I am new to Google Actions. I am building action to access my smart home device from google home/assistance. I have already filled the Account Linking details from my auth server on action console.
I have provided the Fulfillment URL on Actions tab.
When I try to link the account from Google App (i.e. Home > + > Set up device > Works with Google > [test] My_Action , it redirect to my server's Authorization, there I submit my server's username and password and it redirect back to google home page and my account is successfully linked and my devices are showing in the Google Home.
But, When I try to link my account using OAuth 2.0 (https://developers.home.google.com/cloud-to-cloud/project/authorization) it doesn't link the account.
Here are the steps I follow.
Open the URL in the browser.
https://auth-dev.iotondemand.com/oauth/authorize?client_id=client&redirect_uri=https://oauth-redirect-sandbox.googleusercontent.com/r/MY_PROJECT_ID&state=somerandomstring&scope=read+write&response_type=code&user_locale=en
It opens the login screen of my server, when I submit my credentials it redirect to the following url along with authorization code which is generated by my auth server and the state parameter.
https://oauth-redirect-sandbox.googleusercontent.com/r/MY_PROJECT_ID?code=VGdKtk&state=somerandomstring
And
'Invalid State Parameter. The Link can not be completed.'
this is written on browser.
Invalid State Parameter. The Link can not be completed.
What's wrong am I doing? I am passing some random string to my authorization url and it gives back the same string and redirect it to oauth-redirect-sandbox.googleusercontent.
My action is still in development mode. I haven't deployed it yet.
If you are able to complete account linking using the Google Home App, you are good to go with your implementation. This flow is also using OAuth2.0, where the user is sent to your authorization url to fill in credentials, then Google servers will use the authorization code you provided in this flow to retrieve access and refresh tokens from your token url. (The fulfillment url you provided is not used throughout the Account Linking process)
Related
I'm trying to setup oAuth for Stripe's Connect (Standard). In their setup documentation they say:
Step 1: Create the OAuth link To get started with your integration,
Your client_id, a unique identifier for your platform, generated by Stripe
Your redirect_uri, a page on your website to which the user is
redirected after connecting their account (or failing to, should that
be the case), set by you
Step 3: User is redirected back to your site After the user connects
their existing or newly created account to your platform, they are
redirected back to your site, to the URL established as your
platform’s redirect_uri. For successful connections, we’ll pass along
in the URL: The scope granted The state value, if provided An
authorization code. The authorization code is short-lived, and can be
used only once, in the POST request described in the next step.
The way I've implemented this is by sending the user to a React-Native WebView, and because this is a mobile application, a redirect_uri is not an option.
The problem is, I cant simply make a POST request to a url. there are user actions that must be taken inside of stripe, and ultimately stripe sends an authorization code to a redirect url.
So How can I obtain the authorization code that stripe doles out inside the WebView authorization process so I can finish the Stripe Connect user creation process?
You can use onLoadStart for WebView. Just check if the url from the synthetic event is what you specified in your stripe settings and handle accordingly.
onLoadStart={(syntheticEvent) => {
const { nativeEvent } = syntheticEvent;
if(nativeEvent.url.startsWith("YOUR_REDIRECT_URL"){
// your logic here
}
}}
Follow the steps
step 1 : login in mediator strip account, now open new tab and paste below url in new window and replace client id "ca_****" with the account which you want to connect with mediator account ( client id ), and hit the url
https://connect.stripe.com/oauth/v2/authorize?response_type=code&client_id=ca_************************&scope=read_write
step 2 : now press connect button and find the code from new url like
https://connect.stripe.com/connect/default/oauth/test?scope=read_write&code=**ac_**************************
First, I'd like to mention that problems like this had been discussed before in the topics like:
How to authenticate user with just a Google account on Actions on Google?
But I could not find any information at all related to ways of linking Google Assistant app with my own web server.
Problem:
GET https://oauth-redirect.googleusercontent.com/r/my-google-assistant-app#access_token=ACCESS_TOKEN&token_type=bearer&state=STATE always returns "Account field to link" error
A Way to Reproduce:
I created a new project in Actions on Google Console
I built an application using Dialogflow
I created a Heroku Web Server as my webhook (ex: webhook.herokuapp.com)
So everything worked just fine. I've successfully connected my Google Assistant app with my webhook.
