How to authenticate user with just a Google account on Actions on Google?

by

Update, 25 Oct 2018:

As of 13 September 2018, there is now a much simpler way to access the user’s account if your project uses Google Sign-In. Google Sign-In for Assistant will give you an ID Token with information about the user, including their Google ID, with their permission. This permission can be granted just using voice and is fairly streamlined.

You can combine this with a web- or app-based Google Sign-In to get their permission to access OAuth scopes if you need to access Google’s APIs.

Update, 25 Oct 2017:

As of around 4 Oct or 7 Oct, Google has updated their policy (again) to restore language restricting OAuth endpoints that are valid. The terms now include

When implementing account linking using OAuth, you must own your OAuth endpoint

and it appears (from the comments below) that they now check for the Google endpoints to prevent this method from working.

At this point, the only thing you can do is setup your own OAuth2 server.

Original Post:

Broadly speaking, the auth tasks you need to do are in four parts:

  1. Configure your project (in the cloud console) so that the Calendar API is enabled and that the OAuth2 client is correctly configured.
  2. Configure the Action for account linking in the action console.
  3. Configure the Actions on Google Integration for your API.AI Agent to indicate that sign-in is required.
  4. When API.AI calls your webhook to fulfill an Intent, it will include an auth token as part of the JSON. You can use this token to make calls to the Google APIs you need.

Configure Cloud Project

You need to configure your cloud project so that it has access to the Google APIs you need and setup the OAuth2 Client ID, Secret, and Redirect URI.

  1. Go to https://console.cloud.google.com/apis/dashboard and make sure you have the project you’re working with selected. Then make sure you have the APIs you need enabled.

  2. Select the “Credentials” menu on the left. You should see something like this:

Credentials screen

  1. Select “Create credentials” and then “OAuth client ID” Create credentials

  2. Select that this is for a “Web application” (it is… kinda…)

  3. Enter a name. In the screen shot below, I used “Action client” so I remember that this is actually for Actions on Google.

  4. In the “Authorized Redirect URIs” section, you need to include a URI of the form https://oauth-redirect.googleusercontent.com/r/your-project-id replacing the “your-project-id” part with… your project ID in the Cloud Console. At this point, the screen should look something like this:enter image description here

  5. Click the “Create” button and you’ll get a screen with your Client ID and Secret. You can get a copy of these now, but you can also get them later. enter image description here

  6. Click on “Ok” and you’ll be taken back to the “Credentials” screen with the new Client ID added. You can click the pencil icon if you ever need to get the ID and Secret again (or reset the secret if it has been compromised).

enter image description here

Configure the Action Console

Once we have OAuth setup for the project, we need to tell Actions that this is what we’ll be using to authenticate and authorize the user.

  1. Go to https://console.actions.google.com/ and select the project you’ll be working with.

  2. In the Overview, make your way through any configuration necessary until you can get to Step 4, “Account Linking”. This may require you to set names and icons – you can go back later if needed to correct these.

enter image description here

  1. Select the Grant Type of “Authorization Code” and click Next.

enter image description here

  1. In the Client Information section, enter the Client ID and Client Secret from when you created the credentials in the Cloud Console. (If you forget, go to the Cloud Console API Credentials section and click on the pencil.)

  2. For the Authorization URL, enter https://accounts.google.com/o/oauth2/v2/auth

  3. For the Token URL, enter https://www.googleapis.com/oauth2/v4/token

  4. Click Next

enter image description here

  1. You now configure your client for the scopes that you’re requesting. Unlike most other places you enter scopes – you need to have one per line. Then click Next.

enter image description here

  1. You need to enter testing instructions. Before you submit your Action, these instructions should contain a test account and password that the review team can use to evaluate it. But you can just put something there while you’re testing and then hit the Save button.

Configure API.AI

Over in API.AI, you need to indicate that the user needs to sign-in to use the Action.

  1. Go to https://console.api.ai/ and select the project you’re working with.

  2. Select “Integrations” and then “Actions on Google”. Turn it on if you haven’t already.

  3. Click the “Sign in required for welcome intent” checkbox.

enter image description here

Handle things in your webhook

After all that setup, handling things in your webhook is fairly straightforward! You can get an OAuth Access Token in one of two ways:

  • If you’re using the JavaScript library, calling app.getUser().authToken

  • If you’re looking at the JSON body, it is in originalRequest.data.user.accessToken

You’ll use this Access Token to make calls against Google’s API endpoints using methods defined elsewhere.

You don’t need a Refresh Token – the Assistant should hand you a valid Access Token unless the user has revoked access.

More Related Contents:

  1. Force google account chooser
  2. invalid_client in google oauth2
  3. Can a public IP address be used as Google OAuth redirect URI?
  4. Your Google Account is missing a delivery address. You can add an address, then come back and try again
  5. How do I authorise an app (web or installed) without user intervention?
  6. Refused to display in a frame because it set ‘X-Frame-Options’ to ‘SAMEORIGIN’
  7. 403 Error – Thats an error. Error: disallowed_useragent
  8. The signing fingerprint you specified is already used by another Android OAuth2 client
  9. Google Home Authorization Code and Authentication with Google Account
  10. Restrict Login Email with Google OAuth2.0 to Specific Domain Name
  11. Why do access tokens expire?
  12. Error: Could not load the default credentials (Firebase function to firestore)
  13. How can I verify a Google authentication API access token?
  14. How to correctly use Google Plus Sign In with multiple activities?
  15. How to specify the scope of Google API to get the birthday
  16. CORS issue with Google Oauth2 for server side webapps
  17. Google Calendar API v3 – authenticate with hardcoded credentials
  18. Sign in with Google temporarily disabled for this app
  19. How to use the Gmail API, OAuth2 for Apps Script, and Domain-Wide Delegation to set email signatures for users in a G Suite domain
  20. Google OAuth using domain wide delegation and service account
  21. How to use Google Login API with Cordova/Phonegap
  22. Can we access GMAIL API using Service Account?
  23. How to change Google consent screen email?
  24. Why is Google Calendar API (oauth2) responding with ‘Insufficient Permission’?
  25. Google Apps Marketplace SDK + Domain-wide OAuth 2 SSO
  26. How to bypass entering authentication code to authorize my code everytime I use the YouTube Data API v3
  27. Validate Google Id Token
  28. Google API OAuth2, Service Account, “error” : “invalid_grant”
  29. How do I save and retrieve information across invocations of my agent in Dialogflow?
  30. Access to fetch at https://accounts.google.com/o/oauth2/v2/auth has been blocked by CORS

Leave a Comment