In the docs, the sign in functionality looks like this:
app.intent('Default Welcome Intent', conv => {
conv.ask(new SignIn('To get your account details'))
})
However, I can't find how to force logout a user who just signed in. Anyone help me please? Thanks.
"Logging out" of an account linked with Google Sign In is tricky, particularly if you're using voice matching as well, since the account sent to the Action is the same account as the one you setup the Assistant device with.
You can go to https://myaccount.google.com/permissions and remove permission from the app/Action/project. Once you do this, the Action will no longer get your user information. (This isn't Action specific - it is a core component of Google Sign In across all platforms.)
The other alternative you have is to reset your Assistant device and set it up with a new account. Then when you go to the Action with this reset device, the account won't be linked.
A explicit sign-out function does not seem to be available. However, this can be a good design decision as the user should be logged in to a particular service "as long as possibly allowed". Therefore, when releasing your apps to production, consider looking at the validity of the access_token and refresh_token on your authorisation server to control the "login period".
Related
I need to implement a standard user registration/activation workflow with Firebase. There doesn't seem to be an obvious way to implement this. When I say "standard", I mean how most email/password accounts work - not necessarily specific to Firebase. I'm sure you're familiar with this. This is the workflow:
User enters their username/password on a form with some validation and submits details
The back-end creates the user record in the database, but the account remains deactivated (i.e. user cannot authenticate - the activated flag is set to false)
The back-end sends an email to the user with a link to activate the account
The user clicks the link in their email which triggers activation. This is probably a Web API of some description.
At this point, the user record's activated flag ticks over to true, and the user can now authenticate
The link probably also has a deep link that opens the app or navigates to a web page
The user can now log into the app
How do I configure Firebase to do all this?
Currently, the app allows the user to register. I am using the Flutterfire SDK. I call createUserWithEmailAndPassword, which successfully creates the user in Firebase. But, the user is already activated. The user should have a state of "disabled" in firebase until the account becomes activated. I can't find any settings to default the user to disabled when the account is first created.
I also managed to get Firebase to send out an activation email by calling sendSignInLinkToEmail, but this call is really designed for email authentication - not email activation. Opening the link should activate the account, but I have not figured out how to do this. This documentation makes it sound like it is possible. Perhaps, the Flutterfire SDK is missing this? I don't want to allow people to log in without a password. I only want to use this call to send out an email.
What am I missing here? Is this non-standard behavior for Firebase? If so, why? If the user is allowed to use an app with an email address that is not activated, they can impersonate someone else. We need to confirm at least that they are custodians of the email address that they are claiming to have.
Do other Firebase people just not worry about this?
Lastly, I know I can achieve this by creating a collection for users in Firebase and putting an "activated" flag there. But, if I do that, I've got to write a cloud function that accepts the link and then updates the user in the collection based on the received link. But I thought this would be automatic in Firebase. If Firebase doesn't have this built-in, I have to put all the security over the top to stop users from authenticating when they have not yet activated their account.
This is a pretty valid concern. I suppose the way around this is to check whether the signed-in user is verified whenever the app is launched. The User object that is returned from Firebase Auth has an emailVerified flag. Check this page for more details.
Using this flag you can choose to show a different screen or pop-up that has a button to send a verification link to the registered email address. Until the user verifies this address, you can limit access to some of the app's screens if you want.
Please note that I have not checked if this emailVerified flag is true for sign ups using Federated login providers like Google Sign-in and Apple Sign In. You might want to check that out.
My test invocation name is "Mrs Tang", so i input "Talk to Mrs Tang", but it responds "Sorry, this action is not available in simulation"...
Does anybody know How can I resolve this error?
According to the doc:
Turn on the Web & App Activity, Device Information, and Voice & Audio
Activity permissions on the Activity controls page for your Google
account. You need to do this to use the Actions Simulator, which lets
you test your actions on the web without a hardware device.
And I had do what Jeremy Gordon suggested. To add a second google account in the GCP IAM console with a viewer action permission and then login with this second google account in an incognito window for the web simulator to work.
I had a related problem (I could test with my main developer account, but not my test credentials). I eventually got it working with the non-primary account.
The missing link for me was that when I was viewing the simulator, I was actually signed in to two accounts, my primary google account (developer account, shows up in the main frame of the page, upper right corner), and the account I authorized when 'starting' the simulator (email address shows up in the simulator frame), which was my test credentials. The second test account repeatedly gave me the "Sorry, this action is not supported in simulation" message, until I:
1) Added the test account as a Conversation API Viewer & Client in GCP IAM console
2) Visited the 'create link' (the one that comes up when you click share) in an incognito window, and signed into the secondary account there such that I was signed into only one account in that incognito window.
