API access on behalf of your clients (web flow)
This guide will walk you through how to setup OAuth2 for API access on behalf of your clients using web flow.
Follow the steps for the product you're using to generate a client ID and secret, then come back to this page.
The following is an example of web application code using a single PHP file that shows how to ask a user for their permission for your application to access their Google Ads or Ad Manager account on their behalf. This client library uses the Google Auth library to handle OAuth2.
-
First, create an
OAuth2instance. You will need to fill in the redirectUri, clientId, and clientSecret you created in Step 1 above, as well as the OAuth2 scope of the ads API you're using.use Google\Auth\OAuth2; session_start(); $oauth2 = new OAuth2([ 'authorizationUri' => 'https://accounts.google.com/o/oauth2/v2/auth', 'tokenCredentialUri' => 'https://www.googleapis.com/oauth2/v4/token', 'redirectUri' => '****', 'clientId' => '****', 'clientSecret' => '****', 'scope' => '****' ]);
-
Direct the user to a consent screen where they can authorize your app.
if (!isset($_GET['code'])) { // Create a 'state' token to prevent request forgery. // Store it in the session for later validation. $oauth2->setState(sha1(openssl_random_pseudo_bytes(1024))); $_SESSION['oauth2state'] = $oauth2->getState(); // Redirect the user to the authorization URL. $config = [ // Set to 'offline' if you require offline access. 'access_type' => 'online' ]; header('Location: ' . $oauth2->buildFullAuthorizationUri($config)); exit; }
-
Assuming you've set the redirectUri to come back to this same page, first validate the state, and then use the authorization code to get an access token (and a refresh token if you requested offline access).
// Check given state against previously stored one to mitigate CSRF attack. } elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) { unset($_SESSION['oauth2state']); exit('Invalid state.'); } else { $oauth2->setCode($_GET['code']); $authToken = $oauth2->fetchAuthToken(); // Store the refresh token for your user in your local storage if you // requested offline access. $refreshToken = $authToken['refresh_token']; ... }
-
You can now use the
OAuth2object to make calls using the client library.use Google\AdsApi\AdWords\AdWordsServices; use Google\AdsApi\AdWords\AdWordsSessionBuilder; use Google\AdsApi\AdWords\v201809\cm\CampaignService; use Google\AdsApi\Common\OAuth2TokenBuilder; $session = (new AdWordsSessionBuilder()) ->fromFile() ->withOAuth2Credential($oauth2) ->build(); $adWordsServices = new AdWordsServices(); $campaignService = $adWordsServices->get($session, CampaignService::class); // Make calls using $campaignService.
