Context
The Google Ads integration within SAP Marketing Cloud and SAP Marketing used the OAuth out-of-band (OOB) flow to complete the OAuth token exchange with Google Identity Services (GIS).
OAuth out-of-band (OOB) is a legacy flow developed to support native clients which do not have a redirect URI like web apps to accept the credentials after a user approves an OAuth consent request. The OOB flow poses a remote phishing risk and needs to be migrated to an alternative method to protect against this vulnerability.
Google announced that the OOB flow is deprecated as of Oct 3, 2022. Please refer to the Google blog post to learn more about the deprecation.
The integration package version 3.1.0 replaces the OAuth OOB flow with a Google OAuth client, and the configuration guide includes information about how to set up the Google OAuth client and configure the OAuth authorization code grant in SAP Cloud Integration. The configuration guide is intended for customers who haven’t enabled the Google Ads integration within SAP Marketing Cloud or SAP Marketing.
This blog post is mainly for customers already running the Google Ads integration, and provides detailed instructions on how to complete additional configuration before deploying the artifacts in integration package version 3.1.0. Please don’t plan or start the integration package update to version 3.1.0 until you finish reading this blog post. The instructions in this blog post are for Cloud Integration tenants in the SAP Cloud Platform Neo environment.
Impact
The deprecation of the OOB flow mainly impacts customers who want to request new authorization codes for an OAuth token reset.
If you need to reset your OAuth token immediately, please complete steps 1 to 3 with priority. Otherwise, take the time to plan and complete the following steps to allow a smooth update of the integration package with minimal disruption of the productive systems.
Instructions
Step 1. Create your Google OAuth Client
configuration step for SAP Marketing Cloud
configuration step for SAP Marketing
Step 2. Set up OAuth Authorization code grant in your SAP Cloud Integration tenant
configuration step for SAP Marketing Cloud
configuration step for SAP Marketing
Ensure that your OAuth authorization code is in status “Deployed”. If you face any errors completing the authorize action on OAuth authorization code, there is something wrong with the values in the OAuth authorization code configuration, for example, extra white space at the end of the URL.
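A pre-flight check for the values pasted into the OAuth authorization code configuration, catching the trailing white space mentioned above as well as a leftover OOB redirect value. This is an added example, not part of the SAP integration package; the field labels, tenant host and client ID are placeholders, and the Google endpoints and Google Ads scope shown are the publicly documented ones.

```python
from urllib.parse import urlsplit

# Redirect value of the deprecated OOB flow.
OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"
# Hypothetical field labels for this example, not SAP's own keys.
URL_FIELDS = ("authorization_url", "token_url", "redirect_uri")
REQUIRED = URL_FIELDS + ("client_id", "scope")


def check_oauth_config(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for name in REQUIRED:
        value = cfg.get(name, "")
        if not value.strip():
            findings.append(f"{name}: missing or empty")
        elif value != value.strip():
            findings.append(f"{name}: leading or trailing white space")
    for name in URL_FIELDS:
        value = cfg.get(name, "").strip()
        if not value:
            continue  # already reported as missing
        if value.lower().startswith(OOB_REDIRECT):
            findings.append(f"{name}: OOB redirect value, deprecated by Google")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:
            findings.append(f"{name}: not an absolute https URL")
        elif any(ch.isspace() for ch in value):
            findings.append(f"{name}: white space inside the URL")
    return findings


# Constructed sample: placeholder tenant host and client ID, with a trailing
# space pasted after the token URL.
SAMPLE = {
    "authorization_url": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_url": "https://oauth2.googleapis.com/token ",
    "redirect_uri": "https://tenant.example.invalid/oauth/callback",
    "client_id": "CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com",
    "scope": "https://www.googleapis.com/auth/adwords",
}

if __name__ == "__main__":
    for finding in check_oauth_config(SAMPLE):
        print(finding)
```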
Step 3. Update the Google Ads Integration with SAP Marketing Cloud or SAP Marketing Integration package to version 3.1.0
The following instructions are to be completed in your SAP Cloud Integration tenant.
Step 3.1: Deploy the artifacts with existing OAuth tokens
– Deploy Google Ads API Common script collection.
– Deploy the iFlow Read OAuth Token in Cloud Integration, with parameter USE_OWN_GOOGLE_OAUTH_CLIENT set to false.
– Re-deploy the following iFlows related to Google Ads API calls:
- Create Customer List in Google Ads
- Read Accounts from Google Ads
- Read Campaign Performance Report from Google Ads
- Read Campaigns from Google Ads
After completing the above steps and configurations, the integration content still uses old OAuth tokens from OOB flow. You can do a quick test to verify whether integration is still working by doing the following: open the Campaigns application, check the value help of Google Ads Account. You should see the list of Ads accounts linked to your Google Ads manager account.
Step 3.2: Switch to new Google OAuth client
– Configure parameter USE_OWN_GOOGLE_OAUTH_CLIENT as true, and deploy the iFlow Read OAuth Token in Cloud Integration.
– Run a quick test on the value help of the Google Ads Account. If the test fails, you can switch back to the old OAuth tokens by deploying the iFlow Read OAuth Token in Cloud Integration with parameter USE_OWN_GOOGLE_OAUTH_CLIENT as false.
A common issue is related to expired OAuth tokens. To analyze the error, do the following:
- Go to message monitoring and look for the failed messages of related iFlows. Check if error details contain information similar to “Access token request via refresh_token grant type for OAuth2 Authorization Code credential ‘GoogleAdsOAuth’ failed after 5 retries”.
- If the error is identified, it’s likely that your Google Cloud Platform project with an OAuth consent screen is configured for an external user type and a publishing status of “Testing”. The issued refresh token expires in 7 days and you need to reauthorize the OAuth authorization code. To obtain a long-term OAuth token in this case, your Google app needs to have the publishing status “In production”.
For more information, please refer to Google’s support documents about OAuth token expiration at Refresh Token Expiration and about publishing status at Setting up your OAuth Consent Screen.
– Test all the use cases related to the Google Ads integration to ensure everything is working fine before approaching the next step.
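The token-expiry analysis from Step 3.2 can be run over failed-message records taken from message monitoring. The following is an added example, not code from the integration package: the record layout, timestamps and authorization date are constructed, and the 7-day comparison is a heuristic derived from the refresh token lifetime stated above.

```python
import re
from datetime import datetime, timedelta

# Error text quoted in Step 3.2; the credential name is captured, and both
# straight and typographic quotes around it are accepted.
REFRESH_FAILURE = re.compile(
    r"Access token request via refresh_token grant type for OAuth2 "
    r"Authorization Code credential ['‘’](?P<cred>[^'‘’]+)['‘’] "
    r"failed after \d+ retries"
)
# Refresh token lifetime the page states for an app in "Testing" status.
TESTING_LIFETIME = timedelta(days=7)


def triage(records, authorized_at):
    """Group refresh failures per credential and flag the 7-day pattern."""
    # records: (timestamp, iflow_name, error_text) tuples.
    # authorized_at: credential name -> time of the last Authorize action.
    report = {}
    for ts, iflow, text in records:
        match = REFRESH_FAILURE.search(text)
        if not match:
            continue  # unrelated failure, not a token refresh problem
        entry = report.setdefault(
            match["cred"], {"first_failure": ts, "iflows": set(), "count": 0}
        )
        entry["first_failure"] = min(entry["first_failure"], ts)
        entry["iflows"].add(iflow)
        entry["count"] += 1
    for cred, entry in report.items():
        since = authorized_at.get(cred)
        # Heuristic: failures starting 7+ days after authorization fit the
        # "Testing" expiry; earlier ones point to another cause.
        entry["consistent_with_7_day_expiry"] = (
            since is not None and entry["first_failure"] - since >= TESTING_LIFETIME
        )
    return report


# Constructed sample data, not taken from a real tenant.
ERR = ("Access token request via refresh_token grant type for OAuth2 Authorization "
       "Code credential 'GoogleAdsOAuth' failed after 5 retries")
AUTHORIZED = {"GoogleAdsOAuth": datetime(2022, 10, 10, 9, 0)}
RECORDS = [
    (datetime(2022, 10, 17, 9, 30), "Read Campaigns from Google Ads", ERR),
    (datetime(2022, 10, 17, 9, 45), "Read Accounts from Google Ads", ERR),
    (datetime(2022, 10, 17, 10, 0), "Read Campaigns from Google Ads", "HTTP 500"),
]
```

When the flag is set, check the publishing status of the OAuth consent screen before reauthorizing; when it is not, review the credential values first.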
Step 4. Clean up contents and artifacts no longer in use from the SAP Cloud Integration tenant
The following iFlows are no longer in use and should be undeployed:
- Authenticate User Access to Google Ads
- Refresh OAuth token from Google
- Set scheduler for Google token exchange
Delete the following global variables from the Monitor view -> Manage Variables:
- G_ADS_ACCESS_TOKEN
- G_ADS_REFRESH_TOKEN
- G_CODE_HASHCODE
Additional recommendations for communication between SAP Marketing Cloud/SAP Marketing and SAP Cloud Integration tenant
Enable certificate-based authentication between SAP Marketing Cloud/SAP Marketing and your SAP Cloud Integration tenant.
For SAP Marketing Cloud, do the following:
- Go to SAP Marketing Cloud, choose the Communication Systems app, and select the entry created for your Google Ads integration. Usually it’s pointing to your SAP Cloud Integration tenant. Complete steps 6-8 in Set Up the Communication System. The purpose is to obtain the client certificate used for outbound communication from SAP Marketing Cloud to SAP Cloud Integration tenant.
- Set Up the Certificate-to-User Mapping in the SAP Cloud Integration Tenant
For SAP Marketing
Summary
By completing the above steps, you have migrated to the Google OAuth client and set up certificate-based authentication. With this integration package update, the Google Ads API is also updated to version 11.
In case of issues
Please understand that this blog is for sharing information about the integration package update for Google Ads integration with SAP Marketing and SAP Marketing Cloud. In case you face any issues, please create an SAP support ticket by using the component CEC-MKT-SEM-PSI.