Google 隐式帐户链接上的操作在模拟器/浏览器中有效，但在设备上无效（通过 Google Home 应用）

Question

I've implemented the implicit flow for Actions on Google account linking, and am using Dialogflow (previously API.AI) to define intents.

The full flow works in the device simulator (from AOG). The first intent gets a "It looks like your account isn't linked yet..." response, and the debug pane includes a URL to initiate linking:

https://assistant.google.com/services/auth/handoffs/auth/start?account_name=[account]@gmail.com&provider=[project_id]_dev&scopes=email&return_url=https://www.google.com/

If I follow this URI in a cache-less window:

1. I'm redirected to my app's authentication page
2. I choose to sign in with my Google account (same as [account] above)
3. I'm redirected to google.com with a success message in the URI bar
4. The simulator now accepts actions via my app and responds correctly

However, if I follow the same flow using a physical Google Home & the gH app for Android.

1. Device tells me account not yet linked
2. Open Google home and follow 'Link to [my app]' link
3. Browser opens to authentication page
4. Sign in as user
5. Redirected to a white page with a single link "Return to app", which has an href: about:invalid@zClosurez

Linking was unsuccessful, so additional attempts to run intents on the Google Home get the same "Account not yet linked" response.

I've inspected the intermediate access_token and state variables at length, and they all match and look to be correctly formatted:

Authentication URL (app sign in page): https://flowdash.co/auth/google?response_type=token&client_id=[client_id]&redirect_uri=https://oauth-redirect.googleusercontent.com/r/[project_id]&scope=email&state=[state]

After authenticating, redirected to (this is the white screen with 'return to app' broken link): https://oauth-redirect.googleusercontent.com/r/genzai-app#access_token=[token]&token_type=bearer&state=[state]

So, it seems there's something non-parallel about the way the simulator and physical devices work in terms of implicit flow account linking.

I've been struggling with this, and with the AOG support team for a very long time to no avail. Anyone else see a similar issue?

Updated with response redirect code:

Login handled by react-google-login component with profile & email scopes. On success we call:

finish_auth(id_token) {
    let provider = {
            uri: '/api/auth/google_auth',
            params: ['client_id', 'redirect_uri', 'state', 'response_type'],
            name: "Google Assistant"
        }
    if (provider) {
        let data = {};
        provider.params.forEach((p) => {
            data[p] = this.props.location.query[p];
        });
        if (id_token) data.id_token = id_token;
        api.post(provider.uri, data, (res) => {
            if (res.redirect) window.location = res.redirect;
            else if (res.error) toastr.error(res.error);
        });
    } else {
        toastr.error("Provider not found");
    }
}

provider.uri hits this API endpoint:

def google_auth(self):
    client_id = self.request.get('client_id')
    redirect_uri = self.request.get('redirect_uri')
    state = self.request.get('state')
    id_token = self.request.get('id_token')
    redir_url = user = None
    if client_id == DF_CLIENT_ID:
        # Part of Google Home / API.AI auth flow
        if redirect_uri == "https://oauth-redirect.googleusercontent.com/r/%s" % secrets.GOOGLE_PROJECT_ID:
            if not user:
                ok, _email, name = self.validate_google_id_token(id_token)
                if ok:
                    user = User.GetByEmail(_email, create_if_missing=True, name=name)
            if user:
                access_token = user.aes_access_token(client_id=DF_CLIENT_ID)
                redir_url = 'https://oauth-redirect.googleusercontent.com/r/%s#' % secrets.GOOGLE_PROJECT_ID
                redir_url += urllib.urlencode({
                    'access_token': access_token,
                    'token_type': 'bearer',
                    'state': state
                })
                self.success = True
        else:
            self.message = "Malformed"
    else:
        self.message = "Malformed"
    self.set_response({'redirect': redir_url}, debug=True)

Answer 1

I am able to make it work after a long time. We have to enable the webhook first and we can see how to enable the webhook in the dialog flow fulfillment docs If we are going to use Google Assistant, then we have to enable the Google Assistant Integration in the integrations first. Then follow the steps mentioned below for the Account Linking in actions on google:-

Go to google cloud console -> APIsand Services -> Credentials -> OAuth 2.0 client IDs -> Web client -> Note the client ID, client secret from there -> Download JSON - from json note down the project id, auth_uri, token_uri -> Authorised Redirect URIs -> White list our app's URL -> in this URL fixed part is https://oauth-redirect.googleusercontent.com/r/ and append the project id in the URL -> Save the changes

Actions on Google -> Account linking setup 1. Grant type = Authorisation code 2. Client info 1. Fill up client id,client secrtet, auth_uri, token_uri 2. Enter the auth uri as https://www.googleapis.com/auth and token_uri as https://www.googleapis.com/token 3. Save and run 4. It will show an error while running on the google assistant, but dont worry 5. Come back to the account linking section in the assistant settings and enter auth_uri as https://accounts.google.com/o/oauth2/auth and token_uri as https://accounts.google.com/o/oauth2/token 6. Put the scopes as https://www.googleapis.com/auth/userinfo.profile and https://www.googleapis.com/auth/userinfo.email and weare good to go. 7. Save the changes.

In the hosting server(heroku)logs, we can see the access token value and through access token, we can get the details regarding the email address.

Append the access token to this link " https://www.googleapis.com/oauth2/v1/userinfo?access_token= " and we can get the required details in the resulting json page.

`accessToken = req.get("originalRequest").get("data").get("user").get("accessToken")
r = requests.get(link)
print("Email Id= " + r.json()["email"])
print("Name= " + r.json()["name"])`

Answer 2

Not sure which python middleware or modules you are using but

self.set_response({'redirect': redir_url}, debug=True)

seems to be setting parameters for a returning a response which isn't correct. Instead you should redirect your response to the redirect_url. For example importing the redirect module in Flask or Django like: from flask import redirect or from django.shortcuts import redirect then redirect like:

return redirect(redirect_url)

Answer 3

It appears Google has made a change that has partially solved this problem in that it is now possible to complete the implicit account linking flow outside of the simulator, in the way outlined in my question.

It seems the problem stemmed from an odd handling (on the AOG side) of the client-side redirect case used after sign in with the Google sign-in button.

From Jeff Craig in this thread :

The current workaround, where we provide the "Return to app" link currently what we're able to provide. The issue is with the way that redirecting to custom-scheme URIs is handled in Chrome, specifically, with regard to the redirect happening in the context of a user action.

XHR will break that context, so what is happening is that you click the Google Sign-In Button, which triggers an XHR to Google's servers, and then you (most likely) do a client-side redirect back to the redirect_url we supply, our handler executes, and isn't able to do a JS redirect to the custom scheme URI of the app, because were outside of the context of a direct user click.

This is more of a problem with the Implicit (response_type=token) flow than with the authorization code (response_type=code) flow, and the "Return to app" link is the best fallback case we currently have, though we are always looking for better solutions here as well.

The current behavior shows the 'Return to app' link, but as of last week, this link's href is no longer about:invalid@zClosurez , but instead successfully completes the sign-in and linking process. It's an odd and confusing UX that I hope Google will improve in the future, but it was sufficient to get my app approved by the AOG team without any changes to my flow.