Account linking Google Assistant - oauth-2.0

I actually looking for an answer for my problem of account linking on Google Assistant.
Sorry, the screens are in french but I can translate all if it's necessary to understand.
I followed the google account linking documentation until "implement your Oauth server"
https://developers.google.com/assistant/identity/oauth2?oauth=implicit
First:
On google Action, this is my configuration of account linking:
Next I'm trying to auth me on my application :
I have to sign in on Google Home APP.
I said, "talk to my test app:"
And google redirect me on my API with the authorization page.
I provide my password and my email.
The auth works on my API, but unfortunately an error is display on google assistant after the redirection ...
The error message in English is : "Sorry, an error occured. I didn't succeed to sign-up. You can try again later."
I don't understand why I got this Error ...
The URL GET authorize is :
http://f8f73376.ngrok.io/api/auth/authorize?redirect_uri=https%3A%2F%2Foauth-redirect.googleusercontent.com%2Fr%2Farlex-ccevqe&client_id=*clientid*&response_type=code&state=AB8b_TOd3At3ADLyuTi9k02War1fEmzT8vBeXxgHidVA5zTHVmVmE536Sjw60EAK_rUfb4Ie84Ly2l6E5AfW-F_Eo3hipueQzGbnEfpGlUHdhIeTQyfJYCk2I5-yT_n6vceOYeVlYfXF-frpVoiSCH9K2ns-7rbbgq3wEX2Px0DX3QH5ijgSsT7lvr0vOHECCCzTav9ldYf4G-EcruSModayIhIYBMKjKUQJqddBjJZ5JyCEE0cOJNvOeI13T35WoJ8_0HYoX2BXRYKGUJLiEOHX_cNlLWmcL1Y5wzDze6wa-qTM7Hvg7cutqO_u9pnhNWeMDkMgQljpSfUzyP7Ry1iWziE64nMtDmhxA48Qbufm-bRjpTRTCOBQN-_gLmx1aT2bBGTouSyg6cNY8E33HCzsp7H8qRfKYTdZ_Ga0IJcOam9MjNp2XFfgrw0uV7TTLig2LmYyJG_d-6urRGBY-xcwRxWkp7vCUtWvY6CXEZsF42rTjXYk-kr8xraS-2tNvgavhLASGvVVVgIg0AVSNZLdw9qvQMM-4NRFwsrAkZWz08kO493_lvA&user_locale=fr-FR
And the URL I sent for the redirection is:
https://oauth-redirect.googleusercontent.com/r/arlex-ccevqe#access_token=65cc814038a84114b8922b47eebc45cb&token_type=bearer&state=AB8b_TOd3At3ADLyuTi9k02War1fEmzT8vBeXxgHidVA5zTHVmVmE536Sjw60EAK_rUfb4Ie84Ly2l6E5AfW-F_Eo3hipueQzGbnEfpGlUHdhIeTQyfJYCk2I5-yT_n6vceOYeVlYfXF-frpVoiSCH9K2ns-7rbbgq3wEX2Px0DX3QH5ijgSsT7lvr0vOHECCCzTav9ldYf4G-EcruSModayIhIYBMKjKUQJqddBjJZ5JyCEE0cOJNvOeI13T35WoJ8_0HYoX2BXRYKGUJLiEOHX_cNlLWmcL1Y5wzDze6wa-qTM7Hvg7cutqO_u9pnhNWeMDkMgQljpSfUzyP7Ry1iWziE64nMtDmhxA48Qbufm-bRjpTRTCOBQN-_gLmx1aT2bBGTouSyg6cNY8E33HCzsp7H8qRfKYTdZ_Ga0IJcOam9MjNp2XFfgrw0uV7TTLig2LmYyJG_d-6urRGBY-xcwRxWkp7vCUtWvY6CXEZsF42rTjXYk-kr8xraS-2tNvgavhLASGvVVVgIg0AVSNZLdw9qvQMM-4NRFwsrAkZWz08kO493_lvA

There are two possible OAuth2 flows that you can use: Implicit (or "token") and Authorization Code (or "code"). While they are similar, there are some significant differences between the two in values of some of the parameters, how those parameters are sent back, and what else you need to support for each flow.
Although the URL you provided indicated you were following the "Implicit" flow, your screen shot shows you set Actions on Google to expect the Authorization Code flow. Additionally, Google is sending you a URL with response_type=code, and you are responding using a redirect that includes a hash and an access_token parameter, which are expected with the Implicit flow.
It looks like you have most things already setup to use the Implicit Flow, so the easiest solution would be to change this configuration in the Actions on Google Console. If you need the features that the Authorization Code Flow provide (most notably, limited lifetime for tokens), then you should adjust your server accordingly.

