Google Ads API accounts missing - ruby

I'm developing integration with Google Ads API using their Ruby gem library.
I have an approved oAuth2 account for the Ads scope with an approved developer token that allows any external user to connect with our API.
I have a Google Ads account that manages our own Ads account and two other accounts.
When I authenticate with the API and approve it, I then grab the account with
graph = get_accounts_graph()
Apps::GoogleAds::Account.get_accounts_map(graph)
This surprisingly returns just ONE Ads account, and one that belongs to a client that we manage. Our own two Ads accounts are missing.
So I tried to compare between our client's account and our own.
Under https://ads.google.com/aw/accountaccess I can clearly see we have admin rights to our two ad accounts, just like we do to the client account.
Am I missing some setting somewhere? Has anyone experienced this before?

I ran into this issue at the beginning. The sample in the API client libraries (which I'm going to assume you are using here), calls the customer service
customer_service.list_accessible_customers()
There's actually two different services for retrieving customer account IDs. The customer service only allows access to accounts that are added as direct admins on each account. This is an important distinction as manager accounts don't fall into this category.
What you need to call is the regular GoogleAdsService (not the customer service!) and put your request in the query itself..
query = "SELECT customer_client_link.client_customer FROM customer_client_link"
This will give you a list of account IDs as resource names, not accessible accounts. And you can iterate over them as usual.
Hope that helps.

Related

Google API Authentication for App That Only Accesses One Account

Should I use a Service Account or an OAuth 2.0 Client ID?
I'm struggling to understand Google's documentation on authenticating for their APIs. I'm creating a basic application that will help users add and modify Google Calendar events for a single Google account (the account is shared between all users). I only need the application to access that one account, it'll never need to access any others.
It seems to me that Service Account would be best for this, but Google's documentation suggests Service Accounts should only be used for automated processes (unless I'm misunderstanding). For instance this page contains the following, describing when to use Service Accounts.
Would my application qualify as acting on the users behalf?
If so, I would want to use OAuth Client ID credentials, which will ask the user to sign in to a google account. In this case, is there a way I can guarantee they only sign in to the one account I want modified?
I can't find any decent documentation on the OAuth authentication requests to figure this out myself. If there is any could you point me there?
I'm sure I'm misunderstanding something basic here, but thank you for any help!
First off you should know that you can only use service accounts with Google aclendar api if you have a google workspace domain account.
You can then set up a calendar and a domain user that the service account can act on behalf of to control the access of that calendar.
Assuming that your application is going to preform all actions on this calendar then yes i would say that you could use a service account for this. If your app bacly has a ui with a calendar on it your just using google calendar to store the data.
However if you intend to share this calendar with the users themselves, this way they could see it within their own google Calendar account. Im not sure a service account would be the way to go.
If you want the users to be able to see it and make changes then you may want to just use Oauth2. Grant them access to the calendar and then request access to their calendar account.
Drawback to that option is going to be the verification process. You will get access to all the users calendars and your going to need write access.
If you can go with a service account you really should consider it it will save you a lot of hassle with verification.

can a single OAuth 2.0 Client IDs Credential work for different Domeins in other gsuite accounts?

We have Gsuite account where we created a OAuth 2.0 Client IDs (picture below) in order to implement our client application to users for Single sing on using (Using OAuth 2.0 for Web Server Applications: https://developers.google.com/identity/protocols/oauth2/web-server). Is this ClienId sufficient to have in order for any private gmail domein to have access to our app thru sso? Is there a limitations of domains our app might have linked to this clientID? many of our clients have their own Gsuite account, but since we host the application, I imagine they don't have to create a clientID for every single gsuite account right? I tested and with different domain outside of our gsuite account and it works. I was just wondering what could go wrong in terms of limitations of domains or users?
Thanks guys appreciated.

Using a Google Brand Account with internal OAuth API Project

I am currently creating an application for personal/internal use only that will help me upload and manage youtube videos on a number of brand accounts I have. Due to the internal nature of the application, I have listed the User Type on my OAuth consent screen is "Internal". I have set authentication up using OAuth Client ID and this works as expected for my main account.
However, when I attempt to use the same application for a brand account associated with that main account the authentication failed with the error "Error 403: org_internal" stating "This client is restricted to users within its organization.". The brand account I am trying to use is owned by the main account for which the authentication works and so I would expect this brand account to also belong to my organisation and therefore be able to use the application however this doesn't seem to be the case.
Is there something I can do to make my application work with this brand account, or some way I can associate my brand account with my organisation so that this works. I really don't want to have to go through verification for an external user type as this requires websites, privacy policies, terms and conditions and even a video detailing how the data will be used, which is massively overkill for an application I just want to use on my own personal account.
Thanks.

Google service account email does not show up when trying to share a google calendar

I'm trying to set up a google service account for Google Calendar API to create and update events for my specific calendar.
I've set up my service account, got the credential keys and also enabled the domain wide delegation. For most of the part it does work, however I can not access my specific calendar (not able to share it with my service account).
When I paste the service account email to the share textbox in google calendar settings it does not show anything to add.
This is a really frustrating blocker, so if anyone has encountered this or has any insights it would be greatly appreciated :)
You do not need to explicitly share your calendar with the service account.
If you want to create an event with your service account for your calendar, you need to set up your service account in such a way that it impersonates you.
The official Google documentation gives examples of how to perform Perform G Suite Domain-Wide Delegation in different languages. It is also important to do so in Apps Script.
Important: In your Admin console you need to Manage API client access and give the service account the necessary scope
(https://www.googleapis.com/auth/calendar.events) to create events on
your behalf.

Google Sign-in identify account tied to a school

I'm using Google Sign-in to register and login users to my web app.
We are an edtech product, so I would like to make sure users are registering with a google account that is tied to a school and not using their personal google accounts.
Is this possible?
I don't see a field in user that would indicate this. I also can't find confirmation as to whether or not school google accounts can have an #gmail.com email or if they must use a custom domain.
Note that these account may or may not be using Google Classroom, so I can't rely on that.
Unless you have a List of the "school" accounts and can test against that there is no way for you to know.
Google is not going to tell you if its a school google account. They may know if its a google classroom account but that kind of information is not shared at login time. Probably due to user privacy.

Resources