Hide
Doubleclick for Publishers

Using OAuth 2.0 service accounts with DFP

Service accounts are special Google accounts that can be used by applications to access Google APIs programmatically via OAuth 2.0. A service account uses an OAuth 2.0 flow that does not require human authorization. Instead, it uses a key file that only your application can access. This guide discusses how to access the DFP API with service accounts.

Contents

  1. Prerequisites
  2. Steps to using a service account to access the DFP API
  3. Frequently asked questions

Prerequisites

Steps to using a service account to access the DFP API

  1. Generate service-account credentials or access the public credentials you've already generated. You will need to create an OAuth 2.0 Client ID and obtain a *.p12 private key file:
    1. Go to the Google Developers Console.
    2. Select a project. If you do not have one yet, create one by clicking Create Project.
    3. In the sidebar on the left, select Credentials.
    4. To set up a service account, select Create New Client ID. Specify that your application type is service account, and then select Create Client ID. A dialog box appears; to proceed, select Okay, got it. (If you already have a service account, you can add a new key by selecting Generate new key beneath the existing service-account credentials. A dialog box appears; to proceed, select Okay, got it.)

  2. Important: Protect the *.p12 key file that allows a service account to access the Google services for which it has been authorized. It is good practice to allow service accounts to only access one Google API each (using the “scope” field shown in the next section). This is a preventative measure to mitigate the amount of data an attacker can access in the situation that the service account’s *.p12 key file is compromised.

  3. Add a service account as a user to your DFP network. If you are a third party developer, you will need to have your client do this step for you.
    1. Go to your DoubleClick for Publishers network.
    2. Click the Admin tab.
    3. Ensure that API access is enabled.
    4. Click the Add a service account user button. Add service account user button screenshot.
    5. Fill in the form with your Name, Email, Teams (if applicable), and Role. Add service account user page screenshot.
    6. Click on the Save button. A message should appear, confirming the addition of your service account. Add service account confirmation screenshot.
    7. Repeat the process for all other service accounts you want to add.
    8. View existing service account users by going to the Users tab and then clicking the Service Account filter. View service account users screenshot.
  4. Now you can access your DFP network using the service account via OAuth 2.0 assertion flow. In the following code example, we use our service account with OAuth 2.0 assertion flow to obtain an access token and make a basic DFP API call that gets all networks associated with that service account.

    // Create service account credential. GoogleCredential credential = new GoogleCredential.Builder() .setTransport(new NetHttpTransport()) .setJsonFactory(new GsonFactory()) .setServiceAccountId(SERVICE_ACCOUNT_ID) .setServiceAccountScopes(ImmutableList.of(SCOPE)) .setServiceAccountPrivateKeyFromP12File(new File(P12_FILE_PATH)) .build(); credential.refreshToken(); // Construct a DfpSession. DfpSession session = new DfpSession.Builder() .fromFile() .withOAuth2Credential(credential) .build(); DfpServices dfpServices = new DfpServices(); runExample(dfpServices, session);

Frequently asked questions

Can I log into the DFP web user interface with my service account?

No, service accounts are not regular Google accounts and cannot access the DoubleClick for Publishers web user interface.

How often do I need to refresh service account access tokens?

Access tokens expire one hour after they are issued by the Google OAuth 2.0 Authorization Server. When an access token expires, the application should use the client library to fetch another access token.

What role should I set my service account to?

When creating service accounts, you should limit the role as much as possible. Creating a service account with Administrator privileges, for example, would allow a third-party to create additional, UI-accessible, users, which may defeat the purpose of your service account.