Google Ads Developer Blog: Demystifying OAuth2 in DFP

Ads Developer Blog

The official blog for information about the AdWords, AdSense, DoubleClick and AdMob APIs and SDKs.

set upscope changeUnderstanding some of the finer details of DFP's OAuth2 flows can come in handy when the unexpected happens. Access tokensWeb ApplicationService accountAll DFP API requests are authenticated using access tokens. You can think of these as short-lived (about one hour) passwords. When making a request, you include the access token in the HTTP header:
Authorization: Bearer ACCESS_TOKEN
Every access token is tied to a specific user and one or more API scopes. The scopes control which Google APIs the access token is valid for. The scope for DFP is:
https://www.googleapis.com/auth/dfp
Access ControlWhen authenticating as a dedicated API user like a service account, make sure that user is configured with your desired teams and role in DFP. There's no requirement that API users have administrator access. TroubleshootingOAuth2 API explorer
POST https://www.googleapis.com/oauth2/v2/tokeninfo?access_token=MY_ACCESS_TOKEN
{
"issued_to": "1234567890-aabbccddgh123.apps.googleusercontent.com",
"audience": "1234567890-aabbccddgh123.apps.googleusercontent.com",
"scope": "https://www.googleapis.com/auth/dfp",
"expires_in": 3496,
"access_type": "offline"
}
Refresh Tokensinstalled applicationIf your refresh token stops working, there are a few possible causes:

The user you're authenticating as no longer has access to the DFP network.

Too many refresh tokens were generated for the OAuth2 client.

The user you're authenticating as has revoked access for your application.

The simplest solution to all of these is to create a new client and generate a new refresh token for a current DFP user. Remember that the refresh token is tied to the account that authorizes the application, and not the user who created the OAuth2 client. When accepting the OAuth2 authorization prompt, verify that the user in the top right corner that is logged in is correct: