实施帐户链接 - 查询
[英]Implementing Account Linking - queries
问题描述
I've asked a Google Dev Advocate for help as I'm struggling to implement Account Linking on my Google Actions app, he sent me a link to a documentation article I already had read and suggested I also consult Stackoverflow. 
我已经向Google Dev Advocate寻求帮助,因为我正在努力在我的Google Actions应用上实施帐户关联,他向我发送了一篇文档链接,该文章已经阅读并建议我也咨询Stackoverflow。 Having already done the second suggestion too and having struggled to find the exact answers to my questions, I've deiced to link to the doc article here, add all my queries and send this back to the Dev Advocate in the hope to get more clarification, especially as a reminder that Documentation could be read by complete newbies on the topic and that nothing should be given for granted. 我已经完成了第二个建议,并努力找到我的问题的确切答案,我已经在这里链接到doc文章,添加我的所有查询并将其发送回Dev Advocate,希望得到更多的澄清特别是提醒一下,关于该主题的完整新手可以阅读文档,并且不应该给予任何理由。
This is the article I am referring to https://developers.google.com/actions/identity/account-linking 这篇文章我指的是https://developers.google.com/actions/identity/account-linking
My queries below: 我的疑问如下:
- What is the difference between implicit and authorization code flow. 隐式代码流和授权代码流之间有什么区别。 In the article "Authorization code" is chosen, why? 在文章“授权代码”中选择,为什么?
- Although I have found on Stackoverflow where to get your Client ID and secret, don't you think it would be good to add a link in the article? 虽然我在Stackoverflow上找到了获取客户端ID和密码的地方,但您认为在文章中添加链接不是很好吗?
- Authorization URL - this is something instead I haven't found a clear guide for. 授权网址 - 这是我没有找到明确的指南。 Some Stackoverflow tickets report 2 Google OAUth URLs can be used (For the Authorization URL, enter https://accounts.google.com/o/oauth2/v2/auth For the Token URL, enter https://www.googleapis.com/oauth2/v4/token ), but a recent change to google policy suggests 一些Stackoverflow票据报告可以使用2个Google OAUth URL(对于授权URL,请输入https://accounts.google.com/o/oauth2/v2/auth。对于令牌URL,请输入https://www.googleapis.com / oauth2 / v4 / token ),但最近谷歌政策的一项变化表明
When implementing account linking using OAuth, you must own your OAuth endpoint
So I'm now extremely confused at what I should put in the Aiuthorization URL and Token URL - why isn't this documented in a more basic and clear way? 所以我现在对于应该放在Aiuthorization URL和Token URL中的内容非常困惑 - 为什么不以更基本和清晰的方式记录这些内容? I've also read it needs to be served over HTTPS, what if you're working on local and on a pet project which isn't commercial and you won't be able to pay for HTTPS? 我还读过它需要通过HTTPS提供服务,如果您正在本地和宠物项目上工作,这不是商业性的,您将无法支付HTTPS费用?
- What is Seamless Account Linking and why isn't this explained and documented? 什么是无缝帐户链接,为什么不解释和记录?
If your app supports seamless account linking
- Where should we whitelist this? 我们应该在哪里列入白名单?
Whitelist the following redirect URI: https://oauth-redirect.googleusercontent.com/r/
- What are your OAuth 2.0 client configuration details? 您的OAuth 2.0客户端配置详细信息是什么? Where can they be found? 他们在哪里可以找到?
In the expanded OAuth 2.0 form, fill out the fields with your OAuth 2.0 client configuration.
- I don't see the Discovery tab on my Oneplus 3T Google App, where else can I find it? 我没有在Oneplus 3T Google App上看到Discovery选项卡,我还能在哪里找到它?
Open the Google app and go to the Discover tab.
- This is where I get stuck - as many other people on Stackoverflow I get "The account is not linked yet" error. 这就是我被卡住的地方 - 就像Stackoverflow上的许多其他人我得到的“该帐户尚未链接”错误。 Maybe resolving the issues above will resolve the Account Linking error? 也许解决上述问题将解决帐户链接错误?
Invoke your app.
In addition to those questions, I also have the following: 除了这些问题,我还有以下内容:
- I would like to get access to the user calendar and user basic info so I've added profile, email and https://www.googleapis.com/auth/calendar could you confirm these are correct? 我想访问用户日历和用户基本信息,所以我添加了个人资料,电子邮件和https://www.googleapis.com/auth/calendar你能确认这些是正确的吗?
