
Account linking with Actions on Google

I am facing an issue regarding account linking in Actions on Google:

I am able to authenticate the user and access his email address and username; however, after this, how can I redirect the user back to the Google Assistant and close the browser where he was authenticated?

Any help will be appreciated!

Update: Hey Prisoner thanks a lot for that. I did what you said and yeah now it does redirect to google.com but without result_code=SUCCESS when I test it in the simulator.

The link is:

https://www.google.co.in/?gws_rd=cr&dcr=0&ei=z77fWbjQGIXxvATs_oqwBA

Now if I type talk to... again it shows me the message you need to link your account!

On the device the browser automatically closes and it shows SIGNING_IN; however, when I type an intent it is not recognized.

It would be great if you could point me in the right direction! (I am not sure but I might be at the token exchange stage that you mentioned, but I don't have a clue how to proceed!)

Update 2: As requested the entire flow that I am following: This is the URL that I receive from debugInfo:

https://assistant.google.com/services/auth/handoffs/auth/start?account_name=cha***@gmail.com&provider=***_dev&scopes=email&return_url=https://www.google.com/

When I paste this in the browser the request that I receive at the authorization endpoint is:

ImmutableMultiDict([
  ('response_type', 'code'), 
  ('client_id', ****.apps.googleusercontent.com'), 
  ('redirect_uri', 'https://oauth-redirect.googleusercontent.com/r/****'), 
  ('scope', 'email'), 
  ('state', ' CtcCQUxWM2ROU3hNMjl4LUItVXhQSGd4THRMLU4yNExnb3lYbGRKQnQwa3NwTVFva19NUWpYNE5jNGJURzIyZFN3RDBXd2d4enFGVWJGb0Q0ZW1vaS1OaFdkaHdhb05HZ2xlWTR6SllKVlRWYktwd09faklyUTVheFhQbGw2dmVKYzVFTk05N3B1QkxaZG41RVdHN0wyTktvRFdCYzFPVFBzM1dQUlFtN2RmM1VtRU4****(state)')
])

The response (redirect_url) that I send back:

https://accounts.google.com/o/oauth2/v2/auth?scope=email&response_type=code&redirect_uri=https%3A%2F%2F******.herokuapp.com%2Fcallback%2Fgoogle&client_id=****.apps.googleusercontent.com

When it reaches my endpoint again the request arguments are:

ImmutableMultiDict([
  ('code', '4/***********')
])

Now I am able to access the email address and other details

The url that I redirect to from here:

https://oauth-redirect.googleusercontent.com/r/****?code=abcdefgh&state=CtcCQUxWM2ROU3hNMjl4LUItVXhQSGd4THRMLU4yNExnb3lYbGRKQnQwa3NwTVFva19NUWpYNE5jNGJURzIyZFN3RDBXd2d4enFGVWJGb0Q0ZW1vaS1OaFdkaHdhb05HZ2xlWTR6SllKVlRWYktwd09faklyUTVheFhQbGw2dmVKYzVFTk05N3B1QkxaZG41RVdHN0wyTktvRFdCYzFPVFBzM1dQUlFtN2RmM1VtRU4****(state)

This redirects me to:

https://www.google.co.in/?gws_rd=cr&dcr=0&ei=5c_fWdfKNYndvASO7o6ACA

Edit 3: I checked the network logs:

result_code=FAILURE&result_message=Account+linking+failed

I also added /token/google as the token URL in AoG. It is detected in Heroku; however, I never receive this request in my code.

Note: I am using Python Flask and hosting my app on Heroku.

Once you have authenticated the user, you'll need to return a temporary auth code back to Google. Later, Google will exchange this auth code for an access token and a refresh token, but you're not there yet. The important part is that this code needs to be unique and that, later, you'll be able to recognize what user it is for. The code should be valid for a limited time - 10 minutes is a generally accepted time frame.

In the request Google sent to you as part of the login, they've provided a redirect_uri and a state as parameters. You'll need to use these in your reply. (state can be anything - you shouldn't care what it is, you're just going to send it back with your redirect. Its purpose is to improve security by preventing replay attacks.)

Verify that the redirect_uri has the form

https://oauth-redirect.googleusercontent.com/r/YOUR_PROJECT_ID

Where YOUR_PROJECT_ID is... you guessed it, the ID of your project. You can find this in the cloud console.

You'll then redirect the user to this URL with a few additional parameters:

https://oauth-redirect.googleusercontent.com/r/YOUR_PROJECT_ID?code=AUTHORIZATION_CODE&state=STATE_STRING

Where YOUR_PROJECT_ID is as noted above, AUTHORIZATION_CODE is the code you've generated, and STATE_STRING is the value of the state parameter that you were sent in the request.

For details, you can see https://developers.google.com/actions/identity/oauth2-code-flow#handle_user_sign-in
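The steps in the answer above, as an added example that is not part of the original question or answer: it checks the redirect_uri, issues a unique 10-minute code tied to one user, echoes state back unchanged, and lets the token endpoint later recognize the user from the code. The function names, the in-memory store and the PROJECT_ID placeholder are assumptions made for illustration.

```python
import secrets
import time
from urllib.parse import urlencode

PROJECT_ID = "my-project-id"   # assumption: placeholder for YOUR_PROJECT_ID
CODE_TTL_SECONDS = 600         # 10 minutes, the time frame given in the answer
EXPECTED_REDIRECT = f"https://oauth-redirect.googleusercontent.com/r/{PROJECT_ID}"

# In-memory store for the sketch; a deployed service needs shared storage
# so the token endpoint can see codes issued by the authorization endpoint.
_codes = {}  # code -> (user_id, expires_at)


def issue_auth_code(user_id, now=None):
    """Create a unique, unguessable, short-lived code that maps to one user."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    _codes[code] = (user_id, now + CODE_TTL_SECONDS)
    return code


def build_redirect(redirect_uri, state, user_id, now=None):
    """Return the URL to redirect the browser to after the user has signed in."""
    # Exact match only: a prefix or substring test would let a crafted
    # redirect_uri carry the code to some other host.
    if redirect_uri != EXPECTED_REDIRECT:
        raise ValueError("unexpected redirect_uri")
    code = issue_auth_code(user_id, now)
    # state is opaque: send back exactly what was received, URL-encoded.
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


def redeem_code(code, now=None):
    """Token-exchange side: map a code to its user once, if not expired."""
    now = time.time() if now is None else now
    user_id, expires_at = _codes.pop(code, (None, 0))  # pop makes it single-use
    if user_id is None or now > expires_at:
        return None
    return user_id
```

In a Flask app, build_redirect would be called with the redirect_uri and state values taken from the request arguments, and its result passed to redirect().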
