4

Very simple use case explaining my problem: Given my app asks for a pin for some interactions. Now the user gives me a wrong pin three times. Then, I want to reset his access and force him to re-link his account. I can do this pretty easily in my internal database, but I need a way to tell Google that his currently used token is not valid anymore. Else, Google Assistant persists in sending me the now rejected token.

Update 2018-03-01: With the new built-in intents/events, I also tried sending the actions_intent_SIGN_IN event via the followupEvent attribute, but this only led Google Assistant to recall my API with GOOGLE_ASSISTANT_WELCOME (with the old OAuth token..) instead of restarting the sign-in workflow.


Original post

I have a Google Assistant app with Dialogflow, which forces the user to be signed in to use my app. The initial OAuth workflow works and I do get the token in all API calls.

Now I want to force the user to re-run the account linking workflow under certain circumstances. To do so, I remove the OAuth token from my internal database and send exactly this response to the user, which should be equivalent to an app.askForSignIn() call if you are using the SDK: https://github.com/actions-on-google/actions-on-google-nodejs/blob/fe29016d472eeb1d080e2b575236076e9341199e/test/dialogflow-app-test.js#L1827

But this doesn't work. The assistant does not tell the user to re-run the OAuth linking workflow, and does not delete its stored OAuth token. It doesn't even use its refresh token to get a new access token!

In addition, instead of using the "speech" attribute of my response, the simulator answers with "Sorry, I didn't get any response." - although my simulator is configured to speak German.

(I also tried to leave out several probably unneeded parameters like the contextOut attribute. This results in a different request than the one stated in the official sdk sources, but does not give the desired results either.)

Toni
  • Are you sending a response indicating that you have a bad token? – Nick Felker Nov 20 '17 at 16:09
  • @NickFelker What kind of response do I have to send then? I don't find anything in the docs (https://developers.google.com/actions/identity/account-linking) regarding this. The only thing stated there is to send `actions.intent.SIGN_IN` to start the account linking workflow, and this is what I tried. – Toni Nov 20 '17 at 18:15
  • Do you send a 400 with the text 'invalid code' or 'expired code'? ie. https://github.com/actions-on-google/actionssdk-smart-home-nodejs/blob/master/smart-home-provider/cloud/auth-provider.js#L317 – Nick Felker Nov 21 '17 at 00:42
  • @NickFelker You are describing the response of my OAuth endpoint, aren't you? The problem is that my OAuth endpoint *is not retriggered at all*. But after your response, I also tried to send a 400 response with 'invalid code' from my Dialogflow webhook - this only resulted in a "validation error" in my Google Actions simulator. So the question still is: How do I tell Google Assistant to grab a new OAuth token / to restart account linking? – Toni Nov 22 '17 at 12:50
  • What if you sent an `expired code` error? That should indicate that a new OAuth token needs to be obtained and it should send the refresh token. – Nick Felker Nov 22 '17 at 15:42
  • @NickFelker So you mean sending an HTTP 400 with body `expired code` **to Dialogflow**? This didn't help either, the web simulator again just gave me a validation error. Actually, any other result would have surprised me: Why would Dialogflow care about my OAuth token? Wouldn't I have to put anything in the `data: { google: {} }` hash instead, like I tried it above with `actions.intent.SIGN_IN`? – Toni Nov 23 '17 at 15:06
  • My feedback is more in regards to having a working oauth server. I'm less sure why it wouldn't be working with account linking in Dialogflow – Nick Felker Nov 23 '17 at 15:12
  • @NickFelker My OAuth endpoint is working. Refreshing tokens etc. works if the token is expired. All the question is about is how to force Google Assistant (through Dialogflow) to restart account linking / grab a new token before the token is expired ordinarily. For example if my app suspects that my client's identity was stolen because of the way he or she interacts with the app. In that case, I want to force the user to relink his account instantly. But how?! – Toni Nov 23 '17 at 16:32
  • @NickFelker For example: Given my app asks for a pin for some interactions. Now the user gives me a wrong pin three times. Then, I want to reset his access and force him to re-link his account. I can do this pretty easily in my internal database, but I need a way to tell Google that his currently used token is not valid anymore. Else, Google Assistant persists in sending me the now rejected token.. – Toni Nov 23 '17 at 16:51
  • That is an interesting use case. Unfortunately I am unsure of the answer. – Nick Felker Nov 28 '17 at 18:51
  • @NickFelker Are there any plans when this will be available? This is no problem for Alexa, and imho shouldn't be a problem for any voice/oauth app. – Toni Jan 31 '18 at 10:17

2 Answers

2

Dealing with the same issue, I was advised to send a 401 response if you desire to remove the stored DF token. DF does not have an implicit Revoke Token intent.

1

Sadly, Dialogflow does not seem to reset the token with a status 401 error response.

Google exposes an API for revoking access and refresh tokens.
For that, you have to send the following request:
`https://accounts.google.com/o/oauth2/revoke?token={token}`.

See the different implementations

EDIT: It seems you only have to make Dialogflow reset its state. Simply making an edit in the Dialogflow console seems to clean the access token.

Yann D.
  • I tried to revoke my access token using this and I keep getting "invalid_token" response. I am supplying my `accessToken` as is available in the conv json (through `conv.user.raw.accessToken`). What am I doing wrong? – ofekp Jun 22 '19 at 20:46
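
The server-side half of the PIN scenario from the question, as an added example that is not part of the original thread: after three wrong PINs the service deletes the user's access and refresh tokens, so a token the Assistant keeps sending is rejected and a refresh attempt gets OAuth 2.0's `invalid_grant` error. The store layout, token values and function names are assumptions, and the sketch does not show how to make the Assistant drop its cached token, which the thread leaves open.

```javascript
// In-memory stand-in for the "internal database" (constructed sample data;
// a real store would keep a PIN hash and random token values).
const MAX_PIN_FAILURES = 3;

function createStore() {
  return {
    users: new Map([['user-1', { pin: '4711', failures: 0, linked: true }]]),
    accessTokens: new Map([['at-old', 'user-1']]), // token -> user id
    refreshTokens: new Map([['rt-old', 'user-1']]),
  };
}

// Delete every token issued to the user so neither access nor refresh works.
function revokeUser(store, userId) {
  for (const tokens of [store.accessTokens, store.refreshTokens]) {
    for (const [token, owner] of tokens) {
      if (owner === userId) tokens.delete(token);
    }
  }
  store.users.get(userId).linked = false;
}

// Webhook side: resolve the bearer token on every call, never a cached session.
function checkPin(store, accessToken, pin) {
  const userId = store.accessTokens.get(accessToken);
  if (!userId) return { status: 401, body: { error: 'invalid_token' } };
  const user = store.users.get(userId);
  if (pin === user.pin) {
    user.failures = 0;
    return { status: 200, body: { ok: true } };
  }
  user.failures += 1;
  if (user.failures >= MAX_PIN_FAILURES) {
    revokeUser(store, userId); // third failure: the link is gone immediately
    return { status: 401, body: { error: 'invalid_token' } };
  }
  const remaining = MAX_PIN_FAILURES - user.failures;
  return { status: 403, body: { error: 'wrong_pin', remaining } };
}

// Token endpoint side: a revoked refresh token gets RFC 6749's invalid_grant.
function refreshGrant(store, refreshToken) {
  const userId = store.refreshTokens.get(refreshToken);
  if (!userId) return { status: 400, body: { error: 'invalid_grant' } };
  const accessToken = `at-${store.accessTokens.size + 1}`; // placeholder value
  store.accessTokens.set(accessToken, userId);
  return { status: 200, body: { token_type: 'Bearer', access_token: accessToken, expires_in: 3600 } };
}
```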