How To Automate Refresh Tokens using REST API
4,185 views
Skip to first unread message
Mike M
Jul 26, 2022, 5:29:11 PM7/26/22
to Google Ads API and AdWords API Forum
I've been using 2 API calls to batch upload google offline click conversions. One generates the Access Token. The other is the API call to upload the offline click conversions.
All was well for a few weeks until suddenly we started getting invalid_grant messages when trying to generate the Access Token. No clue why -- and we received no email or anything from Google on this. It just stopped working and the invalid_grant error was cryptic and the online help didn't explain much.
I resolved this issue by following this video to generate a new Refresh Token in the Google oAuth Playground:
So, my question for the Google Adwords API team is -- can we automate this somehow? I can trap the invalid_grant JSON response and then would like to do some series of REST API calls to generate a new Refresh Token.
Mike M
Jul 26, 2022, 5:42:18 PM7/26/22
to Google Ads API and AdWords API Forum
On the tail end of this request, to fully automate this Refresh Token renewal, do you think that I may need to generate a Service Account instead of doing it the Web Application oAuth Client technique?
We have purchased a separate domain and put it into Google WorkSpace for where we manage our Google Ads API credentials, but the domain where we may the API call is separate from this domain. So, I don't know if that will work. Honestly, I don't know why the Refresh Token suddenly stopped working using the Desktop oAuth Client ID (which I have since switched to the Web Application oAuth Client ID).
Mike M
Jul 26, 2022, 6:16:09 PM7/26/22
to Google Ads API and AdWords API Forum
I also tried to research why my Refresh Token expired. I mean, the whole point of a Refresh Token is so that you generate Access Tokens and they are the ones to expire, not your Refresh Token. I looked at the bullet items from this page from Google's docs and none of those bullet items applied to us:
Google Ads API Forum Advisor
Jul 27, 2022, 3:02:11 AM7/27/22
to volo...@gmail.com, adwor...@googlegroups.com
Hi Mike,
Thanks for reaching out to the Google Ads API team. I hope you are doing well today.
Please see my response to your question below.
1.) can we automate this somehow? I can trap the invalid_grant JSON response and then would like to do some series of REST API calls to generate a new Refresh Token.
- The refresh token generated in the Google Oauth Playground lasts only for 1 hour then it expires. Also, since you mentioned that you’re getting error with access tokens and refresh tokens after few API calls, you may refer to this document to read more information about refresh token expiration. Also, if you set the publishing status to "Testing" so the refresh token expires every 7 days and receives an “invalid_grant” error. That being said, please go to the Google API Console and navigate to the OAuth consent screen and then change the publishing status to “In production” to avoid the refresh token expiring in 7 days. You may regenerate refresh tokens by referring to this guide for the steps on how you can regenerate credentials and refresh tokens.
2.) On the tail end of this request, to fully automate this Refresh Token renewal, do you think that I may need to generate a Service Account instead of doing it the Web Application oAuth Client technique?
- For this question, we strongly recommend using OAuth2 desktop app or web app flow instead of service accounts unless you need a domain-specific feature (for example, impersonation). OAuth2 desktop app and web app flows do require an initial user interaction for granting access to the account, but are much simpler to set up.
- For the OAuth2 desktop app flow, you can persist a refresh token (which never expires) to obtain a new access token whenever necessary. When using one of our client libraries, you can authorize your app by filling out a configuration file.
Let us know if you have further questions.
Regards,
|
||||||
ref:_00D1U1174p._5004Q2d1nfG:ref
Mike M
Jul 27, 2022, 3:20:02 AM7/27/22
to Google Ads API and AdWords API Forum
You had stated: "The refresh token generated in the Google Oauth Playground lasts only for 1 hour then it expires." This appears incorrect. We generated one with our Client ID and Client Secret and it has lasted for several hours now.
We also read your doc...
...about Refresh Token Expiration and none of those bullet items applied to our situation. It just expired on its own suddenly for no reason, no email to us, no alert in Google Adwords management dashboard.
We also looked at the oAuth Consent Screen. We see nothing about "publishing status". Screenshot: https://www.screencast.com/t/6YNeTt1U . Also, when we click Edit App, we also don't see anything about a publishing status either.
Google Ads API Forum Advisor
Jul 27, 2022, 8:16:15 AM7/27/22
to volo...@gmail.com, adwor...@googlegroups.com
Hi Mike,
Thank you for the reply. I work with Darwin and allow me to assist you here.
With regard to your concern regarding the "publishing status", you will need to completely verify your app by following this guide in order for you to change the "publishing status".
For the expiration of your refresh token this indeed because your "publishing status" is currently in progress so you will need to follow the provided document above to help you address this matter.
