Actions on Google link third party service account using non-GoogleAssistant integration - authorization

I am working on Google Action for smart devices and using Dialogflow interaction schema with Java fulfillment. Fulfillment should call third party API to complete requests. For the purpose of the task, I must use a custom OAuth server. According to docs, I filled Action Account Linking information in Action Console with Grant Type: Authorization Code. For all intents including Welcome "Sign in required" is set.When testing with Google Home device or Google Home surface in Simulator menu, I get clear message "It looks like your Demo Service account is not linked yet. You can link Demo Service to your Google Account from the Google Home app." And as expected I get Linking Card in Google Home App to login and get AccessToken for third party service. Everything is OK here.
But when using Telegram integration or Phone surface in Simulator I just get "It looks like your Demo Service account is not linked yet" and nothing happen neither in Telegram, nor in Google Home App. How should user authentication for third party service be managed in this case?

Using the Actions on Google simulator, when you get the "It looks like your Demo Service account is not linked yet" you can achieve account linking by clicking on the DEBUG tab then open in a browser the url in "debugInfo". (See below)
The Phone surface simulates the Google Assistant app on Android or iOS devices. Users on these platforms will be prompted directly for account linking. (See below image)

Related

Spotify : 403 - User not registered in the Developer Dashboard

I'm making a react-native app with the Spotify API, I'm using the Authorization Code Flow & and I'm on Development mode with only one user added in "Users and access" on my Spotify dashboard: my tester, who is a part of my Spotify Premium Duo.
The app is working fine on my part, but my tester can't see anything related to her account. The /me endpoint is sending a 403 error with this message in the body : User not registered in the Developer Dashboard. Top Tracks / Top Artists endpoints are working fine with her Access Token.
I can't see any email on her Spotify account, but can't change anything because it is linked to her Facebook account. I'm also logged in with my Facebook but it's working fine, and I can see my details when fetching the /me endpoint with my access token.
If you ever stumbled upon this kind of error, any help will be appreciated !
Thank you in advance,
You can see your info using the /me endpoint because you're the owner of the app and automatically registered in the project's dashboard.
In order to use the /me endpoint on other Spotify accounts you have to register them in the dashboard of your project under "Users and access" in the top right corner.
Once the user is registered, the /me should return a 200 response containing all the user's info.
This is probably due to the fact that you're app is in development mode.
The mail to use if the user is logged on Spotify via Facebook, is the Facebook one I'd say.
NOTE: You have to provide the user's real name to grant access: it's case sensitive.

How to tie an account from a backend server to a google assistant user

I have a web application setup to handle webhook requests from an Actions-on-Google/Dialogflow application using the Google Assistant. Users don't need to sign-in to a google account in order to use my web application and I'd prefer to keep it that way, so that users can sign in with any email address.
I also want my users to be able to interact with my application using the Google Assistant, and be able to access personal/contextual data via the assistant (i.e. when a speaker says, "what's on my shopping list", the web app needs to be able to know what my means).
Currently, I have this working by using my web app to issue a unique short code to my user (in the web app UI) and then with an intent on the Assistant where the speaker says "My code is 1-2-3-4" and then my web app can identify the user from then on (by saving the userId from the webhook request to whatever user got the short code 1234 and then using that userId to lookup the user on each subsequent request.)
My question is, is there a better way to do this? Ideally, in my web app, I'd like to have something like an "Authorize Google Assistant" button, which would then link the user's google account to their web-app account, so that the conversation on the Assistant is seamless.
Has anyone done this before?
Thanks
This is the perfect use case for Account Linking with the Google Assistant.
From your users' perspective, they will start to use your Action. If they're doing so through a speaker and they haven't linked the account yet, they'll be directed to a mobile device to do so. On a mobile device, they'll be redirected to a page on your website where they will been to authenticate themselves and authorize your server to let them in through the Assistant. Once they have done so, they won't need to log in again, the accounts will be linked, and they'll be able to use the voice Action without further obstruction.
From your perspective as a developer, you'll need to setup an OAuth2 server (I suggest the code flow). That login process I mentioned is the first step in the OAuth dance, and will end up with you issuing a code to Google. They will then exchange this code for an Auth Token (with a limited lifetime) and a Refresh Token (which does not expire). They will periodically use the Refresh Token to get new, valid, Auth Tokens for this user. When the user issues a voice command, the Auth Token will be passed as a field in the JSON to your fulfillment server, and you can use this to verify who the user is and that they are authorized to use your service.