But then I decided to send requests to my another one Heroku Web Server (ex: webserver.herokuapp.com) which needs a user to be logged in. So I decided to implement account linking of my Google Assistant app with webserver.herokuapp.com
I implemented Google-OAuth2 authorization at webserver.herokuapp.com. Also I want to mention that I used Client ID and Client Secret of my Google Assistant App
So, Google Authorization worked perfectly at my webserver.herokuapp.com
Then I enabled account linking settings for my Google Assistant app with Implicit Flow
So, that's it!
Epilogue
I open Google Assistant, tell it "Talk to my test app", then it greets me and offers me to link accounts. I say "yes".
Then I see how Google Assistant requests my login URL at webserver.herokuapp.com. Then I enter my Google email and password. As a result I logged in at my webserver! Then my webserver makes a redirection to:
https://oauth-redirect.googleusercontent.com/r/my-google-assistant-app#access_token=ACCESS_TOKEN&token_type=bearer&state=STATE
And I get the error I've described at the top of my post.
Any help would be appreciated
UPDATE with parameter information
These are my constants:
Google Assistant Project_ID = nodejs-sdk-local-test
Google Assistant Client_ID = 1067979601708-ldr3ga115es3fdo823slfnj46gjoes66.apps.googleusercontent.com
state = manually_set_state_value
The flow is I open my Google Assistant and say "Ok Google, talk to my test app", it answers my request and then I say something like "do some action which need authorization". Google Assistant app offers me to link an account and I say "Yes".
This is where Google Assistant app makes a call to my https://webserver.herokuapp.com/google-oauth2 endpoint. A purpose of this endpoint is to redirect me to the Google Login Page.
Now I'm being redirected to the Google Login Page (everything seems to be correct. client_id and state parameters are similar to the constants). This is the example of an URL where I am being redirected to: https://accounts.google.com/o/oauth2/auth?client_id=1067979601708-ldr3ga115es3fdo823slfnj46gjoes66.apps.googleusercontent.com&redirect_uri=http://webserver.herokuapp.com/complete/google-oauth2/&state=manually_set_state_value&response_type=code&scope=openid+email+profile
At the Google Login Page I enter my credentials and then I'm being redirected to the redirect_uri=http://webserver.herokuapp.com/complete/google-oauth2 endpoint. A purpose of this endpoint is to register or login me at webserver.herokuapp.com and then redirect me to another Google URL. An example of the Google URL: https://oauth-redirect.googleusercontent.com/r/nodejs-sdk-local-test#access_token=<token_omitted>&token_type=bearer&state=manually_set_state_value
So it seems that everything is correct. I logged in to my webserver.herokuapp.com, got an access token. Also project_id and state parameter in the last Google URL are similar to constants. Anyway, this Google URL returns me an error "Accounts failed to link"!
The most common cause of this is that you're not passing back the same value for state that was sent to you when Google redirected to your site. Make sure this is the same value and, for your security, make sure you validate the other parameters that are sent to you as well.
When the user is redirected to https://webserver.herokuapp.com/google-oauth2, there should be some parameters sent as part of the query. Those parameters include a state parameter. It should look something like this:
https://myservice.example.com/auth?client_id=GOOGLE_CLIENT_ID&redirect_uri=REDIRECT_URI&state=STATE_STRING&response_type=token
Note that while the client_id and redirect_uri are values that you should expect and test for, the state value is not one that you would have set. Google generates a different one every time. This is the state that you should be using later when you redirect to
https://oauth-redirect.googleusercontent.com/r/nodejs-sdk-local-test#access_token=<token_omitted>&token_type=bearer&state=STATE_STRING
Currently Google Assitant includes an easy way to request non-identifiable information about the user and a detailed flow to authenticate the user on a third party service through OAuth2. What about if all I need is have the user authenticate on Google itself? I tried filling in the account linking flow using Google OAuth2 information, but that seems not to work. If that last thing is supposed to work fluently than that would be enough of an answer.
Context: Users already authenticate only with Google on a related webpage. All I need is to link this already authenticated account with the less-authenticated account on Google Assistant.
Update, 25 Oct 2018:
As of 13 September 2018, there is now a much simpler way to access the user's account if your project uses Google Sign-In. Google Sign-In for Assistant will give you an ID Token with information about the user, including their Google ID, with their permission. This permission can be granted just using voice and is fairly streamlined.