Thanks and please remember documentation should be for everyone! 谢谢,请记住文档应该适合每个人!
1 个解决方案
解决方案1
26 2017-11-08 18:47:37
Documentation is for all developers. 文档适用于所有开发人员。 However, keep in mind that some of the tasks might require you , as a developer, to learn more than you currently know. 但是,请记住,作为开发人员,某些任务可能要求您学习比目前更多的知识。 Coming to SO is one of the ways to do that, but there are many other avenues that supplement that. 来到SO是实现这一目标的方法之一,但还有许多其他途径可以补充这一点。
Good original documentation does, however, help. 然而,良好的原始文档确实有帮助。 Google's docs are currently just bad - they used to be terrible. 谷歌的文档目前还不错 - 它们曾经很糟糕。
Update - Before we begin, let me answer a question you suggest, but don't actually ask. 更新 - 在我们开始之前,让我回答您建议的问题,但实际上并没有问。
Why do I need an OAuth server at all?
First of all - you don't. 首先 - 你没有。
Think of your service like a website and the Assistant as a browser. 将您的服务视为网站,将智能视为浏览器。 For lots of websites, they don't need to know who the user is in order to use the website. 对于许多网站,他们不需要知道用户是谁以使用该网站。 There are lots of things the website can do without a user account at all. 没有用户帐户,网站可以做很多事情。
In some cases, it is useful to know that the user visiting your website has visited you before. 在某些情况下,了解访问您网站的用户之前访问过您是很有用的。 Frequently, you'll use a cookie to do track users like this. 通常,您将使用cookie来跟踪这样的用户。
The Assistant has an equivalent to this, although it is slightly different. 助手与此相当,虽然略有不同。 The Assistant sends an anonymous UserID with each message to you. 智能助理会向您发送匿名用户ID以及每条消息。 This UserID is only for this user and for your Action - it isn't re-used for any other Action or any other user. 此UserID仅适用于此用户和您的操作 - 它不会重复用于任何其他操作或任何其他用户。 So if you track it, you'll know when the user returns. 因此,如果您跟踪它,您将知道用户何时返回。 Like cookies, users can reset or clear it, but for the most part, this is durable. 像cookie一样,用户可以重置或清除它,但在大多数情况下,这是持久的。
But sometimes, you might need a person to log in to an account on your website. 但有时,您可能需要一个人登录您网站上的帐户。 This is what the OAuth server is meant to accomplish - give users a way to log into your Action. 这就是OAuth服务器要实现的目标 - 为用户提供登录Action的方法。 OAuth is a pretty standard way to let people log into services these days, although the intent is really to authorize a client to act on your behalf. OAuth是让人们最近登录服务的一种非常标准的方式,尽管其目的是授权客户代表您行事。
The latter is really what OAuth is doing in this case - your user is authorizing the Assistant to act on the user's behalf when talking to your Action. 后者实际上是OAuth在这种情况下正在做的事情 - 您的用户授权助理在与您的操作交谈时代表用户行事。
( Update - There are now ways to avoid having to setup an OAuth server at all in some circumstances. See the update at the bottom of this answer.) ( 更新 - 现在有办法避免在某些情况下完全设置OAuth服务器。请参阅本答复底部的更新。)
Now back to your questions 现在回到你的问题
But... let's go over your questions. 但是......让我们回答你的问题。
What is the difference between implicit and authorization code flow.
These are two terms that are more carefully defined by the OAuth2 standard, but in short - both of them let a client (a remote server from yours - the Assistant in this case) to get a user to give certain rights on your server. 这两个术语由OAuth2标准更加谨慎地定义,但简而言之 - 它们都让客户端(远程服务器 - 在这种情况下是助手)让用户在您的服务器上提供某些权限。
The Implicit flow is simpler, both in what you need to setup and what the two servers exchange, but assume that once you issue a token, it is indefinitely valid. Implicit流程更简单,包括您需要设置的内容和两个服务器交换的内容,但假设一旦您发出令牌,它就无限期有效。 This brings with it a slightly higher risk that someone can get this token and use it to impersonate the Assistant. 这带来了一个稍高的风险,有人可以获得此令牌并使用它来模拟助理。
The Auth Code flow is more complex (although not a lot) and addresses the risks in several ways. Auth Code流程更复杂(尽管不是很多),并以多种方式解决风险。 One way is that some transactions are done server-to-server instead of including the client, and that those transactions include a shared secret. 一种方法是某些事务是服务器到服务器完成的,而不是包括客户端,并且这些事务包括共享密钥。 Another way is that the auth token has a limited lifetime, and therefore a limited window of exposure, but that there is a refresh token which can be used to get a new auth token. 另一种方式是,身份验证令牌的生命周期有限,因此曝光窗口有限,但有一个刷新令牌可用于获取新的身份验证令牌。
In the article "Authorization code" is chosen, why?
