I've been trying to figure out the proper way to do account linking using Google as the OAuth 2 provider so the user can authorize access to their Google Contacts for my skill. The first question I need to understand is, should the Account Link URL go directly to Google's auth (https://accounts.google.com/o/oauth2/auth) or should it go to a page I control and then use something like Google Sign In (https://developers.google.com/identity/sign-in/web/)? Any details would be appreciated here, as Google has so many different options for getting API access on behalf of a user. In the former case, when Google redirects after auth, the token is in the URL fragment, so my server will not be able to get the access token. I would have Google redirect directly to the account linking redirect URL, but in the docs it says "When generating the access token, provide a token specific to your resource server. Do not use access tokens provided by other OAuth providers such as Google or Facebook." So if the account link URL is supposed to go directly to Google's auth URL, what is the proper way to get the access token for storage in my DB?
I suppose you could do it either way, but you can have the account linking URL point directly to Google OAuth2. Perhaps you could help me understand why your server can't grab the code (token) from the URL fragment? You should be able to grab that code and exchange it for an access token. You can then save that access token to your DB (along with any other user information you need) and then redirect back to the account linking redirect URL. Steve
Thanks for the response! When Google redirects, the access code comes after the # sign in the URL. Everything after a # sign is a fragment identifier. Browsers won't send the fragment in the request to the server because they are only meant to be used by the client. My understanding is that this is actually why they are used in this case. In the Implicit Grant OAuth flow, the access token is only meant to be used by the client. Allowing it to be sent to the server in that type of OAuth flow would be a security problem. Maybe I am wrong somewhere here, but that is my understanding of the situation.
https://en.wikipedia.org/wiki/Fragment_identifier Edit: Added Wikipedia link
Oh, and according to the docs, Amazon sends a request_type of "token" when it requests the account link page. If that is the case, Google would redirect with the access_token directly rather than the temporary code to exchange for the access_token.
Hey there. It's been a while since I implemented this, so I'd have to go back and look at the code. But I think the way I did it, after the user approves the request to access Google, Google sends an authorization code in the response, like this: https://myapp_oauth2callback_example/auth?code=4/weoiwr23r09weower I then grabbed that code value, exchanged it for Google OAuth tokens, saved the tokens and user info, and then redirected to the account linking redirect URL. Sorry this isn't of more help! Steve
Yeah, that is another type of OAuth flow, but according to Amazon's docs, they set response_type=token. In order to get the type of response you describe, response_type has to be set to "code". So, in order to do that type of flow, I would think that you would have to link to your own page first (for the Account Linking URL) so that you can control the value of response_type that gets sent to Google... unless maybe that value can be overridden when you put the account link URL in the publication form? It would be great if you could check your code and let me know what you did. Thanks!
So I tried setting my Account Link URL to something like this: https://accounts.google.com/o/oauth2/auth?response_type=code&redirect_uri=(url to my server where I would grab the auth "code" and then proceed from there) Notice I tried to set response_type to "code" instead of "token". This doesn't work. It looks like Amazon forces the response_type to "token", and so the type of OAuth flow you describe will not happen. :(
Thanks very much! Yeah, like I said, I expected that you would need to go to your own server (or page) before going to Google auth. You said before that you could go directly to Google auth, and that is what had me confused. If you go directly to Google auth, you can't get a code to exchange for tokens; you would get just the access token (because Amazon passes response_type=token). The code is needed so you can also get a refresh token. "I have already set up the redirect URI in the Google dev console to point to my Amazon redirect URI" Based on what you say after that, I think you mean to say that in the Google dev console, you point to your server which then eventually redirects to your Amazon redirect URI, right?
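The broker pattern the thread converges on, as an added example that is not code from any poster: the skill's own authorization endpoint receives Amazon's implicit-grant request (response_type=token), sends the user to Google with response_type=code so a refresh token is obtainable, and after the code exchange (not shown) mints its own opaque token and returns it to Amazon in the URL fragment. The endpoint URLs, the Alexa redirect allow-list, and the contacts scope are assumed values; the two dicts stand in for real server-side storage.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

GOOGLE_AUTH = "https://accounts.google.com/o/oauth2/auth"
# Constructed placeholder: the redirect URIs Amazon shows in the skill's account linking config.
ALLOWED_ALEXA_REDIRECTS = {"https://alexa-redirect.example/link"}
SESSIONS = {}  # our state -> Alexa redirect_uri and Alexa's state (short-lived, server-side)
TOKENS = {}    # our opaque token -> Google tokens; this is the "token specific to your resource server"

def query_params(url):
    """Return the query string of url as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def start_link(alexa_request_url, google_client_id, our_callback_url):
    """Step 1: Amazon opens the Account Link URL with response_type=token, state and redirect_uri.
    We bind a fresh state to that request and send the browser to Google asking for a code."""
    q = query_params(alexa_request_url)
    if q.get("response_type") != "token":
        raise ValueError("Amazon account linking always uses response_type=token")
    if q.get("redirect_uri") not in ALLOWED_ALEXA_REDIRECTS:
        raise ValueError("redirect_uri not in allow-list")  # blocks open-redirect / token leakage
    state = secrets.token_urlsafe(16)
    SESSIONS[state] = {"alexa_redirect": q["redirect_uri"], "alexa_state": q["state"]}
    params = {
        "response_type": "code",          # code flow, regardless of what Amazon asked for
        "client_id": google_client_id,
        "redirect_uri": our_callback_url,  # our server, registered in the Google console
        "scope": "https://www.googleapis.com/auth/contacts.readonly",  # assumed scope
        "access_type": "offline",          # needed for a refresh token
        "state": state,
    }
    return GOOGLE_AUTH + "?" + urlencode(params)

def finish_link(state, google_tokens):
    """Step 2: after our callback has exchanged Google's code for tokens, store them under a
    token we issue and hand only that token back to Amazon, in the fragment as the implicit
    grant requires."""
    session = SESSIONS.pop(state, None)  # one-time use: a replayed state is rejected
    if session is None:
        raise ValueError("unknown or replayed state")
    our_token = secrets.token_urlsafe(32)
    TOKENS[our_token] = google_tokens
    fragment = urlencode({"access_token": our_token, "token_type": "Bearer",
                          "state": session["alexa_state"]})
    return session["alexa_redirect"] + "#" + fragment
```

The skill's backend later looks up the bearer token Alexa sends in TOKENS to find the Google credentials, so Google's tokens never leave the server.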