You can combine this with a web- or app-based Google Sign-In to get their permission to access OAuth scopes if you need to access Google's APIs.
Update, 25 Oct 2017:
As of around 4 Oct or 7 Oct, Google has updated their policy (again) to restore language restricting OAuth endpoints that are valid. The terms now include
When implementing account linking using OAuth, you must own your OAuth endpoint
and it appears (from the comments below) that they now check for the Google endpoints to prevent this method from working.
At this point, the only thing you can do is setup your own OAuth2 server.
Original Post:
Broadly speaking, the auth tasks you need to do are in four parts:
Configure your project (in the cloud console) so that the Calendar API is enabled and that the OAuth2 client is correctly configured.
Configure the Action for account linking in the action console.
Configure the Actions on Google Integration for your API.AI Agent to indicate that sign-in is required.
When API.AI calls your webhook to fulfill an Intent, it will include an auth token as part of the JSON. You can use this token to make calls to the Google APIs you need.
Configure Cloud Project
You need to configure your cloud project so that it has access to the Google APIs you need and setup the OAuth2 Client ID, Secret, and Redirect URI.
Go to https://console.cloud.google.com/apis/dashboard and make sure you have the project you're working with selected. Then make sure you have the APIs you need enabled.
Select the "Credentials" menu on the left. You should see something like this:
Select "Create credentials" and then "OAuth client ID"
Select that this is for a "Web application" (it is... kinda...)
Enter a name. In the screen shot below, I used "Action client" so I remember that this is actually for Actions on Google.
In the "Authorized Redirect URIs" section, you need to include a URI of the form https://oauth-redirect.googleusercontent.com/r/your-project-id replacing the "your-project-id" part with... your project ID in the Cloud Console. At this point, the screen should look something like this:
Click the "Create" button and you'll get a screen with your Client ID and Secret. You can get a copy of these now, but you can also get them later.
Click on "Ok" and you'll be taken back to the "Credentials" screen with the new Client ID added. You can click the pencil icon if you ever need to get the ID and Secret again (or reset the secret if it has been compromised).
Configure the Action Console
Once we have OAuth setup for the project, we need to tell Actions that this is what we'll be using to authenticate and authorize the user.
Go to https://console.actions.google.com/ and select the project you'll be working with.
In the Overview, make your way through any configuration necessary until you can get to Step 4, "Account Linking". This may require you to set names and icons - you can go back later if needed to correct these.
Select the Grant Type of "Authorization Code" and click Next.
In the Client Information section, enter the Client ID and Client Secret from when you created the credentials in the Cloud Console. (If you forget, go to the Cloud Console API Credentials section and click on the pencil.)
For the Authorization URL, enter https://accounts.google.com/o/oauth2/v2/auth
For the Token URL, enter https://www.googleapis.com/oauth2/v4/token
Click Next
You now configure your client for the scopes that you're requesting. Unlike most other places you enter scopes - you need to have one per line. Then click Next.
You need to enter testing instructions. Before you submit your Action, these instructions should contain a test account and password that the review team can use to evaluate it. But you can just put something there while you're testing and then hit the Save button.
Configure API.AI
Over in API.AI, you need to indicate that the user needs to sign-in to use the Action.
Go to https://console.api.ai/ and select the project you're working with.
Select "Integrations" and then "Actions on Google". Turn it on if you haven't already.
Click the "Sign in required for welcome intent" checkbox.
Handle things in your webhook
After all that setup, handling things in your webhook is fairly straightforward! You can get an OAuth Access Token in one of two ways:
If you're using the JavaScript library, calling app.getUser().authToken
If you're looking at the JSON body, it is in originalRequest.data.user.accessToken
You'll use this Access Token to make calls against Google's API endpoints using methods defined elsewhere.
You don't need a Refresh Token - the Assistant should hand you a valid Access Token unless the user has revoked access.
After contacting Google the current situation seems to be that you should set up your own OAuth2 server, and then on the login screen of your OAuth2 server you should start the Google OAuth2 flow.
you have to have your own endpoint with Google Oauth2 - it is correct that you can't use Google Oauth itself as a provider. To use the Google OAuth service, you can use a "sign in with Google" button in your own endpoint instead.
Source: Contacting Google Actions on Google Support
Kind of speechless right now... as this seems to be a huge oversight on Google's part.
