Hello,
The error you are receiving is not an AdWords API error but OAuth2.0 error. First of all, you don't want to provide OAuth2ClientId and OAuth2ClientSecret for JWT auth, try removing it. If you still get the same error, send me a screenshot of the Console with this project / key over *email* (not to the group). -Danial, AdWords API Team. On Saturday, January 5, 2013 4:56:38 AM UTC+4, [email protected] wrote: > > I work for a company that uses Google AdWords, and we have a .NET > application (written in C#) that makes use of the Google AdWords API. We > are using the latest version (201209) of the Google API client assemblies > for .NET. The application currently uses the ClientLogin protocol for > authenticating, but we are trying to migrate to OAuth 2.0. > > I am fairly confident that I have gone through all of the required steps > to be able to successfully negotiate a request for an authentication token. > I am using the sample code solution that comes with the Google API client > assemblies in order to test this, using the “Service Account” workflow. So > far I have not succeeded. Within the code we call the > GenerateAccessTokenForServiceAccount() method of the OAuth2Provider object > that is the OAuthProvider property of an AdWordsUser object. The result is > that a Google.Api.Ads.Common.Lib.AdsOAuthException is thrown with the > message “Failed to get access to token for service account” that also > includes a JSON object with one key-value pair: > > “error” : “access_denied” > > When examining the traffic using Fiddler2, I see what looks like a > properly-formed request going out, according to the relevant documentation ( > *https://developers.google.com/accounts/docs/OAuth2ServiceAccount*<https://developers.google.com/accounts/docs/OAuth2ServiceAccount>) > > … > > POST https://accounts.google.com/o/oauth2/token HTTP/1.1 > > Content-Type: application/x-www-form-urlencoded > > Host: accounts.google.com > > Content-Length: 583 > > Expect: 100-continue > > Connection: Keep-Alive > > > > > grant_type=urn%3aietf%3aparams%3aoauth%3agrant-type%3ajwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIzNDgzMjEzMjIyNDlAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCAic2NvcGUiOiJodHRwczovL2Fkd29yZHMuZ29vZ2xlLmNvbS9hcGkvYWR3b3Jkcy8iLCAiYXVkIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tL28vb2F1dGgyL3Rva2VuIiwgImV4cCI6MTM1NzMzMTIxNSwgImlhdCI6MTM1NzMyNzYxNSwgInBybiI6IkluZm9zcGFjZUNvcnBAZ21haWwuY29tIn0.BnD3-oPozaUInI9LexIF_wqNnIOLeGLBfv1oJOjzpHjc9q5p_-Q7A7i_V3QkqCKgV2EmWT3wU8BNUKj7YrpKThWgzKNT661uA4HiF2ZPQNYduKxouJrB7OON9BXoWBdgkSjyWb5frEzTmzklM476SEQAJvWP2djxBSGaha3Qwww > > … and a HTTP 400 response coming back that contains no meaningful header > information, and the aforementioned JSON object in the body. > > HTTP/1.1 400 Bad Request > > Cache-Control: no-cache, no-store, max-age=0, must-revalidate > > Pragma: no-cache > > Expires: Fri, 01 Jan 1990 00:00:00 GMT > > Date: Fri, 04 Jan 2013 19:26:54 GMT > > Content-Type: application/json > > X-Content-Type-Options: nosniff > > X-Frame-Options: SAMEORIGIN > > X-XSS-Protection: 1; mode=block > > Server: GSE > > Content-Length: 31 > > > > { > > "error" : "access_denied" > > } > > I am not sure what that response means. From what I’ve seen of other > failed attempts described here and on other forums, I am assuming that the > request is correctly formed and would normally succeed, but there is > something in how the client access credentials are set up on the API > console that is wrong enough to prevent an authentication token from being > granted. > > What follows is a step-by-step description of every step taken, from > requesting the developer token to “access_denied”. It is my expectation > that others who have gone before and succeeded will be able to identify > whatever missteps I have made and offer sufficient information to get me > past “access_denied”. > > 1. Using a Google AdWords MCC account, requested a developer token > at the AdWords API Center. This