After that, invocations connected to the app.
Make sure you are logged into the same account you used to deploy the test action and that the deployment has been done within the past half hour or so. If you have not set all the information on the Actions on Google Console, you may need to use the invocation phrase "Talk to my test app".
I think sometimes I run into the same error. I get past it by toggling the Active switch off and on.
Same problem I encountered. You must be logged in via the secondary google account. Do logout from the account and login via the account that is paired with api.ai.
why I can't use google action in web simulator
I got this to work by saying "talk to my test app" or typing it in to the simulator prompt, that triggered my app to start in the simulator.
I had the same problem. I needed to set the location first (it defaults to Google-Headquaters), if you are in some other region (like in germany as i am).
Then go on with "Mit meiner Test-App sprechen" (Talk to my test app), or whatever it is in your language!
I did not get this message on my invocation, but on my my second input:"Sorry, this action is not available for your app.".
It turns out the simulator had left the conversation right after the invocation (and it did mention that in the small print).
This happened because I returned a FinalResponse for the invocation. And a final response is pretty final, it will terminate your conversation.
So, after a FinalResponse you can only get back in your action/conversation by a new invocation or a deep link. If you want to suggest questions/inputs, then you should return ExpectedInputs.
You might need to turn on Web & App Activity to let group members use some Google Assistant features.(if you are using organizational account)
https://support.google.com/assistant/answer/7219584?hl=en
If you are using any organization's Google Accounts then there might be an access issue. So use your own personal Gmail account.
Take a look here, organization's might not be given you access. So use your personal Gmail and follow the Docs, you will able to create your agent/ actions and able to test it with simulator as well as in android device.
At time of testing the Google Action you need to set the location to the country which you selected while developing or submitting your Google Action.
By default US is selected in testing but if your action is for one particular country only then you need to select that. You can see in image the field where you can select location
Google Smart Lock on a website
I just visited Pinterest and it has a cool feature. Somehow when I visit the site Chrome can "see" that I have an account. And instead of passively waiting it informs me pro-actively: you do have an account here: would you like to login with 1 click? yes/No
https://support.google.com/accounts/answer/6160273?hl=en
Question: I see a lot of json code examples for apps. But how can we proactively add this to a website that a user has a stored uname/passwd for?
thanks, Sean
Here's an article describing how to add Smart Lock sign-in to your website: https://developers.google.com/web/updates/2016/04/credential-management-api
Basically, add a bit of code to the (https) website like this (you can try it in the JavaScript console:
navigator.credentials.get({
password: true, // `true` to obtain password credentials
}).then(function(cred) {
// continuation which submits the credential and signs the user in
...
Here is a complete sample website: https://credential-management-sample.appspot.com/
Once the user has used this credential or you have saved it with navigator.credentials.store(), then in the future, it can retrieved automatically (without a user click).
For more information about this, check out this talk from Google I/O (details on the credential management API start at about 8 minutes).
So there are definitely many tutorials out there regarding how to integrate various individual social network authentication/registration into existing user accounts. But the scenario I can't seem to find out much information about is if a user signs into your account with different social network credentials. For example:
Scenario #1
User registers on site using site's authentication.
User then signs in/registers on site using Facebook Connect.
User then signs in/registers on site using Twitter.
How do I integrate all of these into one account?
Obviously once a user is registered, they can add other social network associations in the account settings pages. But I am more concerned if they register via the other social network not remembering they are already setup.
My general thoughts are trying to figure out a way to use the "username" or email to try and guess and present the user a way to combine accounts right there.
Anyone have any thoughts?
following up -
if your users can't remember that they've signed up previously, well, best of luck to them in general ;)
much as you described, i'm planning on giving users the option to link additional accounts once they have signed in by one means or another.
but as far as cross-checking, there's only so much you can do. many social network APIs do indeed provide email addresses (once you've busted in through OAuth) but these may be accessible only if a user has elected to make his/her address public, which is not guaranteed.
also not guaranteed is that the user used the SAME email address for each social network account, so even if you manage to retrieve an address it may or not be of any use to you.
finally, if you find matching email addresses via such means, it might be advisable to prompt the user to link accounts rather than assume he/she wants this done automatically. some people like to maintain multiple personalities. i.e. "it looks like you are also signed up with twitter - do you want to link your accounts? it will make your life seem worth living."
you might consider offering incentives to link user accounts or to provide an email address (up to you of course to figure out what these might be, based on the functionality of your website).
