How to troubleshoot the error "AuthorizationError.USER_PERMISSION_DENIED".


Bikram Bhuyan

Apr 21, 2015, 1:54:54 PM
to adwor...@googlegroups.com, bikram...@etrigue.com
Hi AdWords Team,

We are a SaaS provider and we have implemented AdWords integration for some of our clients. The integration has been working perfectly fine for many of the clients, but for one client we are getting the error "AuthorizationError.USER_PERMISSION_DENIED". From this it looks like the client did not use the right process to do the OAuth process, but when talking to the client, they say they have used the right account. But from the data we captured after the OAuth process, we cannot tell which account was used to do the setup, as we have only the refresh token for the client.

Could you please suggest what we can do to troubleshoot the problem? If you want the details for this transaction, please let me know.

We need some help from the AdWords support urgently.

Thanks,
Bikram.

Josh Radcliff (AdWords API Team)

Apr 22, 2015, 9:34:42 AM
to adwor...@googlegroups.com, bikram...@etrigue.com
Hi Bikram,

One approach you could take would be to use the refresh token to generate an access token, and then use that access token in a CustomerService.get request without specifying the clientCustomerId SOAP header. This will result in one of two possible outcomes:
  1. If the user associated with the token has an AdWords account, then you'll get back a Customer object for that account. You can get the account's customer ID from the Customer.customerId field and compare that to the clientCustomerId you are trying to access in your other API requests. If the two do not match, then that would explain the USER_PERMISSION_DENIED error.
  2. If the user associated with the token does not have an AdWords account, then you'll probably get back an AuthorizationError with reason NO_ADWORDS_ACCOUNT_FOR_CUSTOMER. I haven't actually tried this myself, but that's what I suspect will happen.

Another tip: you can inspect the scope and expiry time of an access token by appending it to the end of the following URL:


This will return output similar to the following sample for a valid AdWords access token:

{
 "issued_to": "1....................apps.googleusercontent.com",
 "audience": "1.....................apps.googleusercontent.com",
 "expires_in": 3185,
 "access_type": "offline"
}

Please give these options a try and let me know if you have additional questions.

Thanks,
Josh, AdWords API Team
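
The check described in the reply above, as an added example that is not part of the original thread or of any Google client library. It assumes you have already parsed the outcome of a CustomerService.get call made without clientCustomerId and, optionally, the token-inspection JSON; the function names, the dict shapes, the verdict strings and the sample values are constructed for illustration.

```python
import re

# OAuth scope used by the AdWords API; the page's sample output omits "scope".
ADWORDS_SCOPE = "https://www.googleapis.com/auth/adwords"

def normalize_cid(cid):
    """Customer IDs show as 123-456-7890 in the UI but as integers in the API."""
    digits = re.sub(r"\D", "", str(cid))
    if len(digits) != 10:
        raise ValueError("customer ID must have 10 digits: %r" % (cid,))
    return digits

def diagnose(configured_cid, get_result, tokeninfo=None):
    """Return (verdict, detail) explaining a USER_PERMISSION_DENIED error.

    get_result: {"customerId": ...} on success, or {"fault": "<reason>"}.
    tokeninfo:  optional parsed token-inspection JSON for the access token.
    """
    if tokeninfo is not None:
        if tokeninfo.get("expires_in", 0) <= 0:
            return ("TOKEN_EXPIRED", "generate a fresh access token and retry")
        scopes = tokeninfo.get("scope", "").split()
        if scopes and ADWORDS_SCOPE not in scopes:
            return ("WRONG_SCOPE", "token was not granted " + ADWORDS_SCOPE)
    fault = get_result.get("fault")
    if fault:
        if fault.endswith("NO_ADWORDS_ACCOUNT_FOR_CUSTOMER"):
            return ("NO_ADWORDS_ACCOUNT", "authorizing user has no AdWords account")
        return ("OTHER_FAULT", fault)
    actual = normalize_cid(get_result["customerId"])
    wanted = normalize_cid(configured_cid)
    if actual != wanted:
        return ("ACCOUNT_MISMATCH",
                "token belongs to %s, requests target %s" % (actual, wanted))
    return ("MATCH", "token's account equals the configured clientCustomerId")

if __name__ == "__main__":
    # Constructed sample inputs: configured ID, API outcome, token-inspection JSON.
    info = {"expires_in": 3185, "access_type": "offline"}
    print(diagnose("123-456-7890", {"customerId": 9876543210}, info))
    print(diagnose("123-456-7890",
                   {"fault": "AuthorizationError.NO_ADWORDS_ACCOUNT_FOR_CUSTOMER"}))
```

Log only the verdict and the customer IDs from this check; the refresh and access tokens themselves should stay out of logs and support tickets.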