Best regards,
ref:_00D1U1174p._5004Q2d1nfG:ref
Thank you for the reply. I work with Darwin and allow me to assist you here.
With regard to your concern regarding the "publishing status", you will need to completely verify your app by following this guide in order for you to change the "publishing status".
For the expiration of your refresh token this indeed because your "publishing status" is currently in progress so you will need to follow the provided document above to help you address this matter.
Best regards,
|
||||||
ref:_00D1U1174p._5004Q2d1nfG:ref
Mike M
Jul 27, 2022, 12:57:17 PM7/27/22
to Google Ads API and AdWords API Forum
Jinky, you may want to update the online docs to indicate a few things. First, I don't see Publishing Status anywhere -- not on editing the oAuth Client (Web Application), or on the oAuth Consent Screen (view mode or when I click Edit). Second, on the page that the docs have about Refresh Token expirations, it needs to indicate that if one has not verified their oAuth Client, then the Refresh Token will expire after a few months and you'll get the invalid_grant error, because I believe what this Google Groups thread is indicating.
I'm also wondering why go through the Verified step? I mean, with all due respect to Google, what am I verifying? We're setting up a Refresh Token for not users, but a piece of code on a cron job that will upload offline Adwords click conversions to Google. I mean, this isn't like me building some kind of link between Google Docs spreadsheets or something that might need a user oAuth. This is an automated cron job.
Google Ads API Forum Advisor
Jul 27, 2022, 4:00:21 PM7/27/22
to volo...@gmail.com, adwor...@googlegroups.com
Hi Mike,
I work with Jinky. This support channel can only point you to documentation on GCP's website and attempt to assist you. With that being said, since only one user will use your GCP project you can publish it without going through verification, and my team researched this. Moreover, the screenshot you gave us shows an app marked Internal, so it appears that you don't have to go through verification and here ius the following from GCP support:
If you are willing to go through all the steps necessary to create a service account then you won't need a refresh token to impersonate users in your Workspace domain that are also ads users. This route isn't a recommended route because of difficulty of setup and security risks.
Unfortunately, a refresh token could expire for many reasons and we cannot cover all scenarios. Since refresh token expiration is a GCP issue I suggest you reach out to GCP support for further assistance in refresh token expiration issues.
Regards,
ref:_00D1U1174p._5004Q2d1nfG:ref
I work with Jinky. This support channel can only point you to documentation on GCP's website and attempt to assist you. With that being said, since only one user will use your GCP project you can publish it without going through verification, and my team researched this. Moreover, the screenshot you gave us shows an app marked Internal, so it appears that you don't have to go through verification and here ius the following from GCP support:
You do not need to submit your app for review if it's going to be used in any of the following scenarios:
- Personal Use: The app is not shared with anyone else or will be used by fewer than 100 users. Hence, you can continue using the app by bypassing the unverified app warning during sign-in.
- SMTP/IMAP/WP: The app is used to send emails through WordPress, or similar single account SMTP plug-ins.
- Internal Use: An app is internal when the people in your domains only use it internally. Learn more about public and internal applications. Learn how to mark your app as internal in the FAQ How can I mark my app as internal-only?
If you are willing to go through all the steps necessary to create a service account then you won't need a refresh token to impersonate users in your Workspace domain that are also ads users. This route isn't a recommended route because of difficulty of setup and security risks.
Unfortunately, a refresh token could expire for many reasons and we cannot cover all scenarios. Since refresh token expiration is a GCP issue I suggest you reach out to GCP support for further assistance in refresh token expiration issues.
Regards,
|
||||||
ref:_00D1U1174p._5004Q2d1nfG:ref
Mike M
Jul 27, 2022, 4:05:22 PM7/27/22
to Google Ads API and AdWords API Forum
Thank you so much, guys, on the assistance here. This explains a lot. I'll work with the GCP Support process more out of curiosity than anything else. I mean, my code is now revised so that when I get an invalid_grant message in the JSON during the Access Token generation, I'll get an email alert and then know to go through the steps to create a new Refresh Token using the oAuth Playground, and I learned that this cannot be automated.
Google Ads API Forum Advisor
Jul 27, 2022, 10:42:47 PM7/27/22
to volo...@gmail.com, adwor...@googlegroups.com
Hi Mike,
I am happy to know that my colleagues have helped you with your concern. Feel free to reach out to our team again if you have further concerns and our team will be happy to provide further support.
Regards,
ref:_00D1U1174p._5004Q2d1nfG:ref
I am happy to know that my colleagues have helped you with your concern. Feel free to reach out to our team again if you have further concerns and our team will be happy to provide further support.
Regards,
|
||||||
ref:_00D1U1174p._5004Q2d1nfG:ref
Reply all
Reply to author
Forward
0 new messages