paging;
use Google\AdsApi\AdWords\v201609\cm\Selector;
use Google\AdsApi\Common\OAuth2TokenBuilder;
session_start();
$oauth2 = new OAuth2([
    'authorizationUri' => 'https://accounts.google.com/o/oauth2/v2/auth',
    'tokenCredentialUri' => 'https://www.googleapis.com/oauth2/v4/token',
    'redirectUri' => 'http://localhost:32492/adoauth/',
    'clientId' => '****',
    'clientSecret' => '*****',
    'scope' => 'https://www.googleapis.com/auth/adwords'
]);
if (!isset($_GET['code'])) {
    // Create a 'state' token to prevent request forgery.
    // Store it in the session for later validation.
    $oauth2->setState(sha1(openssl_random_pseudo_bytes(1024)));
    $_SESSION['oauth2state'] = $oauth2->getState();

    // Redirect the user to the authorization URL.
    $config = [
        // Set to 'offline' if you require offline access.
        'access_type' => 'offline'
    ];
    header('Location: ' . $oauth2->buildFullAuthorizationUri($config));
    exit;
}
 elseif (empty($_GET['state'])
    || ($_GET['state'] !== $_SESSION['oauth2state'])) {
  unset($_SESSION['oauth2state']);
  exit('Invalid state.');
} else {
    $oauth2->setCode($_GET['code']);
    $authToken = $oauth2->fetchAuthToken();
$session = (new AdWordsSessionBuilder())
    ->fromFile()
    ->withOAuth2Credential($oauth2)
    ->build();
$adWordsServices = new AdWordsServices();

$campaignService = $adWordsServices->get($session, CampaignService::class);
$selector = new Selector();
$selector->setFields(array('Id', 'Name'));
$selector->setOrdering(array(new OrderBy('Name', 'ASCENDING')));
$page = $campaignService->get($selector);
if (isset($page->entries)) {

    foreach ($page->entries as $campaign) {
        $campaigns[] = ['id'=>$campaign->id, 'name'=>$campaign->name, 'status'=>$campaign->status];
    }
    return $campaigns;
} else {
    print "No campaigns were found.\n";
}
}

So I am giving permissions on consent screen, thenI should get the authenticated users data such as campaigns, ad groups. However I am having this error;

Fatal error: Uncaught exception 'Google\AdsApi\AdWords\v201609\cm\ApiException' with message '[AuthorizationError.USER_PERMISSION_DENIED @ ; trigger:'<null>']

Can someone please help me what I am missing?

Also I am using two different libraries here, one for oAuth and one for Adwords API.

Thank you

[Sreelakshmi Sasidharan (AdWords API Team)]

Hi, 

The USER_PERMISSION_DENIED error occurs if the client account is not linked to the manager account or, in a different scenario where the OAuth credentials do not match the client customer ID that was specified in the request. I would suggest to check if the accounts are properly linked and also ensure that you are logged into the right account while you accept the action on the consent screen.

Thanks,

Sreelakshmi, AdWords API Team

[Minas Gratas]

Hi Sreelakshmi,

Thank you for your reply. I will check it but is it possible to use my own credentials but let users to login with their information?

[Sreelakshmi Sasidharan (AdWords API Team)]

Hi Minas, 

To make successful API calls, the login used to create the client credentials must match the login with which you generate the OAuth tokens. 

If your question is about how multiple users can access your Adwords accocunt, please check this document which talks about that in detail. Please note that each of these new users will have to go thorough the OAuth set up for them to make the API calls. 

Thanks,

Sreelakshmi, AdWords API Team

[Minas Gratas]

To make successful API calls, the login used to create the client credentials must match the login with which you generate the OAuth tokens.

Actually, I want anyone with their credentials to be able to login to the application. I can access with my own credentials however this application is intended to generate a dashboard for a user who logs in. These users are not necessarily MCC users. Is this doable at all?

https://github.com/googleads/googleads-php-lib/wiki/API-access-on-behalf-of-your-clients-(web-flow) here it says on behalf on your clients. 

Some apps asks your permissions to manage your  Adwords account and if I login with a normal (non-MCC) account it reaches my campaigns and ad groups etc. I am having an issue on authentication and authorisation step.

[Josh Averbeck]

Hi Minas, 

Did you ever find a solution to this? I'm having the same issue.

[Sreelakshmi Sasidharan (AdWords API Team)]

Hi Josh, 

Are you getting USER_PERMISSION_DENIED error? Could you Reply privately to author and share sample SOAP logs (request/response) with me? 

Thanks,
Sreelakshmi, AdWords API Team.

[Ali Texa]

Hi, Sreelakshmi.

I have same errors.

How can I fix it?

[Sreelakshmi Sasidharan (AdWords API Team)]

Hi Ali, 

Could you please Reply privately to the author and share your SOAP logs (request/response) and the email Id of the user who is authenticating the API call? 

[adw...@avanser.com.au]

Hi,

We are having an issue using our Developer Token to access a production AdWords account for uploading offline conversions. When we test our script using an Authorisation Code that was generated using our AdWords Test Account, the authorisation is successful and the upload only fails at a later step as offline conversions can't be uploaded to test accounts.

However, when we try to test against our production account, we get the following error:

Client error: `POST https://www.googleapis.com/oauth2/v4/token` resulted in a `400 Bad Request` response:
{
    "error": "invalid_grant",
    "error_description": "Invalid code."
}

The error type returned by the API is AuthorizationError.USER_PERMISSION_DENIED

We have checked, and our Developer Token definitely has the "Basic access" access level, meaning we should be able to access productions accounts. We have tried generating the authorisation token from both our manager account, and directly from the AdWords account that we are trying to upload to. 

Could you please advise on what could be causing this issue? Any help would be greatly appreciated.

Thanks.

[Shwetha Vastrad (AdWords API Team)]

Hi, 

Could you confirm that you generated the refresh token by logging in to your production manager account when you switched from test to production environment? Please provide a sample request and response log along with the email address used to generate the refresh token so I can take a look. Please use Reply privately to author when responding. 

Regards,

Shwetha, AdWords API Team.

[Amrender kumar]

Hi Shwetha,

I am facing somewhat similar problem when I am trying to set a link between client user and a manager account. Here is the error briefly:

Fatal error:  Uncaught exception 'Google\AdsApi\AdWords\v201705\cm\ApiException' with message '[ManagedCustomerServiceError.NOT_AUTHORIZED @ operations[0]]' in .COMPLETE_PATH/clickenforcer/web/adwords/vendor/googleads/googleads-php-lib/src/Google/AdsApi/Common/Util/Reflection.php:39
Stack trace:

Can you please guide me how can I fix it. I am using mutateLink function to make the link between the user and a manager user.

Thanks,

Amrender