I have a web application setup to handle webhook requests from an Actions-on-Google/Dialogflow application using the Google Assistant. Users don't need to sign-in to a google account in order to use my web application and I'd prefer to keep it that way, so that users can sign in with any email address.
I also want my users to be able to interact with my application using the Google Assistant, and be able to access personal/contextual data via the assistant (i.e. when a speaker says, "what's on my shopping list", the web app needs to be able to know what my means).
Currently, I have this working by using my web app to issue a unique short code to my user (in the web app UI) and then with an intent on the Assistant where the speaker says "My code is 1-2-3-4" and then my web app can identify the user from then on (by saving the userId from the webhook request to whatever user got the short code 1234 and then using that userId to lookup the user on each subsequent request.)
My question is, is there a better way to do this? Ideally, in my web app, I'd like to have something like an "Authorize Google Assistant" button, which would then link the user's google account to their web-app account, so that the conversation on the Assistant is seamless.
Has anyone done this before?
Thanks
This is the perfect use case for Account Linking with the Google Assistant.
From your users' perspective, they will start to use your Action. If they're doing so through a speaker and they haven't linked the account yet, they'll be directed to a mobile device to do so. On a mobile device, they'll be redirected to a page on your website where they will been to authenticate themselves and authorize your server to let them in through the Assistant. Once they have done so, they won't need to log in again, the accounts will be linked, and they'll be able to use the voice Action without further obstruction.
From your perspective as a developer, you'll need to setup an OAuth2 server (I suggest the code flow). That login process I mentioned is the first step in the OAuth dance, and will end up with you issuing a code to Google. They will then exchange this code for an Auth Token (with a limited lifetime) and a Refresh Token (which does not expire). They will periodically use the Refresh Token to get new, valid, Auth Tokens for this user. When the user issues a voice command, the Auth Token will be passed as a field in the JSON to your fulfillment server, and you can use this to verify who the user is and that they are authorized to use your service.
Related
Good morning.
I use google calendar API.
My program create a connection with the google calendar of multiple users.
From each user, i have their credential.json, but when the app start the first time show the browser quickstart confirm. How i can skip this step?
Thanks anticipated
I think you have seriously misunderstood how Oauth2 works.
You the developer goes to Google developer console and registers your application. If you will be requesting data from other users you will need to create Oauth2 credentials this will give you credeitnals.json file used by your application to request authorization of a user.
When each of your users runs your application they will be requested to consent to your application authorizing their data. If they do you will be granted an access token which gives you access to their data, this access token will expire after one hour. If you have also request offline access then you will also have a refresh token. If you store this refresh token some place then you will be able to access the users data when ever you need to by using it to request a new access token.
As for the unverified app screen, when you create your application it is basically in developer state, this is so that you can build and test your application. When you are ready to go to production you can request that your application be verified by google
Once your app has been verified the unverified app screen will stop showing up.
I have searched long and far for this on Google Identity documentation but my question seems to be out of it's scope (https://developers.google.com/identity/protocols/OAuth2).
This is what I have:
I have an app that is using Google's PHP Client library to authenticate a user via oAuth2. My application stores the retrieved token & refresh token from a user. I am able to use this token and refresh token to pull in information from various Google API's (Drive, Calendar, Mail, etc). I am also storing a cookie in browser to keep the user logged in to the application when the user closes the browser. I have created a simple way for users to login to the application via a QR code that matches up their stored token and refresh token. After the first login they are able to simply use a badge to login to the application.
This is what I want but don't know how to do
When a user logs into the application with their QR badge everything work perfectly (I am still able to pull in anything via the PHP Client Library/Google API's), however when a user goes to Gmail, Drive, or other Google service, Google is asking them to login (it's because they are not technically authenticated with accounts.google.com (only my application)). Is there a way to programmatically authenticate a user to accounts.google.com via a stored token/refresh token?
I was searching for a proper way to implement authentication of users with Google accounts into an app I'm developing. One thing led to another and I found this:
https://github.com/thephpleague/oauth2-google
They have a few implementations depending on how you may wish to implement OAuth2 (via separate repositories). I believe this directly answers your question, albeit 3.4 years later. Hopefully it will help someone else who is looking for this info.
Twitter API allows to update "the authenticating user’s current status", as explained in the documentation page.
What I'd like to achieve instead is to update another user's current status. Consider a magazine's twitter account. I'd like different people to be able to update the magazine's status. Tweetdeck allows this, but it also allows a whole lot of other things like access to Direct Messages. I only want to provide certain authenticated users an interface (similar to Twitter's post-a-tweet interface) to post status and images to the shared account.
I could not find a simple explanation of how to use Twitter API to achieve the above functionality. Could someone please help?
If you have an app that implements the status update API and it is delivered to different people and they authorize the app with the magazine's twitter account, then the app will update that status. I can show an example also with code if this is what you're asking. However the main point is that, once a user has authorized the app, she/he doesn't need to be connected with the shared login any longer because the app will do that on the magazine's behalf.
BTW, similar question here: Twitter API: post on behalf of whom?
Edit
Just to summarize the comments:
The standard OAuth authentication requires the following main steps
1) to develop an app (registered with OAuth consumer key and secret) that implements the API update status 2) to install and authorize the app: during this step the onwer will be requested to enter the credentials of the passive account in a Twitter link opened with the browser, 3) then - after a fallback - the app will store the access token and any user of the app will be able to update the status without login
Once you have developed an app that can post tweets on behalf of a passive twitter account using the standard OAuth, you could make that functionality available to the authenticated users of a website.
While implementing the Facebook Connect to a web application , its possible to show Facebook Sign up page in a pop up and once logging in and Granting permissions are complete, its possible to Authenticate Again in PHP and to get the necessary details of the user, - id, email etc.
I believe, thats secure because, the User Insertion is not based on the Ajax Request Parameters.
Is it possible to do the same with Google Plus Login also ?
Means - Logging in to Google - Using Javascript SDK, asking permissions, Authenticating all done in a Pop Up Window. and then, Creating a new user with the Help of google-api-php-client ??
Yes, what you're trying to do is outlined with https://developers.google.com/+/web/signin/server-side-flow which includes some PHP code samples to help you do this. In general, the steps at authentication time are:
User clicks the "Sign in with Google" button which may pop-up a new window at Google prompting them to log in and authorize your webapp.
After they do so, a one-time code is sent to a JavaScript callback you specify.
Your Javascript method sends this code to your PHP server.
Your PHP server uses the client library to contact Google's server and exchange this one-time code for an access token and refresh token, which you keep and use to perform actions on the user's behalf.
I'm currently designing a website (on google app engine) in which user can register from multiple sources (classic registration, google account login, facebook login, or maybe OpenID or OAuth).
I'm a bit confused with all this, i don't know what's the best behavior for this.
Should i try to associate accounts automatically when using the same email address ?
Should i dissociate accounts (meaning that if you use Google login when you registrated with classic user/password, it will fail) ?
Should i send verification emails for classical registration, or allow user to use the website and just send a "welcome" email ?
I'd like the website to be as easy as possible, but we may put some commercial features on it later. Do you have any advice on the user auth system to develop ?