invalid_client error when using service account + domain wide delegation to authenticate with Google Ads API
I am trying to authenticate into Google Ads using the following API client for c# https://github.com/googleads/googleads-dotnet-lib. I am trying to authenticate using a service account + gsuite domain wide delegation. I have performed all of the steps in this documentation but am receiving an
invalid_client error from Google. Below is the code I am running.
GoogleAdsClient client = new GoogleAdsClient(); client.Config.OAuth2Mode = OAuth2Flow.SERVICE_ACCOUNT; client.Config.OAuth2PrnEmail = "email@example.com"; client.Config.OAuth2SecretsJsonPath = HostingEnvironment.MapPath("~/service-account-keys-downloaded-from-gcp.json"); var svc = client.GetService(Services.V2.CustomerService); var accounts = svc.ListAccessibleCustomers();
The code is supposed to authenticate on behalf of a user in a gsuite organization and list all of the accounts the user has access to. When I run the above code I get the following error.
Status(StatusCode=Unavailable, Detail="Getting metadata from plugin failed with error: Exception occurred in metadata credentials plugin. Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"invalid_client", Description:"The OAuth client was not found.", Uri:""
It seems that no matter what email I try to authenticate with I still get the same error which makes me think that there is a fundamental issue with how I am trying to authenticate.
All of the necessary fields seem to map properly into the
Config except for the client secret. I am unable to pass a client secret into the request because the service account client (auto created when enabling domain wide delegation on a service account in GCP) does not come furnished with a client secret. The docs that I have mentioned don't seem to specify how you would obtain a client secret when authenticating with a Google service account, however this seems necessary.