I am able to make it work after a long time.
We have to enable the webhook first and we can see how to enable the webhook in the dialog flow fulfillment docs
If we are going to use Google Assistant, then we have to enable the Google Assistant Integration in the integrations first.
Then follow the steps mentioned below for the Account Linking in actions on google:-
Go to google cloud console -> APIsand Services -> Credentials -> OAuth 2.0 client IDs -> Web client -> Note the client ID, client secret from there
-> Download JSON - from json note down the project id, auth_uri, token_uri
-> Authorised Redirect URIs -> White list our app's URL -> in this URL fixed part is https://oauth-redirect.googleusercontent.com/r/ and append the project id in the URL
-> Save the changes
Actions on Google -> Account linking setup
1. Grant type = Authorisation code
2. Client info
1. Fill up client id,client secrtet, auth_uri, token_uri
2. Enter the auth uri as https://www.googleapis.com/auth and token_uri as https://www.googleapis.com/token
3. Save and run
4. It will show an error while running on the google assistant, but dont worry
5. Come back to the account linking section in the assistant settings and enter auth_uri as https://accounts.google.com/o/oauth2/auth
and token_uri as https://accounts.google.com/o/oauth2/token
6. Put the scopes as https://www.googleapis.com/auth/userinfo.profile and https://www.googleapis.com/auth/userinfo.email
and weare good to go.
7. Save the changes.
In the hosting server logs, we can see the access token value and through access token, we can get the details regarding the email address.
Append the access token to this link "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" and we can get the required details in the resulting json page.
accessToken = req.get("originalRequest").get("data").get("user").get("accessToken")
r = requests.get(link)
print("Email Id= " + r.json()["email"])
print("Name= " + r.json()["name"])
You need to implement the Oauth protocol with whatever Google Assistant app you are developing. Let me be a bit more clear:
The user is on the assistant, you need to link him to any data
you have on your App side
The access to the data you have about
your user is protected by an access token
Google then needs to
ask you for this token to have access to this resource
When
google has the token it can send it to the app so it validates every
requests to get the resource.
This is why you need to implement your own oauth server (Honestly it is just two more endpoints in your application): the identity is checked on google's side, but the link between the user and the resource to access can only be known by you.
The process above is valid, you just need to specify your own token endpoint and your own auth endpoint.
Note that if you only want to check that the user is logged in into google and get his email, you just need to implement the streamlined identity flow that does not require the /auth endpoint (Automatically Sign Up Users with Streamlined Identity Flows)
That beeing said I implemented the flow but get the same error :
expected_inputs[0].possible_intents[0]: Transactions/Identity API must be enabled before using.
When i try get access token via oauth (oauth screen with Allow button) on my local machine it works, but when i do the same on test server: i get oauth screen, i press allow and it's redirects to callback uri with code, and then app asking for token (i use PHP lib):
$client->authenticate($request->get('code'));
$access_token = $client->getAccessToken());
and i get null in response and application does not get authorized and it's not in authorized apps in google account.
I've checked redirect URLs listed in Google APIs - everything matches!
And i don't get any errors from google, it's just redirects to callback url and not adds application to authorized apps list.
But it works on local with same credentials. Any one can help me and guide where the problem can be?
Solved. I did not set redirect url before $client->authenticate($request->get('code'));
I want to integrate SkyDrive with single sign on in which users has to sign in and give consent only once in our website. After that they can access their SkyDrive files/folders to upload seamlessly.
I have created my application and did all app settings as mentioned in http://msdn.microsoft.com/en-us/library/dn659751.aspx.
I followed sample in link https://github.com/liveservices/LiveSDK-for-Windows/tree/master/src/Web/Samples/OAuthServer/Asp.net/OAuthSample
But I am getting 400 error bad request when I use REST API to get access token and refresh token.
can someone help please?
This may be a Redirect Url issue. Can you check to see if the Redirect Url that you're using is the same in the following 2 places:
When you created the app (in your app settings page -
https://account.live.com/developers/applications/summary/YOUR_APP_ID)
The redirectUrl passed as parameter in your REST API call. (GET
https://login.live.com/oauth20_authorize.srf?client_id=CLIENT_ID&scope=SCOPES&response_type=RESPONSE_TYPE&redirect_uri=REDIRECT_URL)