Acquiring rights to add user account to my managed accounts.

[Aidis Stukas]

I am new to oauth and google ads API. I am trying to figure this out for a couple of days now. Please put me on a right way.

I have a manager account.

I would like users to be able to ask to be managed by my account.

I tried using gapi.js to generate
 access_token and id_token.

```

gapi.signin2.render("my-signin2", {

scope: "https://www.googleapis.com/auth/adwords",

```
What can I do with them?

I am using https://github.com/googleads/google-ads-python library

Just to be clear I would like to provide example:

1. user at mail.com who manages google ads account 777-777-77777 goes into sampleapp.com
   
2. user is asked to grant access to adwords scope
3. user accepts
4. access_token is generated( is this the correct way) and sent to the backend
5. ...what happens here?
   
6. ...manager account 888-888-88888 is granted rights to add 777-777 account to managed accounts
   
7. manager account initiates linking (https://developers.google.com/google-ads/api/docs/account-management/linking-manager-accounts)
8. client account accepts linking (https://developers.google.com/google-ads/api/docs/account-management/linking-manager-accounts)

It looks like step 8 requires initiating client with configuration only for that particular user? Or is there a way doing that without acquiring clients client_id, client_secret, refresh_token and so on?

[Google Ads API Forum Advisor Prod]

Hi Aidis,

Thank you for reaching out. Once you have credentials generated for the user, they can be filled in as explained here to make calls for that user using the client library. So at first, you should use your credentials to send the link request then you can use the user's credentials to accept the request. In order to make calls for a user, you need all of their credentials if you are using the installed app flow. Depending on how your application is structured, you might want to look into using a service account flow which will allow you to impersonate users in your domain.

Regards,
Mitchell
Google Ads API Team

ref:_00D1U1174p._5004Q22YCDM:ref

[Aidis Stukas]

Hi Mitchell,

Thanks for confirming that its a two step process: I have to use my credentials to send link request and user credentials have to be used to accept the request.

Thanks for the links, I have visited them previously, but one part is still not clear to me.

As for user, I was only able to get access_token and id_token. Are these sufficient?

From the flow that you mentioned it sounds like that I should have users developer_token, client_id and client_secret. Just to clarify, its a user account that I do not control. I think that the user should not be sending these to me.

Some brainstorming thoughts:

• I stumbled upon some mentions settings Bearer Authentication header to access token value. Maybe this is something what I should look at. (There is no mention of it in google-ads-python library)
• Maybe I should to steps before linking account? For example, I should be able to somehow list customer id that can be managed by the user @ mail.com who authorized me to manage his Ads accounts.

Thanks again and

let me know if I can provide any info to make this easier.

[Aidis Stukas]

One more detail i found at https://developers.google.com/identity/protocols/oauth2/web-server

> After obtaining an access token, your application can use that token to authorize API requests on behalf of a given user account or service account.

Is that true for Google Ads Api too?

[Aidis Stukas]

I tried this sample

GET /v4/customers/CUSTOMER_ID HTTP/1.1
Host: googleads.googleapis.com
Authorization: Bearer ACCESS_TOKEN     <-- Here I use access token generated by gapi.js library sign in.
developer-token: DEVELOPER_TOKEN  

It seems to be working fine. Is this the right way?

I wonder how to do that in google.ads.googleads python library?

[Google Ads API Forum Advisor Prod]

Hi Aidis,

I'm glad you got it to work. That does look like the correct way to do it. In terms of using the Python client library, you can obtain the access token by following the instructions here. Then, make sure you save the user's access and refresh tokens as explained and follow the instructions here to make the API call.

You can follow the instructions here to make sure you have set the project up correctly. The only credentials you need from the user are their client customer ID and access token/refresh token.

[Aidis Stukas]

Hi Mitchell,

The solution I was looking for was this:

from google.ads.google_ads.client import GoogleAdsClient

from google.oauth2.credentials import Credentials

DEVELOPER_TOKEN = 'foobar'

access_token = 'foobar'

credentials = Credentials(access_token)

client = GoogleAdsClient(credentials, DEVELOPER_TOKEN)

I think I don't need refresh token as authorization is required only to link the accounts.

After adding users accounts to managed account I think I will not need their tokens to make changes.

Thanks!