Setup Authenticated Actions on Google with Auth0

Keith Abdulla
6 min read, Aug 25, 2018

If you want to create Actions on Google that integrate with a user's Facebook, GitHub, Pinterest, etc., then you are at the right blog!

Let's get to creatin'!

This article assumes that you already know how to create an Action on Google, but now you want to take it up a notch. To integrate with one of these services you must be able to link it with a user's Google account. This is called Account Linking, and it requires you to authenticate the user. There are two OAuth 2.0 flows for doing so: the Implicit Flow, in which Google receives the access token straight back from the authorization URL, and the Authorization Code Flow, in which Google receives a short-lived code and exchanges it at the token URL (presenting the client secret) for the access token and a refresh token. I highly suggest reading the overviews of both flows for your own understanding.

After reading those flows the first time and you’re feeling like this…

uhhhhhhhhhhh

Don’t fret! This flow can be handled in a bunch of clicks and copy & pasting.

To do this I suggest using Auth0. I found their solution to be more straightforward and simple, which lets you just worry about building your action! First things first, sign up for an account with Auth0!

Setting up Auth0

When you sign up for Auth0, you will be asked to create a Tenant Domain name. Give this a recognizable name since you’ll need it later.

Domains: It's the base URL you will be using to access our (Auth0's) API and the URL where users are redirected in order to authenticate.

choose a good domain name!

Once you're signed in, click on 'Applications' on the left and click the 'Create Application' button!

Give your project whatever name you want, make sure to select 'Machine to Machine Applications', then click 'Create'!

Then you'll see a drop down; select 'Auth0 Management API'. You will be using this API later in your webhook to look up users who have authenticated. To read a user (and the identity provider token stored with that user) via the Management API you need to enable at least the 'read:users' and 'read:user_idp_tokens' scopes, then click 'Authorize'! Grant only the scopes you need: the Management API can also create, delete and modify every user in the tenant, and this application's credentials are going to live outside Auth0 (in the Actions console).

Go back to the 'Applications' page and click on the application you just created. There you should see something like Client ID, Client Secret, etc.

Scroll down to 'Allowed Callback URLs'. These are the only URLs Auth0 will redirect the user back to after authentication, carrying the authorization code (Authorization Code Flow) or the access_token (Implicit Flow). Auth0 rejects any redirect_uri that is not on this list, which is what keeps an attacker from having the code or token sent to a URL they control, so keep the list exact and as short as possible.

URLs to enter are: https://oauth-redirect.googleusercontent.com/r/yourGoogleCloudProjectID, https://developers.google.com/oauthplayground. The second one is Google's OAuth Playground, which is handy for testing the linking flow; remove it once you are done testing so that only the Actions on Google redirect remains.

In order to build the first URL, you need to know the Google Cloud project ID associated with your Action. To find it, go to the Actions console and look for the label above your project name. Below, 'github-helpa' is my Google Cloud project ID for the 'code helper' project, so I use https://oauth-redirect.googleusercontent.com/r/github-helpa.

Scroll to the bottom of the application's settings page to 'Show Advanced Settings'.

Click 'Show Advanced Settings' and click over to 'Grant Types'. Make sure that 'Client Credentials' is checked; that is the grant your webhook will use to obtain a Management API token. If you're going to support only the Implicit Flow, make sure 'Implicit' is checked, and if only the Authorization Code Flow, check 'Authorization Code' and 'Refresh Token'. Having all of them checked works as well, though a client should only be allowed the grants it actually uses. Then click 'Save Changes'!

Still in ‘Advanced Settings’, click over to ‘Endpoints’. Jot down your unique ‘Authorization URL’ and ‘Token URL’.

Phew! Half way there!! You made it this far so congratulations!!!

So far you've created a Tenant Domain name and a Machine to Machine Application in Auth0, authorized that application to call the Management API with the necessary scopes, added the Callback URLs, updated the Grant Types to support your flow, and now know your authorization and token endpoints!

Link a Social Site to Auth0

Next, choosing an Identity Provider!

“An Identity Provider is a server that can provide identity information to other servers. For example, Google is an Identity Provider. If you log in to a site using your Google account, then a Google server will send your identity information to that site.”

After clicking on an Identity Provider to integrate with, like GitHub, you will be navigated to a detailed how-to page on setting up that provider. After that setup, you are done on the Auth0 side!

Connecting your Auth0 to Actions on Google

Go to the Actions on Google console and select your project. Scroll down the nav drawer on the left until you see 'Advanced Options'. Under 'Advanced Options' click on 'Account Linking' and you should see something like below.

The 'Account Creation' and 'Linking Type' are up to you, but for simplicity I chose 'No' to account creation by voice and 'OAuth' for linking type. For OAuth flow type I suggest using 'Authorization Code' instead of implicit since it is more secure. With the Authorization Code Flow the access token never appears in a browser URL, and Google must present your client secret at the token URL to obtain it. The Client ID and Client Secret to add are your Auth0 machine-to-machine application credentials. Note that this is the same secret that can mint Management API tokens carrying read:user_idp_tokens over every user in the tenant, so treat it as high-value and never put it in client-side code. Next, the 'Authorization URL' and 'Token URL' are the unique URLs I mentioned to jot down (of the form https://yourTenantDomain/authorize and https://yourTenantDomain/oauth/token). Lastly, scroll down and you should see 'Configure your client'.

Feel free to use the scopes I provided, but make sure to at least add 'openid'. Each scope you add controls which claims about the user end up in the token (and in the /userinfo response) when you later call Auth0's Authentication API; 'openid' is what makes the token usable against /userinfo to identify the user at all. Save your changes and you're officially done with setting up authentication!

Enabling Account Linking

Up to this point you've set up an Auth0 application and connected it to both an Identity Provider and an Action on Google. All this work was done just to set up Account Linking, but now you need a user to enable it! A user can enable Account Linking in two ways: either when invoking your agent or during the conversation. Once the user has authenticated, each request Google sends to your webhook carries the access_token, and a helper tool such as the Actions on Google client library can read it for you.

However, this access token is for your Auth0 application and not the OAuth token for the social service. For instance, to make an authenticated GitHub API call, you must first present this access_token to Auth0's /userinfo endpoint to learn the user's Auth0 user ID, then call the Management API (authenticating with your application's client credentials) to fetch that user's record, whose identities carry the GitHub OAuth token (this is what the read:user_idp_tokens scope from earlier unlocks). You are in luck! I wanted to streamline this process so I built auth0-in-action. This library does the heavy lifting to return the OAuth token from the access_token you received.
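Here is what that three-step exchange looks like in a Node.js webhook, as an added example written for this article (it is neither the article's own code nor the auth0-in-action library). The tenant domain, client credentials, token values and the stubbed Auth0 responses are all constructed for illustration; the endpoints, request shapes and the identities[].access_token field are Auth0's documented ones, and the /userinfo call is the reason the 'openid' scope was required in the account-linking configuration above. The conv.user.access.token field name in the usage comment is an assumption about the Actions on Google client library.

```javascript
// Added example (not from the article or the auth0-in-action library): turn the
// Auth0 access_token that Actions on Google hands to the webhook into the user's
// GitHub OAuth token, using only documented Auth0 endpoints:
//   1. GET  https://{tenant}/userinfo           (Bearer: user's access_token)  -> { sub }
//   2. POST https://{tenant}/oauth/token         (client_credentials grant)    -> Management API token
//   3. GET  https://{tenant}/api/v2/users/{sub}  (Bearer: Management token)    -> identities[].access_token
// Step 3 only includes provider tokens when the application was granted
// read:users and read:user_idp_tokens on the Management API, as set up earlier.

const AUTH0 = { // constructed placeholder values; use your tenant's real ones
  domain: 'example-tenant.auth0.com',
  clientId: 'M2M_CLIENT_ID',
  clientSecret: 'M2M_CLIENT_SECRET',
};

async function getJson(fetchImpl, url, init) {
  const res = await fetchImpl(url, init);
  // Never surface the response body to the Assistant user: it may contain tokens.
  if (!res.ok) throw new Error(`${init.method} ${url} failed with HTTP ${res.status}`);
  return res.json();
}

// Management API tokens are valid for hours; cache one instead of minting per request.
let mgmtCache = { token: null, expiresAt: 0 };

async function getManagementToken(cfg, fetchImpl, now = Date.now()) {
  if (mgmtCache.token && now < mgmtCache.expiresAt - 60000) return mgmtCache.token;
  const body = await getJson(fetchImpl, `https://${cfg.domain}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
      audience: `https://${cfg.domain}/api/v2/`,
    }),
  });
  mgmtCache = { token: body.access_token, expiresAt: now + body.expires_in * 1000 };
  return body.access_token;
}

// Resolve the social provider's OAuth token for the user behind `userAccessToken`.
// `provider` is the identity provider name as Auth0 reports it, e.g. 'github'.
// `fetchImpl` is any fetch-compatible function (injected so the flow can be tested offline).
async function getProviderToken(userAccessToken, provider, cfg = AUTH0, fetchImpl = globalThis.fetch) {
  // 1. Identify the user. Needs the 'openid' scope on the account-linking config,
  //    otherwise /userinfo rejects the token.
  const userinfo = await getJson(fetchImpl, `https://${cfg.domain}/userinfo`, {
    method: 'GET', headers: { authorization: `Bearer ${userAccessToken}` },
  });
  if (typeof userinfo.sub !== 'string') throw new Error('userinfo response has no sub claim');

  // 2. Authenticate the webhook itself to the Management API.
  const mgmtToken = await getManagementToken(cfg, fetchImpl);

  // 3. Read the user record; identities[] carries the provider token.
  const user = await getJson(fetchImpl,
    `https://${cfg.domain}/api/v2/users/${encodeURIComponent(userinfo.sub)}`,
    { method: 'GET', headers: { authorization: `Bearer ${mgmtToken}` } });
  const identity = (user.identities || []).find((i) => i.provider === provider);
  if (!identity) throw new Error(`user ${userinfo.sub} has no linked ${provider} identity`);
  if (!identity.access_token) {
    throw new Error('identity has no access_token: grant read:user_idp_tokens to the application');
  }
  return { userId: userinfo.sub, providerToken: identity.access_token };
}

// Constructed stand-in for fetch that mimics the three Auth0 endpoints with made-up
// tokens, so the flow above can be exercised without a tenant.
function fakeAuth0Fetch(url, init = {}) {
  const auth = (init.headers && init.headers.authorization) || '';
  const reply = (status, body) => Promise.resolve({ ok: status < 400, status, json: async () => body });
  if (url.endsWith('/userinfo')) {
    return auth === 'Bearer USER_ACCESS_TOKEN'
      ? reply(200, { sub: 'github|12345', nickname: 'octocat' })
      : reply(401, { error: 'invalid_token' });
  }
  if (url.endsWith('/oauth/token')) {
    const b = JSON.parse(init.body);
    return b.grant_type === 'client_credentials' && b.client_secret === AUTH0.clientSecret
      ? reply(200, { access_token: 'MGMT_TOKEN', token_type: 'Bearer', expires_in: 86400 })
      : reply(401, { error: 'access_denied' });
  }
  if (url.endsWith('/api/v2/users/github%7C12345')) {
    return auth === 'Bearer MGMT_TOKEN'
      ? reply(200, { user_id: 'github|12345', identities: [{ provider: 'github', user_id: '12345',
          connection: 'github', isSocial: true, access_token: 'gho_constructed_github_token' }] })
      : reply(401, { error: 'Unauthorized' });
  }
  return reply(404, {});
}

// Usage from a webhook handler (field name assumed for the Actions on Google client library):
// const { providerToken } = await getProviderToken(conv.user.access.token, 'github');
```

The provider token is only ever held in the webhook process and handed to the GitHub API call; it is never written into the Assistant response, and a 401 from any step is reported without its body so that a misconfigured scope does not leak tokens into logs.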

I hope this article was helpful in making this process less daunting. Happy building out your awesome authenticated actions on google!


Keith Abdulla

Android engineer who loves to learn and teach. Currently at Square!