Account linking in Actions console : how to get "Google Sign In Client Information" for "Google Sign in" linking type? - actions-on-google

In the Actions console, I am trying to set up account linking with the 'Google Sign in' type:
in the Develop/Account linking menu,
I have chosen the 'Google Sign in' type.
When "Google Sign In Client Information" is displayed, the input fields are empty.
I understood that the input fields had to contain 'Authorization URL' and 'Token URL'.
How do I get this information to insert it in my code?
Thanks

Thanks to the response of Amol Shiledar, I just understood:
there is no need to consider the Authorization URL and Token URLs fields.
It is enough to get the client Id (as indicated by Amol Shiledar) and to indicate it in the code of the fulfillment:
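    const { dialogflow } = require('actions-on-google');
    // CLIENT_ID: the client ID shown in the Actions console
    const app = dialogflow({
      clientId: CLIENT_ID
    });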
Now it works well :-)

Update October 2019
Google seems to have updated their Google projects again. You can now see your Client ID under the Google Sign-in option again.
The Authorization URL and Token URL are supposed to be empty. You need to provide the information yourself. The authorization URL and token URL are endpoints that you will build, or those of an OAuth service such as Auth0, that you use to verify the logins from your users to a service.

Related

Where can I find the parameters to find an agent user id needed to access Google's Test Suite for Smart Home?

I am well accustomed to the Byzantine depths of Google's documentation but this has me baffled. On this page: https://smarthome-test-suite.appspot.com/ I have the Service Account Key but not the Agent User ID.
https://developers.google.com/assistant/smarthome/tools/smart-home-test-suite tells me that I need to:
1. Open the OAuth Playground tool.
2. Click on the gear icon in the upper right corner to open the OAuth 2.0 configuration dialog.
3. In the OAuth endpoints field, select Custom.
4. Specify the following account linking parameters, using the values you set in the Actions console when you created the smart home project. Click Close to save your changes.
   Authorization endpoint: Set this parameter to the Authorization URL in the console.
   Token endpoint: Set this parameter to the Token URL in the console.
   OAuth client ID: Set this parameter to the same value as in the console.
   OAuth client secret: Set this parameter to the same value as in the console.
How am I expected to remember parameters I set when I created the Home project? I don't see any place where the parameters are recorded for me to retrieve. Google has all this stuff. Why isn't there an idiot proof step to retrieve it?
Can anyone help me retrieve the agent user ID?
The auth and token endpoint URLs as well as the client ID and secret used to retrieve your AgentUserId should match the information that you entered in the Actions console.

OAuth2: No login dialog after log out, direct log in of last user

I am building a Flutter app that needs the user to authenticate against an identity provider in order to use the app.
I am using the package simple_auth_flutter to do the authentication stuff. So far this works as expected: When clicking on the log in button, the user is queried for their credentials and after passing the correct credentials I get a valid token.
I only have an issue when the user logs out from the identity provider. When the user clicks on the log in button he gets automatically logged in without being queried for the current user's credentials.
While logging out I delete the token from within the package and I revoke the token on the identity provider's side.
Any idea what could be the reason for this behaviour?
OIDC based Identity Providers issue a session cookie when you login. This is what enables single sign on across multiple apps.
To force a new login prompt, logout typically needs to send an End Session Request so that this cookie gets removed.
My Android sample code does this, though I am using different libraries. Not sure if Flutter has end session support?
Also worth being aware that some identity providers require vendor specific messages.
I had the same issue with my Flutter app using Firebase and Microsoft as identity provider. I solved the issue by using the "prompt" parameter within the authentication request. Below you can see my code for OAuth authentication with Microsoft.
    await FirebaseAuthOAuth().openSignInFlow(
      "microsoft.com",
      ["email openid profile offline_access"],
      {
        'tenant': 'your tenant id',
        'clientId': 'your client id',
        'prompt': 'login'
      },
    );
Also see the Microsoft documentation where the "prompt" parameter is described in detail with all the supported values (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc).
Fixed
When you log out on Firebase you are only clearing the app's state, not the browser. One possible solution is to check if your provider offers a logout endpoint which you can call in your app during logout to invalidate the browser cookies. Microsoft is an example of a provider offering this.
The user data is attached with the provider session.
https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-openid-connect-code#send-a-sign-out-request
BEST SOLUTION:
    User? user =
        await firebaseAuthOAuth.openSignInFlow(provider, scopes, parameters);
Make sure parameters has a prompt key with an applicable value mentioned here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-the-sign-in-request
The only one I got to work to an acceptable criteria is:
    'prompt': 'select_account'
My provider, scopes, and parameters:
    'microsoft.com', ['email'], {'prompt': 'select_account'}

Actions on Google V2 idToken not sent

Looking at the docs for the appRequest for actions on google https://developers.google.com/actions/reference/rest/Shared.Types/AppRequest
The user object says that the userId property is now deprecated and that we should use the idToken instead https://developers.google.com/actions/reference/rest/Shared.Types/AppRequest#user
However testing out a V2 action in the simulator, my response only includes a userId property and not the idToken
I'm definitely using V2 of the API and this doesn't say it's an optional field when linking accounts (for what it's worth I haven't done any account linking).
Should this field be included?
That's not quite what that page says.
Yes, it says the userId property is deprecated - it does not show any replacement there. It was deprecated without a direct replacement, although you can create one yourself if needed.
It does not say the idToken replaces it, although you can get a unique ID from the idToken, it doesn't do so directly. It also doesn't give you the idToken unless you take some steps to enable it.
To use the idToken to get a user identifier, you need to do a few things:
1. Turn on Google Sign In for Assistant.
2. Request the user sign into your Action using Google Sign In for Assistant or have them sign in via other means (Google Sign In for the web or for mobile) to the same project.
3. When you get the idToken, verify and extract the JWT payload. If you're using the actions-on-google library, it will do this for you. If not, this is a standard JWT token which you should verify and the payload includes the ID.

Understanding Sign-in process in actions-on-google

I have a Google Assistant (Actions on Google) app where I want the user to log in. I use actions-on-google with DialogFlow which in turn has a webhook.
For a specific action where sign-in is required, in the webhook, I launch app.askForSignIn();
I have an intent called actions.intent.SIGN_IN which has an event called actions_intent_SIGN_IN. On this action, I check app.getSignInStatus() and I get null for this.
Am I missing something? Will Google Assistant / Actions on Google do something to extract and link the token and scopes from OAuth and associate it with the user?
I was able to make it work on my app but I'm not calling app.askForSignIn(), instead I've checked the option "Sign in required" on the DialogFlow integration with Google Assistant, then I provided all the information regarding client ID and secret and Authorization and Token URLs in the "Account linking" section of the App's overview on the Actions on Google console.
I basically followed this guide.
PS: To make it work on the console either you have to sign in from a smartphone or call the auth URL directly in a browser window.
Hi rochan, I had the same problem a while ago; see my post, it's still an open issue for me: Google Actions SDK Sign-In implicit flow
But it hadn't much priority for me. What you can try is using a Google Assistant enabled smartphone and test there instead of inside the simulator. Maybe it works.
You have to enable the "Sign in required" option in the Google Assistant integration settings in Dialogflow.
After enabling this, use the Account Linking option in the Actions on Google overview and follow the steps below.
We have to enable the webhook first, and we can see how to enable the webhook in the Dialogflow fulfillment docs.
Open your project in the Google Cloud console:
1. Go to Google Cloud console -> APIs and Services -> Credentials -> OAuth 2.0 client IDs -> Web client -> Note the client ID and client secret from there
   -> Download JSON - from the JSON note down the project id, auth_uri, token_uri
   -> Authorised Redirect URIs -> Whitelist our app's URL -> in this URL the fixed part is https://oauth-redirect.googleusercontent.com/r/ and append the project id to the URL
   -> Save the changes
Actions on Google -> Account linking setup
1. Grant type = Authorisation code
2. Client info
   1. Fill in client id, client secret, auth_uri, token_uri
   2. Enter the auth uri as https://www.googleapis.com/auth and token_uri as https://www.googleapis.co.in
   3. Save and run from Google Assistant on some device.
   4. It will show an error while running on the Google Assistant, but don't worry.
   5. Come back to the account linking section in the assistant settings and enter auth_uri as https://accounts.google.com/o/oauth2/auth and token_uri as https://accounts.google.com/o/oauth2/token
   6. Put the scopes as https://www.googleapis.com/auth/userinfo.profile and https://www.googleapis.com/auth/userinfo.email and we are good to go.
   7. Save the changes.
In the hosting server logs, we can see the access token value and through access token, we can get the details regarding the email address.
Append the access token to this link "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" and we can get the required details in the resulting json page.
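Additionally, to get the username and email address, you can use the snippet below:
    import requests
    accessToken = req.get("originalRequest").get("data").get("user").get("accessToken")
    # userinfo link from above with the access token appended
    link = "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" + accessToken
    r = requests.get(link)
    print("Email Id= " + r.json()["email"])
    print("Name= " + r.json()["name"])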

No signed JWT request to the token exchange endpoint (Google Streamlined Identity Flows)

I would like to implement the Streamlined Identity Flow based on this documentation:
https://developers.google.com/actions/identity/oauth2-assertion-flow
I created my server (Node.js + node-oauth2-server) and successfully tested with OAuth 2.0 Playground.
Authorization code flow implemented, account linking enabled.
According to the documentation: "When Google needs to access your service's resources, and the user is signed in to their Google Account, Google sends a signed JWT with information about the user to your token exchange endpoint.".
The expected request is:
    POST /token HTTP/1.1
    Host: oauth2.example.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&intent=ACTION&assertion=JWT&consent_code=CONSENT
The problem is that there is no such request, the token endpoint gets called with grant_type=authorization_code without any JWT information.
I tried the Google Account Linking Demo and the Action simulator, same results.
Why is the JWT grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer request missing? What should be changed in order to receive such requests?
I encountered the same problem. In my case, every time I validated the "Quick account linking" I had an error during the tests with the simulator. And as a result, the 'seamless account linking' was not engaged.
It was enough to fill in the field 'Link to Terms of Service' in App information for the simulator to start the test without error.
I then saw the screen described in the doc "Exchange JWT assertions for tokens", which allows you to select a Google account,
then Google sent to my OAuth2 server a request with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
and I saw the arrival of the famous JSON Web Token (JWT).
(For the test authentication, you have to use https://gala-demo.appspot.com/ with the name of the project with _dev).
In my case, now, seamless account linking works well.
I hope it can help.
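
Added example, not code from the posts above or from Google: a Node.js sketch of a token endpoint that tells the jwt-bearer request described in this thread apart from an authorization_code request and verifies the assertion the way the idToken answer earlier on this page advises (signature, issuer, audience, expiry). The key pair, `CLIENT_ID` and every function name are constructed for the example; a real endpoint verifies against the issuer's published public keys instead of a local key pair.

```javascript
const crypto = require('crypto');

// Constructed test material so the example runs offline (assumption: in
// production the verification key is the issuer's published public key).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const CLIENT_ID = 'example-client-id.apps.googleusercontent.com'; // placeholder value
const ISSUER = 'https://accounts.google.com';
const JWT_BEARER = 'urn:ietf:params:oauth:grant-type:jwt-bearer';

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Hypothetical helper: signs a constructed assertion for the demonstration.
function signJwt(payload, key = privateKey) {
  const input = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(payload)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url');
  return `${input}.${sig}`;
}

// Verify the signature first, then the claims; throws on any failure.
function verifyAssertion(jwt, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm; never let the token header choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (claims.aud !== CLIENT_ID) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// Token endpoint logic for an application/x-www-form-urlencoded body.
function handleTokenRequest(body) {
  const form = new URLSearchParams(body);
  if (form.get('grant_type') !== JWT_BEARER) {
    return { status: 400, error: 'unsupported_grant_type' };
  }
  try {
    const claims = verifyAssertion(form.get('assertion') || '');
    return { status: 200, intent: form.get('intent'), sub: claims.sub };
  } catch (e) {
    return { status: 400, error: 'invalid_grant', reason: e.message };
  }
}
```

The `sub` claim returned here is the stable user identifier to key the account lookup on; the `intent` value is passed through untouched because the page only shows it as `ACTION`.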