Hi,

We have used the API *internally* for a while and follow the OAuth Application flow to do so. We have authorised our own MCC and securely store the refresh token which we pass to the API with our developer token with each request. This process is nice and easy because, right now, all the accounts we access are inside our MCC so we can just keep all the credentials locally.
My question relates to how we could release an application *externally* for others to use and which credentials would need to be distributed with the application. As I understand it there are 2 parts to the OAuth2 application flow:

1. Having the user authorise our application
2. Using credentials obtained from (1) in order to obtain data from the API for the user's AdWords account.

For part 1 I understand that I need to direct the user to the https://accounts.google.com/o/oauth2/auth URL with a query parameter providing our application's *client-id*, yes? Assuming the user gives consent, the application would then capture the authorization code from the redirected page and make a new request to https://accounts.google.com/o/oauth2/token passing along the authorisation code along with our *client-secret* in order to obtain a refresh token, yes? The result of part 1 is a refresh token which could then be stored on the user's machine ready for use in part 2.

For part 2 I need to pass that locally stored refresh token and our *developer-token* along in order to authenticate the request (which would be handled inside a client library to ease the exchange of refresh token for authorisation token).

*Surely this means that our client-id, client-secret and developer token must all be distributed with the published application? Should they therefore be encrypted in some way or is it safe to store them 'in the clear' and/or just hard-code them? If encryption is required is there client library support for this part? (specifically the .NET client library?)*

Many Thanks

You received this message because you are subscribed to the Google Groups "AdWords API Forum" group.
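The two-part flow described in the post above, as an added example that is not part of the original post and not code from Google's client libraries: it builds the consent URL, validates the captured redirect, and constructs the two token-endpoint request bodies, so it is visible which step carries which credential. The scope value, the loopback redirect URI, the use of a `state` parameter and all function names are assumptions made for illustration; no network request is sent.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_URL = "https://accounts.google.com/o/oauth2/auth"    # from the post
TOKEN_URL = "https://accounts.google.com/o/oauth2/token"  # from the post
SCOPE = "https://www.googleapis.com/auth/adwords"         # assumed scope
REDIRECT_URI = "http://localhost:8080/"                   # assumed loopback redirect

def build_auth_url(client_id, state):
    """Part 1: consent URL. Only the client-id is sent; no secret is needed."""
    return AUTH_URL + "?" + urlencode({
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPE,
        "access_type": "offline",  # request a refresh token
        "state": state,            # echoed back on the redirect
    })

def extract_code(redirect_url, expected_state):
    """Part 1: pull the authorization code out of the captured redirect."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Reject redirects this run did not start (constant-time comparison).
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("no authorization code in redirect")
    return query["code"][0]

def token_request_body(client_id, client_secret, *, code=None, refresh_token=None):
    """Form body POSTed to TOKEN_URL; both uses carry the client-secret."""
    body = {"client_id": client_id, "client_secret": client_secret}
    if code is not None:             # Part 1: code -> refresh token
        body.update(grant_type="authorization_code", code=code,
                    redirect_uri=REDIRECT_URI)
    elif refresh_token is not None:  # Part 2: refresh token -> access token
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        raise ValueError("need code or refresh_token")
    return urlencode(body)

def new_state():
    """Fresh unguessable value tying a redirect to the run that started it."""
    return secrets.token_urlsafe(16)
```
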