Related

Generating Credentials Auth Error - redirect_uri

I'm receiving an Authorization error when attempting to generate an authorization code:
Error 400: invalid_request
You can't sign in to this app because it doesn't comply with Google's
OAuth 2.0 policy for keeping apps secure.
If you’re the app developer, make sure that these request details
comply with Google policies. redirect_uri: urn:ietf:wg:oauth:2.0:oob
I've used this Google tutorial to replicate and confirm the issue:
https://developers.google.com/assistant/sdk/guides/service/python/embed/install-sample?hl=en_US
It is generating this URL:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=[HIDDEN]&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fassistant-sdk-prototype&state=[HIDDEN]&prompt=consent&access_type=offline
Here is a workaround provided by jdtoth on Github: https://github.com/greghesp/assistant-relay/issues/266#issuecomment-1065940698
Thanks jdtoth!
I found a workaround for creating a new user. In my case, I needed to
create a specific type of API credential. Here is what I did:
Create a new OAuth Client credential using the link below, ensuring
the application type is "Web application" and set Authorized Redirect
URIs to "http://localhost"
https://console.cloud.google.com/apis/credentials
Download the key, and create the user in the Assistant Relay appas you
tried before. When it opens a new browser window to authorize the
google account, you might need to bypass a warning. After you do this,
a blank browser window will open but the address bar will contain the
auth code you need. Grab the code from the relevant part of the URL
here and paste it back into the Assistant Relay app:
http://localhost/?code=COPYCODEFROMHERE&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fassistant-sdk-prototype
Let me know if this works. I am successfully sending commands to the
Assistant Relay server but nothing is playing on my speakers.

ss_domain parameter in context of OAUTH or OpenID?

I'm trying to learn about OAUTH and OpenID Connect.
Thus I am investigating my own traffic, listening to Authorization Requests and Grants by checking for required parameters in OAUTH as described in https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 and https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2 for the Authorization Code Flow as well as described in section 4.2.1 and 4.2.2 for the Implicit Flow.
Unfortunately, by using the SSO option for Google on joinhoney.com, I am only able to catch the Request, but not the Authorization Grant.
So, while debugging and having a look at the actual request, I can see the following parameters in the query part of the url:
Parameter
Value
redirect_uri
storagerelay://https/www.joinhoney.com?id=auth[censoredID]
response_type
permission id_token
scope
email profile openid
openid.realm
client_id
705229005811-2fdpup66d8aefq4qs2ru1n8qiosuq4fb.apps.googleusercontent.com
ss_domain
https://www.joinhoney.com
fetch_basic_profile
true
gsiwebsdk
2
Now, to get to the actual question:
Where can I find some specified information about the ss_domain parameter?
I could not find any information in https://www.rfc-editor.org/rfc/rfc6749 as well as on https://openid.net/, however when using google, I can find some people using the ss_domain parameter (only without further explanation), so I doubt it is something only used by joinhoney.com.
Would be happy if somebody could bring some light in here!
Thank you!
If you are at www.example.com, and you your redirect_uri is to a different domain e.g. subdomain.example.com, you need to set ss_domain to https://subdomain.example.com.
This custom ss_domain change, however, is not possible using the Google login client side sdk. You got to push the url manually.

Onedrive/Azure API Code Flow for authentication sends me to my redirect url, but does not give me a code attached to the url

https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/graph-oauth?view=odsp-graph-online#step-1-get-an-authorization-code
I have followed this step to a tee, login with success, get redirected, and there is no code with the redirect url as the tutorial promises.
The following link is my version with the credentials.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=a383dd3b-8306-4902-93d3-f5a33fe4a445&scope=Files.Read&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
I get taken to this page and sign into an account under the same namespace. Login view
After signing into a proper login, all I get in return is redirected to my redirect URI with no code attached to the end like the tutorial says I should. All I need is access to 3 files on my onedrive, but I can't seem to make it past OAuth2. Here is what I get redirected to. https://login.microsoftonline.com/common/oauth2/nativeclient
From first look it seems that the redirect_uri is wrong. This should be the endpoint where you receive the authorization code and then exchange it for the rest of the OAuth process.
I work with Pathfix and we solve the problem of OAuth token management using a serverless infrastructure.
To summarize, here is what your url should look like
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=a383dd3b-8306-4902-93d3-f5a33fe4a445&
scope=https://graph.microsoft.com/Files.ReadWrite.All%20offline_access&
response_type=code&
redirect_uri=https://your endpoint
An additional note on the scope. Note above that the scope definition for token should be as I have specified above
It all works the same. I just made sure my app was open to all tenants and replaced the .com with .us in all links but the redirect uri. Hopefully, this helps someone else. For example, my data is on a sharepoint, but the microsoft graph api works the same for all accounts with a difference in .us, .com, and few others.

