Steve asked

Account linking with Google?

I've been trying to figure out the proper way to do account linking using Google as the OAuth 2 provider so the user can authorize access to their Google contacts for my skill. The first question I need to understand is: should the Account Link URL go directly to Google's auth (https://accounts.google.com/o/oauth2/auth), or should it go to a page I control and then use something like Google Sign-In (https://developers.google.com/identity/sign-in/web/)? Any details would be appreciated here, as Google has so many different options for getting API access on behalf of a user.

In the former case, when Google redirects after auth, the token is in the URL fragment, so my server will not be able to get the access token. I would have Google redirect directly to the account linking redirect URL, but the docs say: "When generating the access token, provide a token specific to your resource server. Do not use access tokens provided by other OAuth providers such as Google or Facebook." So if the account link URL is supposed to go directly to Google's auth URL, what is the proper way to get the access token for storage in my DB?
Tags: alexa skills kit, submission testing certification

Steve A answered
I suppose you could do it either way, but you can have the account linking URL point directly to Google OAuth2. Perhaps you could help me understand why your server can't grab the code (token) from the URL fragment? You should be able to grab that code and exchange it for an access token. You can then save that access token to your DB (along with any other user information you need) and then redirect back to the account linking redirect URL.

Steve

Steve answered
Thanks for the response! When Google redirects, the access code comes after the # sign in the URL. Everything after a # sign is a fragment identifier. Browsers won't send the fragment in the request to the server because fragments are only meant to be used by the client. My understanding is that this is actually why they are used in this case: in the Implicit Grant OAuth flow, the access token is only meant to be used by the client. Allowing it to be sent to the server in that type of OAuth flow would be a security problem. Maybe I am wrong somewhere here, but that is my understanding of the situation. https://en.wikipedia.org/wiki/Fragment_identifier

Edit: added Wikipedia link.

Steve answered
Oh, and according to the docs, Amazon sends a request_type of "token" when it requests the account link page. If that is the case, Google would redirect with the access_token directly rather than the temporary code to exchange for the access_token.

Steve A answered
Hey there. It's been a while since I implemented this, so I'd have to go back and look at the code. But I think the way I did it, after the user approves the request to access Google, Google sends an authorization code in the response, like this: https://myapp_oauth2callback_example/auth?code=4/weoiwr23r09weower

I then grabbed that code value, exchanged it for Google OAuth tokens, saved the tokens and user info, and then redirected to the account linking redirect URL. Sorry this isn't of more help!

Steve

Steve A answered
Here, this might be helpful: https://developers.google.com/identity/protocols/OAuth2WebServer. I used one of the client libraries and followed the flow I outlined above, exchanging the code passed in the URI for an access token.

Best,
Steve

Steve answered
Yeah, that is another type of OAuth flow, but according to Amazon's docs, they set response_type=token. In order to get the type of response you describe, response_type has to be set to "code". So, in order to do that type of flow, I would think that you would have to link to your own page first (for the Account Linking URL) so that you can control the value of response_type that gets sent to Google... unless maybe that value can be overridden when you put the account link URL in the publication form? It would be great if you could check your code and let me know what you did. Thanks!

Steve answered
So I tried setting my Account Link URL to something like this: https://accounts.google.com/o/oauth2/auth?response_type=code&redirect_uri=(url to my server where I would grab the auth "code" and then proceed from there)

Notice I tried to set response_type to "code" instead of "token". This doesn't work. It looks like Amazon forces the response_type to "token", and so the type of OAuth flow you describe will not happen. :(

Steve A answered
Steve,

So, I set my skill's account linking to a page of mine, and grab the state param. Then I redirect to Google using an address like this:

https://accounts.google.com/o/oauth2/auth?access_type=offline&client_id=CLIENT-ID-HERE.apps.googleusercontent.com&redirect_uri=https://mycallbackuri.com&response_type=code&scope=https://www.googleapis.com/auth/calendar

I have already set up the redirect URI in the Google dev console to point to my Amazon redirect URI. So, once the user accepts the Google auth, the Google flow directs the user back to that URI. I've saved the Amazon state param previously (since Google does not pass that info back). But Google does hand me a code that I then swap for access and refresh tokens. Then I generate my own access code for the user, save all of that to my DB (Google tokens and my access token), and redirect back to the Amazon redirect URL, passing the Amazon state param that I've saved and the access token I've generated. That's the whole flow.

Steve
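
The flow in the answer above, as an added example that is not code from the thread, Amazon or Google: a skill-side page that parks Amazon's state, sends the user to Google with response_type=code, and on the callback checks the state, exchanges the code, mints its own token (per the docs quoted in the question) and returns it to Amazon. AMAZON_REDIRECT is a placeholder, and exchange_code is a caller-supplied stub standing in for the real HTTPS token exchange so it runs offline.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values; CLIENT_ID and MY_CALLBACK mirror the thread,
# AMAZON_REDIRECT is a placeholder for the skill's real Amazon redirect URL.
GOOGLE_AUTH = "https://accounts.google.com/o/oauth2/auth"
CLIENT_ID = "CLIENT-ID-HERE.apps.googleusercontent.com"
MY_CALLBACK = "https://mycallbackuri.com"
AMAZON_REDIRECT = "https://amazon-redirect.example/link"

PENDING = {}  # our nonce -> Amazon's state, parked while the user is at Google
LINKED = {}   # our own access token -> Google tokens (a DB table in practice)


def start_link(amazon_state: str) -> str:
    """Step 1: Amazon sent the user to our account-linking page with its state.
    Park that state under a fresh nonce and send the user on to Google, asking
    for response_type=code (Amazon alone would force response_type=token)."""
    nonce = secrets.token_urlsafe(16)
    PENDING[nonce] = amazon_state
    params = {
        "access_type": "offline",   # needed to also get a refresh token
        "client_id": CLIENT_ID,
        "redirect_uri": MY_CALLBACK,
        "response_type": "code",
        "scope": "https://www.googleapis.com/auth/calendar",
        "state": nonce,             # Google echoes this back on the callback
    }
    return f"{GOOGLE_AUTH}?{urlencode(params)}"


def finish_link(callback_url: str, exchange_code) -> str:
    """Step 2: Google redirected to MY_CALLBACK with ?code=...&state=....
    Verify the state (rejecting unknown or replayed values), swap the code for
    Google tokens, mint a token of our own, and send the user back to Amazon.
    exchange_code(code) stands in for the real HTTPS call to Google's token
    endpoint so the example runs offline."""
    q = parse_qs(urlparse(callback_url).query)
    nonce = q.get("state", [""])[0]
    amazon_state = PENDING.pop(nonce, None)
    if amazon_state is None:
        raise ValueError("unknown or replayed state")
    google_tokens = exchange_code(q["code"][0])
    own_token = secrets.token_urlsafe(32)  # never hand Amazon the Google token
    LINKED[own_token] = google_tokens
    # Amazon asked for an implicit grant, so it expects the token in the fragment
    frag = urlencode({"state": amazon_state, "access_token": own_token,
                      "token_type": "Bearer"})
    return f"{AMAZON_REDIRECT}#{frag}"
```

Looking up LINKED[own_token] on each skill request is what later turns Amazon's bearer token back into the stored Google credentials.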

Steve answered
Thanks very much! Yeah, like I said, I expected that you would need to go to your own server (or page) before going to Google auth. You said before that you could go directly to Google auth, and that is what had me confused. If you go directly to Google auth, you can't get a code to exchange for tokens; you would get just the access token (because Amazon passes response_type=token). The code is needed so you can also get a refresh token.

"I have already setup the redirect URI in the Google dev console to point to my Amazon redirect URI"

Based on what you say after that, I think you mean to say that in the Google dev console, you point to your server, which then eventually redirects to your Amazon redirect URI, right?

Steve answered
Also, just FYI, if you have "state" as a query string value in your Google auth URL, you will get it back when Google redirects.