Re: user type external vs internal and publishing status

2023-05-04 Thread Kirankumar Yenugutala
Hi team,

Thank you so much for responding on this.

Could you please provide additional information about the behaviours, such 
as how people can access the *APP* depending on whether we choose an 
*internal* or *external* *user type*. For instance, if we choose *internal*, 
all *users with access to the Google Cloud project* would be able to 
utilise the app *with / without authorization*. Similar to that, if we 
choose external as the user type, anyone with a *Gmail account* can access 
the app without authorization.

Kindly provide me an explanation from the standpoint of APP security.

On Thursday, May 4, 2023 at 12:31:12 PM UTC+5:30 Google Ads API Forum 
Advisor wrote:

> Hi Kirankumar,
>
> Thank you for reaching out to us.
>
> You may see my responses below for each question:
>
> 1) Should we create a *Project in Google Console platform* to fetch data 
> from the Google Ads API? If no, what other steps must be taken?
>
> - Yes, you need to configure a Google API Console Project for the 
>   Google Ads API, as credentials for accessing Google's OAuth2 servers are 
>   required in order to authenticate and authorize Google Ads users. You may 
>   check this documentation for more information: 
>   *https://developers.google.com/google-ads/api/docs/first-call/oauth-cloud-project*
>
> 2) Most internet sources instruct us that after obtaining the Developer 
> token, we must create a client app in GCP console and collect client ID, 
> client secret, and refresh token. In addition, we must specify the 
> *userType* to external or internal.
>
> What if we set the user type to Internal, which means that only those 
> with access to *Google Cloud Platform can view the app*? Can they access 
> the app without *authorization*?
>
> Similarly, if it is an *external* user type, can anyone with a *Gmail 
> account* access the data *without authorization*? Or, once we approve the 
> authorization, only they will be able to access the data?
>
> - To answer you in general, could you confirm if the one you are 
>   looking for is for the users to not be directly involved? If yes, then you 
>   may check this *documentation* 
>   (*https://developers.google.com/google-ads/api/docs/oauth/service-accounts*) 
>   for more information on how to access the Google Ads API with service 
>   accounts.
> - Kindly note that a *service account* is an account that belongs to 
>   your app instead of to an individual end user. Service accounts enable 
>   server-to-server interactions between a web app and a Google service. 
>   Your app calls Google APIs on behalf of the service account, so users 
>   aren't directly involved.
> - However, a service account can *only* impersonate users (email 
>   addresses) in the same *Google Workspace*.
> - On the other hand, we strongly recommend using *OAuth2 desktop app 
>   or web app flow* instead of service accounts *unless you need a 
>   domain-specific feature* (for example, impersonation). OAuth2 desktop 
>   app and web app flows do require an initial user interaction for 
>   granting access to the account, but are much simpler to set up.
> - For the *OAuth2 desktop app flow*, you can persist a refresh token 
>   (which never expires) to obtain a new access token whenever necessary. 
>   When using one of our *client libraries*, you can authorize your app by 
>   filling out a configuration file.
>
> 3) I see that we may also set the Publishing status to *Testing*. So 
> testing means it will provide test data? And if we want to utilize it in 
> production, should we only use it *in production*?
>
> - Kindly note that publishing status to In production is 
>   for instructions to avoid the refresh token expiring in 7 days.
>
> Since these concerns are indeed also related to authorization and the API 
> console, I would also suggest you reach out to their team via the links 
> below, as they are also equipped to provide guidance on this matter.
>
> - *https://support.google.com/googleapi/answer/7014572?hl=en_topic=7014869*
> - *https://cloud.google.com/support-hub*
>
> Best regards,
> Google Ads API Team

User Type External VS Internal and Publishing status

2023-05-03 Thread Kirankumar Yenugutala
Hi All,

We will get data via the Google Ads API. I have the following questions. 
Could you please provide inline responses to the following questions? I 
have the impression that the web documentation is not very clear.

1) Should we create a *Project in Google Console platform* to fetch data 
from the Google Ads API? If no, what other steps must be taken?

2) Most internet sources instruct us that after obtaining the Developer 
token, we must create a client app in GCP console and collect client ID, 
client secret, and refresh token. In addition, we must specify the 
*userType* to external or internal.

What if we set the user type to Internal, which means that only those 
with access to *Google Cloud Platform can view the app*? Can they access 
the app without *authorization*?

Similarly, if it is an *external* user type, can anyone with a *Gmail 
account* access the data *without authorization*? Or, once we approve the 
authorization, only they will be able to access the data?

3) I see that we may also set the Publishing status to *Testing*. So 
testing means it will provide test data? And if we want to utilize it in 
production, should we only use it *in production*?


=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Also find us on our blog:
https://googleadsdeveloper.blogspot.com/
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~

You received this message because you are subscribed to the Google
Groups "AdWords API and Google Ads API Forum" group.
To post to this group, send email to adwords-api@googlegroups.com
To unsubscribe from this group, send email to
adwords-api+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/adwords-api?hl=en
To view this discussion on the web visit 
https://groups.google.com/d/msgid/adwords-api/34ae9395-616f-46a8-8ad8-e9570f7eb913n%40googlegroups.com.