Domain Wide-delegation Issue: Unauthorized Client
4,451 views
Skip to first unread message
Anthony Gomez Taboada
Feb 28, 2022, 2:41:14 PM2/28/22
to Google Ads API and AdWords API Forum
Hi,
I'm using the Google Ads API via Python Client Library. And I have followed the instructions to create a service account and perform domain-wide delegation in order to access the service.
But when I try to call the Google Ads API, I get the following error:
```
File "/app/src/main/security/credentials.py", line 52, in __get_account_client googleads_client = GoogleAdsClient.load_from_dict(account_credentials)
...
File
"/usr/local/lib/python3.9/site-packages/google/oauth2/_client.py",
line 60, in _handle_error_response raise exceptions.RefreshError(error_details,
response_data) google.auth.exceptions.RefreshError: ('unauthorized_client:
Client is unauthorized to retrieve access tokens using this method, or client
not authorized for any of the scopes requested.', {'error':
'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve
access tokens using this method, or client not authorized for any of the scopes
requested.'})
```
We have checked the Client ID used in the Admin site, to activate Google Ads API in GCP and the credentials in my Python project to authenticate, but still have this error.
Probably I've missed a step somewhere.
Hope you can help me.
Thanks in advance,
Anthony
Google Ads API Forum Advisor
Mar 1, 2022, 1:21:08 PM3/1/22
to ago...@inside.com.pe, adwor...@googlegroups.com
Hi Anthony,
Thanks for reaching out. Provided that you followed the instructions from this page, can you please privately send us the complete request and response logs so that we can investigate the issue?
Thanks,
Matt
Google Ads API Team
ref:_00D1U1174p._5004Q2Xk3z4:ref
Thanks for reaching out. Provided that you followed the instructions from this page, can you please privately send us the complete request and response logs so that we can investigate the issue?
Thanks,
Matt
Google Ads API Team
|
||||||
ref:_00D1U1174p._5004Q2Xk3z4:ref
Anthony Gomez Taboada
Mar 3, 2022, 9:32:46 AM3/3/22
to Google Ads API and AdWords API Forum
Hi,
- Anthony
just send you privately the required logs.
- Anthony
Google Ads API Forum Advisor
Mar 4, 2022, 5:28:05 AM3/4/22
to ago...@inside.com.pe, adwor...@googlegroups.com
Hi Anthony,
We recieved your private message, and I already requested you further details to investigate. Please send those details privately to us on the that thread.
Regards,
|
||||||
ref:_00D1U1174p._5004Q2Xk3z4:ref
Anthony Gomez Taboada
Mar 4, 2022, 9:02:56 AM3/4/22
to Google Ads API and AdWords API Forum
Hi,
Sorry for the misunderstanding, exactly what details I am missing in my previous private message and could you please be more specific about how to to get them?
Thanks in advance,
Anthony
Google Ads API Forum Advisor
Mar 7, 2022, 2:00:00 AM3/7/22
to ago...@inside.com.pe, adwor...@googlegroups.com
Hi Anthony,
Thank you for the reply. I am also a member of the Google Ads API team and let me provide support to your concern.
Upon checking the error message, I can see that the authentication flow that the API is validating is still OAuth2 desktop app or web app flow even though you are implementing a service account. With this, you may try following this guide as it discusses the steps on how to implement the service account for Python client library.
However, we strongly recommend using OAuth2 desktop app or web app flow instead of service accounts (for example, impersonation). OAuth2 desktop app and web app flows do require an initial user interaction for granting access to the account, but are much simpler to set up. For the OAuth2 desktop app flow, you can persist a refresh token (which never expires) to obtain a new access token whenever necessary. When using one of our client libraries, you can authorize your app by filling out a configuration file.