Most likely because it is more secure for a minimal level of extra work. 最有可能的原因是它对于最低水平的额外工作更安全。 Most of the security issues it addresses, however, are most visible in more open environments such as browser and mobile - they're not as big a risk with the Assistant. 然而,它所解决的大多数安全问题在更加开放的环境中最为明显,例如浏览器和移动设备 - 它们在助手方面的风险并不大。 However, for places that need to setup an auth server, going with the more secure route has benefits in other areas. 但是,对于需要设置auth服务器的地方,使用更安全的路由在其他方面也有好处。
Most Google APIs use the Auth Code flow or variants of it. 大多数Google API使用Auth Code流程或其变体。 (Although most use it from the client side - not the server side. Which is what Account Linking for Actions requires.) (虽然大多数使用它来自客户端 - 而不是服务器端。这是行动的帐户链接所需要的。)
Although I have found on Stackoverflow where to get your Client ID and secret, don't you think it would be good to add a link in the article?
Well... except that SO answer is no longer valid. 嗯...除了SO答案不再有效。 (And, apparently, was never intended to be valid.) As you noted in your next question, Google has clarified their policy that requires you own the OAuth endpoints you use for an Action. (并且,显然,从来没有打算有效。)正如您在下一个问题中提到的那样,Google已经明确了他们的政策,要求您拥有用于操作的OAuth端点。 They have, furthermore, made technical changes that prevent you from using Google's endpoints. 此外,他们还进行了技术更改,阻止您使用Google的终端。 (And I've updated the answer to say so.) (我已经更新了答案,这样说。)
While the "Configure cloud project" part is correct, and describes how you setup credentials to be used with the Calendar API, you cannot use Google's OAuth endpoints to do the auth for your own project. 虽然“配置云项目”部分是正确的,并且描述了如何设置要与Calendar API一起使用的凭据,但您无法使用Google的OAuth端点为您自己的项目执行身份验证。
So I'm now extremely confused at what I should put in the Authorization URL and Token URL - why isn't this documented in a more basic and clear way?
Because this is a point where they're making an assumption that isn't very clear in the documentation. 因为这是他们在文档中做出不太清楚的假设的一点。 It is suggested where they say " Step 1. Configure your server " that you have an OAuth server. 建议您在“ 步骤1.配置服务器 ”中说明您拥有OAuth服务器。 If you have an OAuth server already, then you should know what your server's Authorization and Token URLs are. 如果您已经有OAuth服务器,那么您应该知道服务器的授权和令牌URL是什么。
If you don't, however, this does get further explained where they talk about determining what the endpoints will be for an OAuth service you're creating . 但是,如果不这样做,则可以进一步说明确定 您正在创建的OAuth服务的端点的位置 。
I've also read it needs to be served over HTTPS, what if you're working on local and on a pet project which isn't commercial and you won't be able to pay for HTTPS?
Yes, it has to be HTTPS. 是的,它必须是HTTPS。 This is a requirement of OAuth, and good practice when you're sending tokens that can be used to do things authorized by a user. 这是OAuth的要求,也是您发送可用于执行用户授权的令牌的良好做法。 It sounds like you want to be able to issue API calls to a Google server, and if those tokens got out (or tokens that could be used to access the same resources), then your Google Account could be compromised. 听起来您希望能够向Google服务器发出API调用,如果这些令牌已经退出(或者可能用于访问相同资源的令牌),那么您的Google帐户可能会遭到入侵。
You have a lot of options here for your local or pet project development. 您可以在这里为本地或宠物项目开发提供很多选择。 Just to list a few: 仅举几个:
You can use Firebase Functions.