request has been approved, and a developer > token supplied. > > 2. For the same MCC account, logged in to the Google API Console (* > https://code.google.com/apis/console*<https://code.google.com/apis/console>) > and created a project (“API Project”). We did not register for a Project ID. > > 3. On the Services tab, we did not set up or activate any services. > AdWords is not listed. According to the AdWords API documentation (* > https://developers.google.com/adwords/api/docs/authentication*<https://developers.google.com/adwords/api/docs/authentication>), > > this step can be skipped. > > 4. On the “API Access” tab of this project, we entered branding > information and set up a Client ID for a Service account. This generated a > “client ID” for a service account which had > > a. a Client ID (012345678901.apps.googleusercontent.com) > > b. an e-mail address > (*[email protected]*<javascript:> > ) > > c. a public key fingerprint (forty hexadecimal digits) > > d. a private/public key (.P12 file), which we downloaded > > 5. I unzipped the code samples from the Google API client archive > (awapi_dotnet_lib_15.2.0.zip) and opened the solution in Visual Studio > 2012. I set the ConsoleTest project as the start project. > > 6. I uncommented and edited the relevant key-value pairs in the > configuration file to set up the sample application to use the access > credentials we had generated earlier. > > <AdWordsApi> > > <!-- Fill the header values. --> > > <add key="UserAgent" value="Our_Application_Name"/> > > <add key="DeveloperToken" value="hyP0tH3t1c47D3v370p3Rt0k3N"/> > > <add key="ClientCustomerId" value="123-456-7890"/> > > <!-- To use OAuth2 as authentication mechanism, uncomment the > following section and comment the AuthToken and OAuth2 sections. --> > > <add key="AuthorizationMethod" value="OAuth2" /> > > <!-- Use the following keys if you want to use client id and client > secret.--> > > <add key="OAuth2ClientId" value=" > 012345678901.apps.googleusercontent.com" /> > > <add key="OAuth2ClientSecret" value=" > 0123456789abcdef0123456789abcdef01234567" /> > > <!-- Use the following keys if you want to use a service account. --> > > <add key="OAuth2ServiceAccountEmail" > > value="[email protected] <javascript:>" /> > > <add key="OAuth2PrnEmail" > value="[email protected]<javascript:> > " /> > > <add key="OAuth2JwtCertificatePath" > > value=" > C:\local_file_path\0123456789abcdef0123456789abcdef01234567-privatekey.p12 > " /> > > <add key="OAuth2JwtCertificatePassword" value="super_secret_password"/> > > </AdWordsApi> > > > > 7. In all cases, I’ve provided sample values rather than actual > values. The ClientCustomerId value is actually the Customer ID of our > Adwords MCC account. The OAuth2PrnEmail is the e-mail address of that > account. > > 8. Even if the scope key-value pair isn’t set in the configuration > file, the scope property in the AdWordsUser’s configuration does get set to > the correct value for AdWords read/write access ( > https://adwords.google.com/api/adwords/) before an authentication token > is requested. This is done by the call to AdWordsService.GetOAuthScope() in > the first line of the method below. > > 9. In the sample console application from Google, the exception is > thrown in the DoAuth2AuthorizationForServiceAccounts() method of the > Program class in the code file Program.cs . The highlighted line is where > the exception is thrown. > > <span style="background: white; co... > Show > original<https://groups.google.com/group/adwords-api/msg/da2a4cb3bc0136e3?dmode=source&output=gplain&noredirect> > -- -- =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ Also find us on our blog and discussion group: http://adwordsapi.blogspot.com http://groups.google.com/group/adwords-api =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ You received this message because you are subscribed to the Google Groups "AdWords API Forum" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/adwords-api?hl=en
