Single User Authentication Workflow

Similar to the service account workflow, the single user authentication flow makes use of the authorization and user management features offered by the Google Ads UI to grant the app access to all the necessary accounts. This authentication workflow has two steps:

  • You grant a single user access to all the Google Ads accounts that should be managed by the app.
  • The user authorizes your app to manage their Google Ads accounts on their behalf, thus granting the app access to all the Google Ads accounts.

Since there is only one user involved, you can rely on tools such as gcloud CLI or the GenerateUserCredential code example instead of building your own OAuth 2.0 user authentication flow.

A related use case for this workflow is when your accounts can be accessed through a handful of user logins (e.g. 3-4 users), so the development effort to build a full-blown OAuth user authentication workflow isn't justified when compared to the effort for obtaining authorization for 3-4 users using a command line tool such as gcloud CLI.

Drawbacks

There are a few disadvantages to this flow when compared to the service account workflow:

  1. User authentication workflow requires you to create an OAuth 2.0 client ID and secret in the Google Cloud Console, which requires more configuration steps than creating a service account and key.
  2. Your app may have to go through an additional Google Cloud App verification process.
  3. If the authorized user leaves the team or company, then your app may stop working if you remove the user from your accounts or disable the user account. Service accounts are not tied to individual users, so this risk is avoided.
  4. The user authorizing the Google Ads account should take extra precautions such as enabling 2 factor authentication to defend against their Google Account getting compromised due to getting compromised due to poor security, malware, or phishing. Service accounts are less vulnerable to this issue since some of these modes of attack don't directly apply to them.

Generate credentials

  1. Follow the instructions to configure an OAuth consent screen for your application and add https://www.googleapis.com/auth/adwords as an OAuth 2.0 scope.

  2. Create a client ID and client secret by following the instructions. Once you create the OAuth 2.0 client, download the client's JSON file by first clicking its Download OAuth client icon and then the DOWNLOAD JSON button on the following screen. Save the file as credentials.json.

  3. Identify a user account that has access to all the Google Ads accounts you want to manage using your app. If there are accounts with missing access, then follow the instructions to grant the necessary access.

  4. Download and install gcloud CLI. Once installed, verify that the tool works correctly by running the gcloud version command from a command line prompt. The output may look as follows.

    :~$ gcloud version
Google Cloud SDK 492.0.0
alpha 2024.09.06
beta 2024.09.06
bq 2.1.8
bundled-python3-unix 3.11.9
core 2024.09.06
enterprise-certificate-proxy 0.3.2
gcloud-crc32c 1.0.0
gsutil 5.30

  5. Generate an OAuth 2.0 refresh token by running the gcloud CLI tool: 

    gcloud auth application-default 
    
  login --scopes=https://www.googleapis.com/auth/adwords,https://www.googleapis.com/auth/cloud-platform 
    
  --client-id-file=<path_to_credentials.json>

    The credentials.json file is from the previous step.

  6. The gcloud command opens a Google Account login window in a new browser window and takes you through the OAuth 2.0 authentication steps. Make sure you sign in as the user you selected from the previous steps. If your app is unverified, you might see a warning screen. In such cases, it's safe to click the Show Advanced link and click the Go to PROJECT_NAME (unverified) option.

  7. After you verify the scopes, click the Continue button to grant the permission. The browser navigates to https://cloud.google.com/sdk/auth_success, indicating that the authentication was successful. The page displays the following message:

    Authorization code granted. Close this tab.

    The gcloud command prints the following message:

    Credentials saved to file: [/****/.config/gcloud/application_default_credentials.json]

    Now open the application_default_credentials.json file. Its contents should be similar to follows:

    {
"account": "",
"client_id": "******.apps.googleusercontent.com",
"client_secret": "******",
"refresh_token": "******",
"type": "authorized_user",
"universe_domain": "googleapis.com"
}

Client library configuration

Select the tab corresponding to your programming language for instructions on how to configure your client library.