solution i am working on, database-side, is to maintain multiple accounts and then if link information is discovered by various means, said link is indicated in a lookup table.
an alternative is once you find a link, attempt to combine all relevant entries for the multiple accounts into one account entity - all i can say about this latter approach is that i would do so with caution as there could be a formidable level of complexity depending on the user's activity level and the complexity of your database schema.
in my (mental/actual) namespace a user who registers the old-fashioned way has a 'standard' account and one who uses a social network has an 'alias' account. then the goal becomes to define where the alias is supposed to point, i.e. create the lookup such that a subsequent login via either means retrieves the relevant information for both accounts (with a preference for displaying personal data for the 'standard' account).
btw i figured out how to make twitter OAuth behave since my last post - you can look at my other answers for details if you're interested.
JB
hi matt,
i'm working on the same problem right
now.
assuming the user starts with regular
site account (which is not
necessarily safe to assume if he sees
all the pretty "connect with XXX
network" buttons!!!), you can use
either OAuth or the javascript APIs
(facebookConnect or #anywhere -
haven't fully figured out the latter
yet and i'm not sure I recommend it as
I don't think it provides as rich an
API as do the backend libraries) to
login to the other sites.
the APIs should return certain
information after a successful
login/redirect from the social network
- such as the user ID and an ACCESS TOKEN which you can then store in your
database in some capacity associating
your 'actual' application user with
the ID of the social network.
when the user returns to the site, you
can then
1 verify cookies set by the social
network services (various schemes
typically verifying a signature, based
on sha1 or md5 hash of your
application data - by which i mean the
data you get when you register your
app with twitter/facebook, typically a
consumer key, application ID, etc. -
with the received cookies) so you know
the user has logged in with the social
network
2 find your database entry association
as described above
3 login your user manually based on
the assumption that facebook/twitter
connection is secure.
caveat: this is only as secure as your
implementation (or as secure as
facebook/twitter's implementations, if
you prefer...)
although twitter's OAuth does not
currently seem to work quite right,
their general description of the
process is pretty informative:
http://dev.twitter.com/pages/auth
good luck.
J
I have been contemplating adding FB auth to our app, but we know that our returning users might click it and complete checkout for a new item, and then be surprised to not see any of their existing orders. To solve this, when a user clicks the 'Login with Facebook' item, we are using that click to fire a dropdown menu with two options:
[ Login with Facebook ]
[ Create new account ]
[ I have an account ]
If the user clicks 'I have an account' we send them to FB auth and return email from FB to our app. We compare that email to our existing users. If we match, we add the FB creds to the user. If no match, we throw an alert:
The email you have with FB does not match any of our accounts. To log in to your existing account, login with your email below, or update the email in your Facebook account
This allows the user to create a whole new account, if they want to keep them separate, without needing a new email service. While this is an edge case, it is a feature.
When testing my app in the Simulator using a Speaker (e.g. Google Home), it always says "'MyApp' left the conversation" after successfully linking. Here is an example:
User signs up via the web site that I created for MyApp (i.e. they have an account associated with their Google email account).
User then tries to use MyApp using Google Home by saying "Talk to MyApp". They are greeted with this message:
Before you can use MyApp, you'll need to be signed in with them. To do
that, they'll need some of your info. If you want more details, say
"Tell me more. " So, can I share your name, email address, and profile
picture with them?
User says, "yes" and their account is linked.
Google Assistant responds with "Great, they found your account, and they've linked it to Google." That is followed by the line, "'MyApp' left the conversation."
Because MyApp left the conversation in step 4, the user has to say, "Talk to MyApp" once more in order to actually start using the app.
So my question is, is there a way that I can link the account and not have MyApp leave the conversation automatically? When my TokenUrl responds back to Google in order to link the account, it can just send token_type, access_token, and expires_in according to the documenation. There doesn't seem to be any other mechanism to tell it to not end the conversation but this seems like something that should be supported.
Any ideas? Thanks.
EDIT#1 to further explain setup
I have tried to create an Intent in the Dialogflow console and put "actions_intent_SIGN_IN" (from https://developers.google.com/actions/reference/rest/intents) and set it to be fulfilled by my webhook but this never fires.
In the Dialogflow console > Integration Settings, under "Explicit Invocation" I have "Welcome" (a.k.a. my Welcome intent that hands the WELCOME and GOOGLE ASSISTANT WELCOME Events. The Sign in required checkbox is checked next to this.
This is a problem with your Action, not with your OAuth server. It sounds like your Action isn't handling the Intent that reports the sign-in is a success or a request that contains the user's auth token.
Check your logs, including the logs for your webhook, to make sure there are no errors in that stage.