您可以使用Firebase功能。 For projects on a "pet" level, they're free. 对于“宠物”级别的项目,他们是免费的。 (And if your Action gets a little popular, Google Assistant will give you credits that should pay for a modest level of use.) (如果你的行动有点受欢迎,Google智能助理会为你提供应该支付适度使用费用的积分。) You can get SSL certificates for your server for free using Let's Encrypt .
您可以使用Let's Encrypt免费获取服务器的SSL证书。 Since your server has to have a public address, you can create a tunnel using ngrok , which also provides a public HTTPS address you can use.
由于您的服务器必须具有公共地址,因此您可以使用ngrok创建隧道,该隧道还提供您可以使用的公共HTTPS地址。 This probably isn't good once your project gets out of the "personal testing" stage, but is a good tool to start with. 一旦您的项目退出“个人测试”阶段,这可能并不好,但这是一个很好的工具。
There are other approaches, of course, but these are a few good tools that you can use depending on your needs. 当然还有其他方法,但这些是您可以根据需要使用的一些好工具。
What is Seamless Account Linking and why isn't this explained and documented?
It is. 它是。 Except in the documentation they confuse things by also calling it "Streamlined Identity Flow". 除了文档之外,他们还将其称为“简化身份流”。
On the Account Linking Overview page it says "For more information, see Streamlined Identity Flows about how to configure your OAuth server to support the seamless identity experiences on the Google Assistant." 在“ 帐户关联概述”页面上,它显示“有关详细信息,请参阅简化的标识流,了解如何配置OAuth服务器以支持Google智能助理上的无缝身份体验。”
This takes you to a page talking about how this flow builds on top of the other two identity flows and has some additional requirements, but should make the user's experience better. 这将带您进入一个页面,讨论此流如何构建在其他两个身份流之上,并有一些额外的要求,但应该让用户的体验更好。
However... don't worry so much about this. 但是......不要太担心这个。 If you're just doing this for fun, the normal identity flows aren't that much of a burden. 如果你只是为了好玩而这样做,那么正常的身份流并不是那么大的负担。 If you're doing this for a commercial product - get the normal flows working first. 如果您正在为商业产品执行此操作 - 首先使正常流程正常工作。
Where should we whitelist this?
This is one of the underlying concepts of OAuth - as part of the communication between the client server and your server, it will say to redirect to a particular URL when you're done authenticating the user and getting their permission to issue a token. 这是OAuth的基本概念之一 - 作为客户端服务器与服务器之间通信的一部分,当您完成对用户的身份验证并获得发布令牌的权限时,它会说重定向到特定的URL。
The OAuth spec requires you to compare that redirect URL to a URL that has already been setup for that client. OAuth规范要求您将该重定向URL与已为该客户端设置的URL进行比较。 It does not specify how you set that up. 它没有指定你如何设置它。 So Google is saying "When you setup the OAuth server for our client - here is the URL that we will ask you to redirect to." 所以谷歌说“当你为我们的客户设置OAuth服务器时 - 这是我们要求你重定向到的URL。”
Google can't answer where to whitelist this except "in your OAuth server". 除了“在您的OAuth服务器中”之外,Google无法回答将此列入白名单的位置。 Most OAuth servers have a way to configure multiple clients, and this is one of the values you'll set for that client. 大多数OAuth服务器都有一种配置多个客户端的方法,这是您为该客户端设置的值之一。 (The ClientID and ClientSecret are other values, but Google lets you determine these values and tell it as part of the configuration for Account Linking in the Action Console. Which is your next question.) (ClientID和ClientSecret是其他值,但Google允许您确定这些值并将其作为操作控制台中帐户链接配置的一部分。这是您的下一个问题。)
What are your OAuth 2.0 client configuration details?
Again, this depends on your OAuth server and your requirements for what you want to prompt the user when they try to login to your server. 同样,这取决于您的 OAuth 服务器和您想要当他们尝试登录到你的服务器,以提示用户有什么需求上。 The ClientID and ClientSecret are two such parameters. ClientID和ClientSecret是两个这样的参数。 The OAuth scopes that the Assistant should request access to are other parameters. “助理”应请求访问的OAuth范围是其他参数。 But these are up to you - because it is your server they are trying to get access to. 但这取决于您 - 因为它是您尝试访问的服务器。
I don't see the Discovery tab on my Oneplus 3T Google App, where else can I find it?
