I'm having this same issue. I don't have the OAuth2ClientId and
OAuth2ClientSecret defined in the config and I get the following error over
and over until I stop the console app:
Failed to get access token for service account.
{
"error" : "access_denied"
}
I'm sure this is just me not configuring the service account correctly or
something, but I can't figure out what I might have done wrong. Any
suggestions?
On Thursday, January 10, 2013 4:15:15 AM UTC-5, Danial Klimkin wrote:
>
> Hello,
>
>
> The error you are receiving is not an AdWords API error but OAuth2.0 error.
>
> First of all, you don't want to provide OAuth2ClientId and
> OAuth2ClientSecret for JWT auth, try removing it. If you still get the same
> error, send me a screenshot of the Console with this project / key over
> *email* (not to the group).
>
>
> -Danial, AdWords API Team.
>
>
>
> On Saturday, January 5, 2013 4:56:38 AM UTC+4, [email protected] wrote:
>>
>> I work for a company that uses Google AdWords, and we have a .NET
>> application (written in C#) that makes use of the Google AdWords API. We
>> are using the latest version (201209) of the Google API client assemblies
>> for .NET. The application currently uses the ClientLogin protocol for
>> authenticating, but we are trying to migrate to OAuth 2.0.
>>
>> I am fairly confident that I have gone through all of the required steps
>> to be able to successfully negotiate a request for an authentication token.
>> I am using the sample code solution that comes with the Google API client
>> assemblies in order to test this, using the “Service Account” workflow. So
>> far I have not succeeded. Within the code we call the
>> GenerateAccessTokenForServiceAccount() method of the OAuth2Provider object
>> that is the OAuthProvider property of an AdWordsUser object. The result is
>> that a Google.Api.Ads.Common.Lib.AdsOAuthException is thrown with the
>> message “Failed to get access to token for service account” that also
>> includes a JSON object with one key-value pair:
>>
>> “error” : “access_denied”
>>
>> When examining the traffic using Fiddler2, I see what looks like a
>> properly-formed request going out, according to the relevant documentation (
>> *https://developers.google.com/accounts/docs/OAuth2ServiceAccount*<https://developers.google.com/accounts/docs/OAuth2ServiceAccount>)
>>
>> …
>>
>> POST https://accounts.google.com/o/oauth2/token HTTP/1.1
>>
>> Content-Type: application/x-www-form-urlencoded
>>
>> Host: accounts.google.com
>>
>> Content-Length: 583
>>
>> Expect: 100-continue
>>
>> Connection: Keep-Alive
>>
>>
>>
>>
>> grant_type=urn%3aietf%3aparams%3aoauth%3agrant-type%3ajwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIzNDgzMjEzMjIyNDlAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCAic2NvcGUiOiJodHRwczovL2Fkd29yZHMuZ29vZ2xlLmNvbS9hcGkvYWR3b3Jkcy8iLCAiYXVkIjoiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tL28vb2F1dGgyL3Rva2VuIiwgImV4cCI6MTM1NzMzMTIxNSwgImlhdCI6MTM1NzMyNzYxNSwgInBybiI6IkluZm9zcGFjZUNvcnBAZ21haWwuY29tIn0.BnD3-oPozaUInI9LexIF_wqNnIOLeGLBfv1oJOjzpHjc9q5p_-Q7A7i_V3QkqCKgV2EmWT3wU8BNUKj7YrpKThWgzKNT661uA4HiF2ZPQNYduKxouJrB7OON9BXoWBdgkSjyWb5frEzTmzklM476SEQAJvWP2djxBSGaha3Qwww
>>
>> … and a HTTP 400 response coming back that contains no meaningful header
>> information, and the aforementioned JSON object in the body.
>>
>> HTTP/1.1 400 Bad Request
>>
>> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
>>
>> Pragma: no-cache
>>
>> Expires: Fri, 01 Jan 1990 00:00:00 GMT
>>
>> Date: Fri, 04 Jan 2013 19:26:54 GMT
>>
>> Content-Type: application/json
>>
>> X-Content-Type-Options: nosniff
>>
>> X-Frame-Options: SAMEORIGIN
>>
>> X-XSS-Protection: 1; mode=block
>>
>> Server: GSE
>>
>> Content-Length: 31
>>
>>
>>
>> {
>>
>> "error" : "access_denied"
>>
>> }
>>
>> I am not sure what that response means. From what I’ve seen of other
>> failed attempts described here and on other forums, I am assuming that the
>> request is correctly formed and would normally succeed, but there is
>> something in how the client access credentials are set up on the API
>> console that is wrong enough to prevent an authentication token from being
>> granted.