Discord API - random "invalid code" error passing back generated OAuth2 code

I've successfully implemented Discord's OAuth2 flow using the authorization code grant type into my application. The end user navigates to Discord's OAuth2 link for my bot, authorizes its access, and Discord redirects them back to my site with a code querystring. The bot then exchanges this code for an access token by querying Discord's API. Documentation on this process is available here for reference.
However, roughly every 50-100 requests to the exchange endpoint, I receive a 403 with the error invalid_grant and the description Invalid "code" in request. Frankly, I don't understand how the code just provided by Discord's system is instantly invalid. The same user can complete the process again and no error is returned the second time.
Out of desperation, I tried toggling on the option in the Developers Dashboard named Requires OAuth2 Code Grant seeing that it said "if your application requires multiple scopes," but it made no effect. I've also tried endless debugging, but the circumstances under each occurrence are apparently random. Oddly enough, I can't find anyone with the same issue online.
Below is the request I'm making in Node.js using the superagent library. It matches the documentation and works perfectly, other than the response randomly being the error described.
superagent.post('https://discordapp.com/api/v6/oauth2/token')
.type('x-www-form-urlencoded')
.set('Content-Type', 'application/x-www-form-urlencoded')
.send({
client_id: process.env.BOT_ID,
client_secret: process.env.BOT_SECRET,
grant_type: 'authorization_code',
code,
redirect_uri: process.env.OAUTH2_REDIRECT_URI,
scope: 'identify guilds.join',
});
I can confirm that all variables match their expected values. The value of redirect_uri matches that of redirect_uri in the original URL used. code is the value of the code querystring returned through the OAuth2 flow.
What (if anything) am I doing wrong that's causing the error?
Update 1:
Discord has directed me to the API GitHub repo, and I found the issue closed here. Commented and will update here if I receive any helpful info or resolve the issue completely (hopefully the case).
Ran into the same issue using nodejs. Leaving here notes for prosperity:
On Node, if there is no explicit app.head() handler, the .post() handler receives all head requests
Several Android phones, upon being redirected from discord, first send a head request to the endpoint
Meaning:
The user authenticates on discord, then through the redirect back, does a head request. This pulls discord with the code, BUT directly afterwards it also does a post request, which will fail (as you already used the code once), and possibly un-authenticates the user.
Solution for my specific issue was an explicit .head handler for all callback endpoints, which basically just returned the same headers (a redirect) as the post one did, but without calling discord.
Hope this helps.
did you use the OAuth2 link to invite your bot to your server - with the correct permissions? If so, in your main.js file did you define the token?
I.e. bot.login(“YOUR_TOKEN_HERE”)
I would recommend not toggling the ‘Requires OAuth2 Code Grant’ as it is a pain to do anything with in the beginning.
Please let me know of any progress :)

Cortana - OAuth2 Redirect URL Configuration not changing

I'm currently implementing an OAuth2 authentication using Microsoft Bot Framework and Cortana as one of my channels. However, as I was setting up my OAuth2 configuration with the following details in where I properly set the Redirect URL both from Knowledge Store and apps.dev.microsoft.com
Knowledge Store:
apps.dev.microsoft.com:
Whenever I authenticate to Cortana based from the OAuth2 that I've configured, the redirect URI seems to be always set as https://www.bing.com/agents/oauth. Here's a screenshot of the http request from Cortana Authentication that I got from fiddler:
Which causes this error message:
Any idea how to fix this?
Don't forget that the bot channel (in this case Cortana) needs to be where the redirect points to. Cortana's redirect is https://www.bing.com/agents/oauth.
Documentation here. You can test OAuth via botframework and the emulator. In that case, the redirect is https://token.botframework.com/.auth/web/redirect. Documentation here. If you look at the diagram in the spec on page 10, you'll see that Cortana is the client. The auth call needs to come back to her. You also need to let the auth server know that the redirect URL is allowed. For Microsoft login, you go to the app dev portal, select your app, go add a "web platform" and register the redirect urls. That should solve the problem on both ends.

Resources