Account linking Actions on Google with App Engine Standard

I have an App Engine Standard project for API.AI fulfilment webhook. Users interact with my app through chat (Google Assistant) only—no Web interface. In summary, the app is a chat backend.
My app requires user's email to send updates. I read that I need account linking.
Based on this answer in SO, this is exactly what I did:
In GCP console → APIs & services → Credentials, I created new
OAuth 2.0 client ID, with Authorized redirect URI: https://oauth-redirect.googleusercontent.com/r/[my-project-id].
In Actions on Google console → Account linking, I chose Authorization code with:
Client ID and Client secret copied from previous step
Authorization URL: https://accounts.google.com/o/oauth2/v2/auth
Token URL: https://www.googleapis.com/oauth2/v4/token
Scopes: profile and email (initially I put fully namespaced, e.g. https://www.googleapis.com/auth/userinfo.email but somehow it got "shortened")
Testing instructions: A dummy Google account I created
In API.AI console → Integrations → Google Assistant, Sign in required for welcome intent is ticked.
The whole setup kinda works. Here's how it goes in the simulator:
Typed, "Talk to [my app]"
Received response, with login URL in the debug tab
Copy pasted the URL, login successful, redirected to Google home page
Back to simulator, typed: Talk to [my app]
Connected (auth code is passed in webhook calls, and my app can query user's email)
Two issues:
Why do I need to type Talk to [my app] twice?
My submission is rejected because "Your provided testing instructions either did not work correctly or were not substantial enough. Please ensure that you are providing everything needed for us to test your app, and that all credentials you provide work correctly."
Where did I do wrong?
EDIT: I tried using Android 6, it says "It looks like your [project] account is not linked yet," and there's a button to link. Upon clicking, it shows Google Account selector, but clicking it doesn't do anything (and no request to my server).

The Google Maps API server rejected your request. This IP, Site or mobile application is not authroised to use this API key

I have implemented the Google maps iframe embed api to my website, the map API is working correctly on desktop web browsers as well as Google Chrome for mobile.
However when i attempt to view the page of my site with the API on in mobile safari on iphone i get an error saying;
"The Google Maps API server rejected your request. This IP, Site or mobile application is not authroised to use this API key".
I Have enabled Google Map API for IOS on the google developer console and the issue still hasnt gone away. As i said the API works fine on other mobile browsers.
Does any one have any suggestions how to fix this?
Thanks, Martin
Did you create a new Client ID?
Handheld devices require "Installed Application" Client ID, not "Web Application. "

PayPal - switching from Sandbox to Live account using REST API

We tested our web application successfully using a sandbox REST API account (and test credentials).
When we wanted to put the application into production (using REST API live credentials visible on the same PayPal web site where the sandbox/text credentials were shown), we received an error from the production PayPal server on a live credit-card transaciton:
Error code : 401 with response : Server returned HTTP response code: 401 for URL: https://api.paypal.com/v1/payments/payment
We have a Business Account that is not yet 100% verified (75% verified at the moment), so we are not sure if this is caused by some technical issue or the fact that the account is not yet 100% verified.
PayPal web site is quite confusing and the process of moving the app from test to production is not clearly explained. It seems that they are migrating from some old web sites to new ones and the user is prompted to login multiple times, redirected to different URL-s... E.g. we can see our application test and live credentials on the developer.paypal.com, but not on apps.paypal.com where no apps are listed, even though the same user is logged in (owner of the business account)???
For future readers, you have to use Live Credentials, on https://developer.paypal.com go to My apps and in App details there is a link at a bottom of the page :
Click on that link and you will see live credentials.
You now click on your sandbox application and then click live at the top of the screen to get your live credentials.
For the PayPal REST api use the credentials provided on developer.paypal.com (new version of PayPal dev experience). Live calls require the account to be vetted which includes fully verified.