However, if you still prefer a service account and the issue persists after trying the provided suggestion, then please provide the complete request and response logs with request ID and request header generated on your end. You can check the provided links to have a clearer view on the information that I am asking. This information can be extracted when logging of the API transaction is enabled. If not enabled, then you can follow one of the guides below for the specific client library that you are us:
Java - https://developers.google.com/google-ads/api/docs/client-libs/java/logging
.Net - https://developers.google.com/google-ads/api/docs/client-libs/dotnet/logging
PHP - https://developers.google.com/google-ads/api/docs/client-libs/php/logging
Python - https://developers.google.com/google-ads/api/docs/client-libs/python/logging
Ruby - https://developers.google.com/google-ads/api/docs/client-libs/ruby/logging
Perl - https://developers.google.com/google-ads/api/docs/client-libs/perl/logging
Please provide it in the private email thread.
Regards,
ref:_00D1U1174p._5004Q2Xk3z4:ref
Thank you for the reply. I am also a member of the Google Ads API team and let me provide support to your concern.
Upon checking the error message, I can see that the authentication flow that the API is validating is still OAuth2 desktop app or web app flow even though you are implementing a service account. With this, you may try following this guide as it discusses the steps on how to implement the service account for Python client library.
However, we strongly recommend using OAuth2 desktop app or web app flow instead of service accounts (for example, impersonation). OAuth2 desktop app and web app flows do require an initial user interaction for granting access to the account, but are much simpler to set up. For the OAuth2 desktop app flow, you can persist a refresh token (which never expires) to obtain a new access token whenever necessary. When using one of our client libraries, you can authorize your app by filling out a configuration file.
However, if you still prefer a service account and the issue persists after trying the provided suggestion, then please provide the complete request and response logs with request ID and request header generated on your end. You can check the provided links to have a clearer view on the information that I am asking. This information can be extracted when logging of the API transaction is enabled. If not enabled, then you can follow one of the guides below for the specific client library that you are us:
Java - https://developers.google.com/google-ads/api/docs/client-libs/java/logging
.Net - https://developers.google.com/google-ads/api/docs/client-libs/dotnet/logging
PHP - https://developers.google.com/google-ads/api/docs/client-libs/php/logging
Python - https://developers.google.com/google-ads/api/docs/client-libs/python/logging
Ruby - https://developers.google.com/google-ads/api/docs/client-libs/ruby/logging
Perl - https://developers.google.com/google-ads/api/docs/client-libs/perl/logging
Please provide it in the private email thread.
Regards,
|
||||||
ref:_00D1U1174p._5004Q2Xk3z4:ref
Anthony Gomez Taboada
Mar 8, 2022, 11:54:59 AM3/8/22
to Google Ads API and AdWords API Forum
Hi,
I implemented the required logs in my application. However, the error raises when I try to generate the GoogleAdsClient and therefore no request is send and no logs are generated.
Here is the structure of the dict (JSON) I send to the "load_from_dict" function to generate the client
{
"developer_token": "<DEVELOPER_TOKEN>",
"use_proto_plus": "True",
"login_customer_id": "<LOGIN_CUSTOMER_ID>",
"json_key_file_path":"service_account_json_key.json",
"impersonated_email":"<IMPERSONATED_EMAIL>"
}
According to the documentation here (https://developers.google.com/google-ads/api/docs/client-libs/python/oauth-service), I don't use credentials like "client_id", "client_secret" or "refresh_token" to trigger the other flows.
I sent you privately the structure with the real values and the code I use to generate the client.
Hope you can help me to find if there is a field I'm missing or adding unintentionally in order to not trigger the Service Account Flow
Anthony
I implemented the required logs in my application. However, the error raises when I try to generate the GoogleAdsClient and therefore no request is send and no logs are generated.
Here is the structure of the dict (JSON) I send to the "load_from_dict" function to generate the client
{
"developer_token": "<DEVELOPER_TOKEN>",
"use_proto_plus": "True",
"login_customer_id": "<LOGIN_CUSTOMER_ID>",
"json_key_file_path":"service_account_json_key.json",
"impersonated_email":"<IMPERSONATED_EMAIL>"
}
According to the documentation here (https://developers.google.com/google-ads/api/docs/client-libs/python/oauth-service), I don't use credentials like "client_id", "client_secret" or "refresh_token" to trigger the other flows.
I sent you privately the structure with the real values and the code I use to generate the client.
Hope you can help me to find if there is a field I'm missing or adding unintentionally in order to not trigger the Service Account Flow
Anthony
Reply all
Reply to author
Forward
0 new messages