Java

Configure the following keys in your ads.properties file.

api.googleads.clientId=INSERT_CLIENT_ID_HERE
api.googleads.clientSecret=INSERT_CLIENT_SECRET_HERE
api.googleads.refreshToken=INSERT_REFRESH_TOKEN_HERE
api.googleads.loginCustomerId=INSERT_LOGIN_CUSTOMER_ID_HERE

See the configuration guide for additional options.

.NET

You can initialize your GoogleAdsClient instance at runtime, using the credentials you have obtained from the user whose accounts you are making API calls to.

GoogleAdsConfig config = new GoogleAdsConfig()
{
    OAuth2Mode = OAuth2Flow.APPLICATION,
    OAuth2ClientId = "INSERT_OAUTH2_CLIENT_ID",
    OAuth2ClientSecret = "INSERT_OAUTH2_CLIENT_SECRET",
    OAuth2RefreshToken = "INSERT_OAUTH2_REFRESH_TOKEN",
    ...
};
GoogleAdsClient client = new GoogleAdsClient(config);

See the configuration guide for additional options.

Python

Configure the following keys in your google-ads.yaml file.

client_id: INSERT_OAUTH2_CLIENT_ID_HERE
client_secret: INSERT_OAUTH2_CLIENT_SECRET_HERE
refresh_token: INSERT_REFRESH_TOKEN_HERE
login_customer_id: INSERT_LOGIN_CUSTOMER_ID_HERE

See the configuration guide for additional options.

PHP

Configure the following keys in your google_ads_php.ini.

[GOOGLE_ADS]
loginCustomerId = "INSERT_LOGIN_CUSTOMER_ID_HERE"

[OAUTH2]
clientId = "INSERT_OAUTH2_CLIENT_ID_HERE"
clientSecret = "INSERT_OAUTH2_CLIENT_SECRET_HERE"
refreshToken = "INSERT_OAUTH2_REFRESH_TOKEN_HERE"

See the configuration guide for additional options.

Ruby

Configure the following keys in your google_ads_config.rb file.

  Google::Ads::GoogleAds::Config.new do |c|
     c.client_id = 'INSERT_CLIENT_ID_HERE'
     c.client_secret = 'INSERT_CLIENT_SECRET_HERE'
     c.refresh_token = 'INSERT_REFRESH_TOKEN_HERE'
     c.developer_token = 'INSERT_DEVELOPER_TOKEN_HERE'
     c.login_customer_id = 'INSERT_LOGIN_CUSTOMER_ID_HERE'
  end

See the configuration guide for additional options.

Perl

Configure the following keys in your googleads.properties file.

 clientId=INSERT_OAUTH2_CLIENT_ID_HERE
 clientSecret=INSERT_OAUTH2_CLIENT_SECRET_HERE
 refreshToken=INSERT_OAUTH2_REFRESH_TOKEN_HERE
 loginCustomerId=INSERT_LOGIN_CUSTOMER_ID_HERE

See the configuration guide for additional options.

curl

Start by using an HTTP client to fetch an OAuth 2.0 access token. This guide uses the curl command.

curl \
  --data "grant_type=refresh_token" \
  --data "client_id=CLIENT_ID" \
  --data "client_secret=CLIENT_SECRET" \
  --data "refresh_token=REFRESH_TOKEN" \
  https://www.googleapis.com/oauth2/v3/token

You can now use the access token in your API calls. The following example shows how to run a campaign report using the GoogleAdsService.SearchStream method to retrieve the campaigns in your account. This guide doesn't cover the details of reporting.

curl -i -X POST https://googleads.googleapis.com/v21/customers/CUSTOMER_ID/googleAds:searchStream \
   -H "Content-Type: application/json" \
   -H "Authorization: Bearer ACCESS_TOKEN" \
   -H "developer-token: DEVELOPER_TOKEN" \
   -H "login-customer-id: LOGIN_CUSTOMER_ID" \
   --data-binary "@query.json"

The contents of query.json are as follows:

{
  "query": "SELECT campaign.id, campaign.name, campaign.network_settings.target_content_network FROM campaign ORDER BY campaign.id"
}
Previous
Overview
Next
Multi-user authentication workflow