>>
>> What follows is a step-by-step description of every step taken, from
>> requesting the developer token to “access_denied”. It is my expectation
>> that others who have gone before and succeeded will be able to identify
>> whatever missteps I have made and offer sufficient information to get me
>> past “access_denied”.
>>
>> 1. Using a Google AdWords MCC account, requested a developer token
>> at the AdWords API Center. This request has been approved, and a developer
>> token supplied.
>>
>> 2. For the same MCC account, logged in to the Google API Console (*
>> https://code.google.com/apis/console*<https://code.google.com/apis/console>)
>> and created a project (“API Project”). We did not register for a Project ID.
>>
>> 3. On the Services tab, we did not set up or activate any
>> services. AdWords is not listed. According to the AdWords API documentation
>> (*https://developers.google.com/adwords/api/docs/authentication*<https://developers.google.com/adwords/api/docs/authentication>),
>>
>> this step can be skipped.
>>
>> 4. On the “API Access” tab of this project, we entered branding
>> information and set up a Client ID for a Service account. This generated a
>> “client ID” for a service account which had
>>
>> a. a Client ID (012345678901.apps.googleusercontent.com)
>>
>> b. an e-mail address (*[email protected]*)
>>
>> c. a public key fingerprint (forty hexadecimal digits)
>>
>> d. a private/public key (.P12 file), which we downloaded
>>
>> 5. I unzipped the code samples from the Google API client archive
>> (awapi_dotnet_lib_15.2.0.zip) and opened the solution in Visual Studio
>> 2012. I set the ConsoleTest project as the start project.
>>
>> 6. I uncommented and edited the relevant key-value pairs in the
>> configuration file to set up the sample application to use the access
>> credentials we had generated earlier.
>>
>> <AdWordsApi>
>>
>> <!-- Fill the header values. -->
>>
>> <add key="UserAgent" value="Our_Application_Name"/>
>>
>> <add key="DeveloperToken" value="hyP0tH3t1c47D3v370p3Rt0k3N"/>
>>
>> <add key="ClientCustomerId" value="123-456-7890"/>
>>
>> <!-- To use OAuth2 as authentication mechanism, uncomment the
>> following section and comment the AuthToken and OAuth2 sections. -->
>>
>> <add key="AuthorizationMethod" value="OAuth2" />
>>
>> <!-- Use the following keys if you want to use client id and client
>> secret.-->
>>
>> <add key="OAuth2ClientId" value="
>> 012345678901.apps.googleusercontent.com" />
>>
>> <add key="OAuth2ClientSecret" value="
>> 0123456789abcdef0123456789abcdef01234567" />
>>
>> <!-- Use the following keys if you want to use a service account. -->
>>
>> <add key="OAuth2ServiceAccountEmail"
>>
>> value="[email protected]" />
>>
>> <add key="OAuth2PrnEmail" value="[email protected]"/>
>>
>> <add key="OAuth2JwtCertificatePath"
>>
>> value="
>> C:\local_file_path\0123456789abcdef0123456789abcdef01234567-privatekey.p12
>> " />
>>
>> <add key="OAuth2JwtCertificatePassword" value="super_secret_password"/>
>>
>> </AdWordsApi>
>>
>>
>>
>> 7. In all cases, I’ve provided sample values rather than actual
>> values. The ClientCustomerId value is actually the Customer ID of our
>> Adwords MCC account. The OAuth2PrnEmail is the e-mail address of that
>> account.
>>
>> 8. Even if the scope key-value pair isn’t set in the configuration
>> file, the scope property in the AdWordsUser’s configuration does get set to
>> the correct value for AdWords read/write access (
>> https://adwords.google.com/api/adwords/) before an authentication token
>> is requested. This is done by the call to AdWordsService.GetOAuthScope() in
>> the first line of the method below.
>>
>> 9. In the sample console application from Google, the exception is
>> thrown in the DoAuth2AuthorizationForServiceAccounts() method of the
>> Program class in the code file Program.cs . The highlighted line is where
>> the exception is thrown.
>>
>> <span style="background: white; co...
>> Show
>> original<https://groups.google.com/group/adwords-api/msg/da2a4cb3bc0136e3?dmode=source&output=gplain&noredirect>
>>
>
--
--
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Also find us on our blog and discussion group:
http://adwordsapi.blogspot.com
http://groups.google.com/group/adwords-api
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
You received this message because you are subscribed to the Google
Groups "AdWords API Forum" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/adwords-api?hl=en
