"Accounts failed to link" error happens when I try to authorize Google Assistant at my Web service
Asked Answered
G

1

2

First, I'd like to mention that problems like this had been discussed before in the topics like: How to authenticate user with just a Google account on Actions on Google?

But I could not find any information at all related to ways of linking Google Assistant app with my own web server.

Problem:

GET https://oauth-redirect.googleusercontent.com/r/my-google-assistant-app#access_token=ACCESS_TOKEN&token_type=bearer&state=STATE always returns "Account field to link" error description

A Way to Reproduce:

  1. I created a new project in Actions on Google Console
  2. I built an application using Dialogflow
  3. I created a Heroku Web Server as my webhook (ex: webhook.herokuapp.com)

So everything worked just fine. I've successfully connected my Google Assistant app with my webhook.

But then I decided to send requests to my another one Heroku Web Server (ex: webserver.herokuapp.com) which needs a user to be logged in. So I decided to implement account linking of my Google Assistant app with webserver.herokuapp.com

  1. I implemented Google-OAuth2 authorization at webserver.herokuapp.com. Also I want to mention that I used Client ID and Client Secret of my Google Assistant App

So, Google Authorization worked perfectly at my webserver.herokuapp.com

  1. Then I enabled account linking settings for my Google Assistant app with Implicit Flowenter image description here

So, that's it!

Epilogue

I open Google Assistant, tell it "Talk to my test app", then it greets me and offers me to link accounts. I say "yes". Then I see how Google Assistant requests my login URL at webserver.herokuapp.com. Then I enter my Google email and password. As a result I logged in at my webserver! Then my webserver makes a redirection to:

https://oauth-redirect.googleusercontent.com/r/my-google-assistant-app#access_token=ACCESS_TOKEN&token_type=bearer&state=STATE

And I get the error I've described at the top of my post.

Any help would be appreciated


UPDATE with parameter information

These are my constants:
Google Assistant Project_ID = nodejs-sdk-local-test
Google Assistant Client_ID = 1067979601708-ldr3ga115es3fdo823slfnj46gjoes66.apps.googleusercontent.com
state = manually_set_state_value

The flow is I open my Google Assistant and say "Ok Google, talk to my test app", it answers my request and then I say something like "do some action which need authorization". Google Assistant app offers me to link an account and I say "Yes".

  • This is where Google Assistant app makes a call to my https://webserver.herokuapp.com/google-oauth2 endpoint. A purpose of this endpoint is to redirect me to the Google Login Page.

  • Now I'm being redirected to the Google Login Page (everything seems to be correct. client_id and state parameters are similar to the constants). This is the example of an URL where I am being redirected to: https://accounts.google.com/o/oauth2/auth?client_id=1067979601708-ldr3ga115es3fdo823slfnj46gjoes66.apps.googleusercontent.com&redirect_uri=http://webserver.herokuapp.com/complete/google-oauth2/&state=manually_set_state_value&response_type=code&scope=openid+email+profile

  • At the Google Login Page I enter my credentials and then I'm being redirected to the redirect_uri=http://webserver.herokuapp.com/complete/google-oauth2 endpoint. A purpose of this endpoint is to register or login me at webserver.herokuapp.com and then redirect me to another Google URL. An example of the Google URL: https://oauth-redirect.googleusercontent.com/r/nodejs-sdk-local-test#access_token=<token_omitted>&token_type=bearer&state=manually_set_state_value

  • So it seems that everything is correct. I logged in to my webserver.herokuapp.com, got an access token. Also project_id and state parameter in the last Google URL are similar to constants. Anyway, this Google URL returns me an error "Accounts failed to link"!

Gerger answered 26/1, 2018 at 12:40 Comment(2)
For starters - never post an access token, since (as its name suggests) it provides access to your resources. Second - I'm confused about the redirect flow. You originally said that the user is redirected to webserver.herokuapp.com and then you redirect to the login page, but that isn't clear from your update, you just skipped to the (Google) login page. Can you update the question to clarify this?Hide
@Hide I updated my answer. I hope now it's more clear! So as you can see everything should be working but it's not :( By the way I did not post an access token. Google did. When I'm being redirected to the 'last' Google URL https://oauth-redirect.googleusercontent.com/r/blah-blah-blah something happens at the Google side and then it makes POST https://assistant.google.com/services/auth/handoffs/auth/complete with parameters: access_token, token_type and state. And this always returns "Accounts failed to link" errorGerger
H
2

The most common cause of this is that you're not passing back the same value for state that was sent to you when Google redirected to your site. Make sure this is the same value and, for your security, make sure you validate the other parameters that are sent to you as well.

When the user is redirected to https://webserver.herokuapp.com/google-oauth2, there should be some parameters sent as part of the query. Those parameters include a state parameter. It should look something like this:

https://myservice.example.com/auth?client_id=GOOGLE_CLIENT_ID&redirect_uri=REDIRECT_URI&state=STATE_STRING&response_type=token

Note that while the client_id and redirect_uri are values that you should expect and test for, the state value is not one that you would have set. Google generates a different one every time. This is the state that you should be using later when you redirect to

https://oauth-redirect.googleusercontent.com/r/nodejs-sdk-local-test#access_token=<token_omitted>&token_type=bearer&state=STATE_STRING
Hide answered 26/1, 2018 at 13:0 Comment(4)
Thank you for the quick response! I'll debug my webserver and check my parameters again. Also, I will post a comment with results laterGerger
Unfortunately, I did not succeed. I've updated my post at the bottom. Could you give it a look please and tell me if you have any slightest suggestions? Thank you!Gerger
I've updated my answer to provide additional information.Hide
Thank you so much! Now it works! I thought I have to generate state parameter on my own. And I tested my web server using a simple REST client but I had to test it using Google Assistant because it generates state.Gerger

© 2022 - 2024 — McMap. All rights reserved.