The OAuth-based Google Sign-in "Streamlined" linking type adds Google Sign-In on top of OAuth-based account linking. This provides seamless voice-based linking for Google users while also enabling account linking for users who registered with your service using a non-Google identity.
This linking type begins with Google Sign-In, which allows you to check whether the user's Google profile information exists in your system. If the user's information isn't found in your system, a standard OAuth flow begins. The user can also choose to create a new account with their Google profile information.
Figure 1: After your Action gets access to the user's Google profile, you can use it to find a match for the user in your authentication system.
To perform account linking with the Streamlined linking type, follow these general steps:
Support account creation via voice
If you allow user account creation via voice, Assistant asks the user whether they want to do the following:
Allowing account creation via voice is recommended if you want to minimize the friction of the account creation flow. The user only needs to leave the voice flow if they want to sign in using an existing non-Google account.
Disallow account creation via voice
If you disallow user account creation via voice, Assistant opens the URL of the website that you provided for user authentication. If the interaction is happening on a device that doesn't have a screen, Assistant directs the user to a phone to continue the account linking flow. Disallowing creation is recommended if:
Implement OAuth-based Google Sign-in "Streamlined" linking
Accounts are linked with industry-standard OAuth 2.0 flows. Actions on Google supports the implicit and authorization code flows. In the implicit flow, Google opens your authorization endpoint in the user's browser. After successful sign-in, you return a long-lived access token to Google. This access token is then included in every request sent from the Assistant to your Action. In the authorization code flow, you need two endpoints:
Although the implicit flow is simpler to implement, Google recommends that access tokens issued using the implicit flow never expire, because token expiration with the implicit flow forces the user to link their account again. If you need token expiration for security reasons, you should strongly consider using the authorization code flow instead.
Configure the project
To configure your project to use Streamlined linking, follow these steps:
Implement your OAuth server
To support the OAuth 2.0 implicit flow, your service makes an authorization endpoint available over HTTPS. This endpoint is responsible for authenticating users and obtaining their consent for data access. The authorization endpoint presents a sign-in UI to users who aren't already signed in and records consent to the requested access. When your Action needs to call one of your service's authorized APIs, Google uses this endpoint to get permission from your users to call these APIs on their behalf. A typical OAuth 2.0 implicit flow session initiated by Google has the following flow:
When your Action needs to perform account linking via an OAuth 2.0 implicit flow, Google sends the user to your authorization endpoint with a request that includes the following parameters:
For example, if your authorization endpoint is available at https://myservice.example.com/auth, a request might look like the following:
GET https://myservice.example.com/auth?client_id=GOOGLE_CLIENT_ID&redirect_uri=REDIRECT_URI&state=STATE_STRING&response_type=token
For your authorization endpoint to handle sign-in requests, do the following steps:
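The following is an added example, not Google's code or code from any project documented here, of the authorization endpoint side of the implicit flow for the request shown above. It assumes the user has already been authenticated and has consented, and shows only the checks on the incoming request and the redirect back to Google: the client_id must be the one Google uses for your Action, the redirect_uri must be one you registered for that client (so that the token cannot be sent elsewhere), and the state value is echoed back unchanged. GOOGLE_CLIENT_ID, REDIRECT_URI and the issued token are the page's placeholders; the token-in-fragment response format is the standard OAuth 2.0 implicit grant response.

```python
# Added example (not Google's or any project's code): implicit-flow
# authorization endpoint request checks and redirect. Placeholder values
# are taken from the request shown above.
from urllib.parse import parse_qs, urlencode, urlsplit

GOOGLE_CLIENT_ID = "GOOGLE_CLIENT_ID"  # client ID Google presents for your Action (placeholder)

# Tokens may only be delivered to a redirect URI registered for this client;
# redirecting to an unregistered redirect_uri would hand the user's token to it.
REGISTERED_REDIRECT_URIS = {"REDIRECT_URI"}  # placeholder


def parse_auth_request(url):
    """Flatten the query string of an authorization request into a dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def validate_auth_request(params):
    """Return None if the request is acceptable, otherwise the reason it is rejected."""
    if params.get("client_id") != GOOGLE_CLIENT_ID:
        return "unknown client_id"
    if params.get("redirect_uri") not in REGISTERED_REDIRECT_URIS:
        return "redirect_uri not registered for this client"
    if params.get("response_type") != "token":
        return "implicit flow requires response_type=token"
    if not params.get("state"):
        return "missing state"
    return None


def build_redirect(params, access_token):
    """Implicit grant response: the token travels in the URL fragment and the
    state value is echoed unchanged so Google's redirect handler can match it
    with the request it started."""
    fragment = urlencode(
        {"access_token": access_token, "token_type": "bearer", "state": params["state"]}
    )
    return f"{params['redirect_uri']}#{fragment}"


def handle_authorization(url, issue_access_token):
    """Process a GET to the authorization endpoint after sign-in and consent.

    issue_access_token() is the caller's function that mints a long-lived token
    for the signed-in user (assumed). Returns (HTTP status, reason or Location).
    """
    params = parse_auth_request(url)
    reason = validate_auth_request(params)
    if reason is not None:
        # Never redirect on a failed check: an unregistered redirect_uri must
        # not be used even to report the error.
        return 400, reason
    return 302, build_redirect(params, issue_access_token())
```

Design note: the redirect_uri check is an exact match against the registered set rather than a prefix or host match, and the error path returns a response directly instead of redirecting, which are the two decisions that keep a mistyped or manipulated redirect_uri from leaking the token.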
Google's OAuth 2.0 redirect handler will receive the access token and confirm that the
Handle automatic linking
After the user gives your Action consent to access their Google profile, Google sends a request that contains a signed assertion of the Google user's identity. The assertion contains information that includes the user's Google Account ID, name, and email address. The token exchange endpoint configured for your project handles that request. If the corresponding Google account is already present in your authentication system, your token exchange endpoint returns a token for the user. If the Google account doesn't match an existing user, your token exchange endpoint returns a
The request has the following form:
POST /token HTTP/1.1
Host: oauth2.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&intent=get&assertion=JWT&consent_code=CONSENT_CODE&scope=SCOPES
Your token exchange endpoint must be able to handle the following parameters:
When your token exchange endpoint receives the linking request, it should do the following:
Validate and decode the JWT assertion
You can validate and decode the JWT assertion by using a JWT-decoding library for your language. Use Google's public keys (available in JWK or PEM format) to verify the token's signature. When decoded, the JWT assertion looks like the following example:
{
  "sub": 1234567890, // The unique ID of the user's Google Account
  "iss": "https://accounts.google.com", // The assertion's issuer
  "aud": "123-abc.apps.googleusercontent.com", // Your server's client ID
  "iat": 233366400, // Unix timestamp of the assertion's creation time
  "exp": 233370000, // Unix timestamp of the assertion's expiration time
  "name": "Jan Jansen",
  "given_name": "Jan",
  "family_name": "Jansen",
  "email": "", // If present, the user's email address
  "locale": "en_US"
}
In addition to verifying the token's signature, verify that the assertion's issuer (
Check if the Google account is already present in your authentication system
Check whether either of the following conditions is true:
If either condition is true, the user has already signed up and you can issue an access token. If neither the Google Account ID nor the email address specified in the assertion matches a user in your database, the user hasn't signed up yet. In this case, your token exchange endpoint should reply with an HTTP 401 error that specifies
HTTP/1.1 401 Unauthorized
Content-Type: application/json;charset=UTF-8

{
  "error": "user_not_found"
}
When Google receives the 401 error response with a
Handle account creation via Google Sign-In
When a user needs to create an account on your service, Google makes a request to your token exchange endpoint that specifies
POST /token HTTP/1.1
Host: oauth2.example.com
Content-Type: application/x-www-form-urlencoded

response_type=token&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&scope=SCOPES&intent=create&consent_code=CONSENT_CODE&assertion=JWT[&NEW_ACCOUNT_INFO]
The
To respond to account creation requests, your token exchange endpoint must do the following:
Validate and decode the JWT assertion
You can validate and decode the JWT assertion by using a JWT-decoding library for your language. Use Google's public keys (available in JWK or PEM format) to verify the token's signature. When decoded, the JWT assertion looks like the following example:
{
  "sub": 1234567890, // The unique ID of the user's Google Account
  "iss": "https://accounts.google.com", // The assertion's issuer
  "aud": "123-abc.apps.googleusercontent.com", // Your server's client ID
  "iat": 233366400, // Unix timestamp of the assertion's creation time
  "exp": 233370000, // Unix timestamp of the assertion's expiration time
  "name": "Jan Jansen",
  "given_name": "Jan",
  "family_name": "Jansen",
  "email": "", // If present, the user's email address
  "locale": "en_US"
}
In addition to verifying the token's signature, verify that the assertion's issuer (
Validate user information and create new account
Check whether either of the following conditions is true:
If either condition is true, prompt the user to link their existing account with their Google Account by responding to the request with an HTTP 401 error, specifying
HTTP/1.1 401 Unauthorized
Content-Type: application/json;charset=UTF-8

{
  "error": "linking_error",
  "login_hint": ""
}
If neither condition is true, create a new user account using the information provided in the JWT. New accounts do not typically have a password set. It is recommended that you add Google Sign-In to other platforms to enable users to log in via Google across the surfaces of your application. Alternatively, you can email the user a link that starts your password recovery flow to allow the user to set a password for signing in on other platforms. When the creation is completed, issue an access token and return the values in a JSON object in the body of your HTTPS response, like in the following example:
{
  "token_type": "Bearer",
  "access_token": "ACCESS_TOKEN",
  "expires_in": SECONDS_TO_EXPIRATION
}
Design the voice user interface for the authentication flow
Check if the user is verified and start the account linking flow
After saving, a new account linking system scene called
Customize the account linking scene
Handle data access requests
If the Assistant request contains an access token, first check that the access token is valid and not expired, then retrieve from your user account database the user account associated with the token.
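The following is an added example, not Google's code or code from any project documented here, of the token exchange endpoint logic covered by the "Handle automatic linking", "Handle account creation via Google Sign-In" and "Handle data access requests" sections above: it verifies the assertion before trusting any claim, checks the issuer, audience and validity window, looks the user up by Google Account ID or email, returns the 401 bodies shown above for intent=get and intent=create, and rejects unknown or expired access tokens on data access requests. The assertion Google sends is RS256-signed and must be verified against Google's published public keys; so that this runs offline, that step is replaced by an HS256 check against a constructed key (DEMO_KEY), and make_demo_assertion is a constructed helper that signs test claims for it. The in-memory user store, the token lifetime, the clock-skew allowance, the login_hint value and the generic OAuth error codes returned for a rejected assertion or grant type are assumptions.

```python
# Added example (not Google's or any project's code). Signature verification is
# an HS256 stand-in (DEMO_KEY) for verifying Google's RS256 assertion against
# Google's published keys; stores, TTL, skew and generic error codes are assumed.
import base64
import hashlib
import hmac
import json
import secrets
import time

GOOGLE_ISSUER = "https://accounts.google.com"
OUR_CLIENT_ID = "123-abc.apps.googleusercontent.com"  # client ID from the decoded example
DEMO_KEY = b"constructed-stand-in-for-google-signing-key"
CLOCK_SKEW = 60          # seconds of tolerated clock drift (assumption)
ACCESS_TOKEN_TTL = 3600  # lifetime of tokens we issue (assumption)

# Constructed in-memory stores: user_id -> record, token -> (user_id, expiry).
USERS = {"u-1": {"google_sub": None, "email": "jan@example.com", "name": "Jan Jansen"}}
ACCESS_TOKENS = {}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_assertion(jwt, key=DEMO_KEY, now=None):
    """Verify the signature first, then iss, aud and the validity window.
    Raises ValueError on any failure; no claim is trusted before that."""
    h, p, s = jwt.split(".")  # ValueError if the token is not three segments
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != GOOGLE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != OUR_CLIENT_ID:
        raise ValueError("wrong audience")
    if not claims.get("iat", 0) - CLOCK_SKEW <= now < claims.get("exp", 0) + CLOCK_SKEW:
        raise ValueError("assertion outside its validity window")
    return claims


def find_user(claims):
    """User whose stored Google Account ID, or whose email, matches the assertion."""
    sub, email = str(claims["sub"]), claims.get("email")
    for uid, rec in USERS.items():
        if rec["google_sub"] == sub or (email and rec["email"] == email):
            return uid
    return None


def issue_access_token(user_id, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = (user_id, now + ACCESS_TOKEN_TTL)
    return {"token_type": "Bearer", "access_token": token, "expires_in": ACCESS_TOKEN_TTL}


def token_exchange(form, now=None):
    """Handle the POST /token form fields. Returns (HTTP status, JSON body)."""
    if form.get("grant_type") != "urn:ietf:params:oauth:grant-type:jwt-bearer":
        return 400, {"error": "unsupported_grant_type"}
    try:
        claims = decode_assertion(form.get("assertion", ""), now=now)
        uid = find_user(claims)  # KeyError if the assertion lacks sub
    except (KeyError, ValueError):
        return 401, {"error": "invalid_grant"}
    intent = form.get("intent")
    if intent == "get":  # automatic linking
        if uid is None:
            return 401, {"error": "user_not_found"}
        return 200, issue_access_token(uid, now)
    if intent == "create":  # account creation via Google Sign-In
        if uid is not None:  # existing account: ask the user to link it instead
            return 401, {"error": "linking_error", "login_hint": claims.get("email", "")}
        uid = f"u-{len(USERS) + 1}"
        USERS[uid] = {"google_sub": str(claims["sub"]), "email": claims.get("email"),
                      "name": claims.get("name")}
        return 200, issue_access_token(uid, now)
    return 400, {"error": "invalid_request"}


def user_for_access_token(token, now=None):
    """Data access requests: an unknown or expired token yields no account."""
    now = time.time() if now is None else now
    entry = ACCESS_TOKENS.get(token)
    if entry is None or now >= entry[1]:
        return None
    return USERS[entry[0]]


def make_demo_assertion(claims, key=DEMO_KEY):
    """Constructed helper that signs claims the way the stand-in verifier expects."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

Two points in the ordering matter: the signature is checked before the payload is even parsed, so a forged assertion never reaches the user lookup, and the lookup happens once for both intents, so intent=create against an email that already exists produces the linking_error response rather than a second account. With a real JWT library, pass Google's JWK set and pin the algorithm to RS256 in the same place this example pins HS256.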