Skip to content

API access on behalf of your clients (web flow)

msaniscalchi edited this page Dec 9, 2022 · 10 revisions

API access on behalf of your clients (web flow)

This guide will walk you through how to setup OAuth2 for API access on behalf of your clients using web flow.

Step 1 - Creating OAuth2 credentials

Follow the steps for the product you're using to generate a client ID and secret, download the JSON client secrets file, and then come back to this page.

Step 2 - Setting up the client library

  1. Setup the OAuth 2.0 web flow.

    Using the client ID and secret you generated earlier, you can now initialize the Flow instance that you can use to step through the web flow. If you were setting this up for use with AdWords, it would look like the following:

    import google.oauth2.credentials
    import google_auth_oauthlib.flow
    
    
    # Initialize the flow using the client ID and secret downloaded earlier.
    # Note: You can use the GetAPIScope helper function to retrieve the
    # appropriate scope for AdWords or Ad Manager.
    flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
        'client_secret.json',
        scope=[oauth2.GetAPIScope('adwords')])
    # Indicate where the API server will redirect the user after the user completes
    # the authorization flow. The redirect URI is required.
    flow.redirect_uri = 'https://www.example.com/oauth2callback'
    
  2. Retrieve the url for Google's OAuth2 server and redirect the user there.

    You can retrieve the url with the following line of code:

    # Generate URL for request to Google's OAuth 2.0 server.
    # Use kwargs to set optional request parameters.
    authorization_url, state = flow.authorization_url(
    # Enable offline access so that you can refresh an access token without
    # re-prompting the user for permission. Recommended for web server apps.
    access_type='offline',
    # Enable incremental authorization. Recommended as a best practice.
    include_granted_scopes='true')
    

    On redirecting the client there, it will display a prompt requesting that they allow you to access their Google Ads or Ad Manager account on their behalf.

    Consent screen allow

    Either selection will redirect them back to the redirect_uri specified earlier.

  3. Handle the OAuth2 server response.

    If the client opted to allow you to access their account, you will receive an authorization code in the response as a query string. This can be used to retrieve an access and refresh token with the following lines of code:

    flow.fetch_token(code=auth_code)
    credentials = flow.credentials
    
  4. Store the user's credentials in your database so you can retrieve it the next time they login to your system.

  5. You can now initialize an AdManagerClient using the client's stored credentials. To do so, you should provide an initialized GoogleRefreshTokenClient to the Ad Manager client via the oauth2_client argument during initialization.

    For example, if you need to set up an AdWordsClient, it may look something like the following:

    from googleads import ad_manager
    from googleads import oauth2
    
    
    # Initialize the GoogleRefreshTokenClient using the credentials you received
    # in the earlier steps.
    oauth2_client = oauth2.GoogleRefreshTokenClient(
        client_id, client_secret, refresh_token)
    
    # Initialize the Ad Manager client.
    ad_manager_client = ad_manager.AdManagerClient(
        oauth2_client, application_name)