That documentation looks incorrect. 该文档看起来不正确。 I think that should say that you should open the Google Home app on your mobile device. 我认为应该说您应该在移动设备上打开Google Home应用。
It is also possible that it does mean the Google app, in which case your phone may not support the Google Assistant as part of the Google app. 它也可能意味着谷歌应用程序,在这种情况下,您的手机可能不支持Google智能助理作为谷歌应用程序的一部分。 You can download the Google Assistant separately , if necessary. 如有必要,您可以单独下载Google智能助理 。
However - use the simulator to test initially. 但是 - 最初使用模拟器进行测试。 Although it requires a few manual steps, they are easy to follow and help you trace things. 虽然它需要一些手动步骤,但它们易于遵循并帮助您跟踪事物。
This is where I get stuck - as many other people on Stackoverflow I get "The account is not linked yet" error.
Well, your account isn't linked yet. 好吧,您的帐户尚未关联。 {: {:
It sounds like you haven't set an auth server for your Action. 听起来你还没有为你的Action设置一个auth服务器。 Until you get an auth server working, the rest isn't going to work. 在你让auth服务器工作之前,其余部分都不会起作用。
I would like to get access to the user calendar and user basic info so I've added profile, email and https://www.googleapis.com/auth/calendar could you confirm these are correct?
First of all, keep in mind that this whole process is to link the user's Assistant account to their account on your service. 首先,请记住,整个过程是将用户的智能助理帐户与您服务上的帐户相关联。 You may have information in their account (on your service) that you use to do things - such as access Google resources or access other things that you know about them. 您可能在其帐户(在您的服务中)中拥有用于执行操作的信息,例如访问Google资源或访问您了解的有关它们的其他信息。
This is not directly a way that you gain access to the Google account that they're using to talk to the Assistant. 这并非直接导致您访问他们用于与智能助理对话的Google帐户。
In order to get a user's permission to access their resources on Google's servers, you'll need to get them to authorize your server permission to access that. 要获得用户在Google服务器上访问其资源的权限,您需要让他们授权您的服务器访问该服务器 。 That is done using OAuth, again, but this time you're the client . 这是使用OAuth再次完成的,但这次你是客户端 。 User's will need to go to your server, you'll redirect them to Google's server to authorize you, and they'll be redirected back to your server with codes that you will need to store. 用户需要转到您的服务器,您将其重定向到Google的服务器以授权您,并且他们将被重定向回您的服务器,其中包含您需要存储的代码。 This is all done outside of the Assistant and it's Account Linking system. 这一切都在智能助理及其账户链接系统之外完成。
That said, for what you want, profile and email are fairly normal scopes to request. 也就是说,根据您的需要, profile和email是相当正常的请求范围。 The Calendar API Documentation confirms that the https://www.googleapis.com/auth/calendar scope is what you need to access that API. Calendar API文档确认https://www.googleapis.com/auth/calendar范围是您访问该API所需的范围。 (Keep in mind that this URL is not one that you'd use in a browser or that you'd go to to access anything - it is a uniquely identifying name only.) (请记住,此URL不是您在浏览器中使用的URL,或者您要访问任何内容的URL - 它只是唯一标识的名称。)
Update to reflect API Changes. 更新以反映API更改。 Since this answer was originally written, Google has introduced Google Sign In for Assistant , which lets you avoid having to setup your own OAuth server when you are willing to tie operations to the same Google account they use on the Assistant. 由于此答案最初是针对性的,因此Google推出了Google Sign In for Assistant ,当您愿意将操作绑定到他们在智能助理上使用的相同Google帐户时,您可以避免设置自己的OAuth服务器。 If the user permits, you can get simple user profile information this way, and you can then leverage this to get access to other APIs (again, with the user's permission). 如果用户允许,您可以通过这种方式获取简单的用户配置文件信息,然后您可以利用它来访问其他API(再次,在用户的许可下)。 See this SO answer that discusses how to use this to access Google's other APIs. 请参阅此SO答案 ,讨论如何使用它来访问Google的其他API。
Thanks and please remember documentation should be for everyone!
From my conversation with Google's Assistant team, they are looking to make documentation easier, and hopefully they will take many of your suggestions to heart. 从我与谷歌的助理团队谈话,他们正在寻找使文件更容易,希望他们会采取很多您的建议对心脏。 I hope these clarifications have helped you (and anyone else who gets here with similar problems.) 我希望这些澄清能帮助你(以及其他遇到类似问题的人)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.