-1

I have an Azure service using Azure Active Directory for authentication/authorization. I am trying to set up a Google Action fulfillment (using a webhook) to access this service for information regarding the user. Trying to use Account Linking for this.

The issue is I am not receiving an access token in my service when the action fulfillment makes the call via the webhook. It is supposed to be in the request body inside the User object. So I'm always getting a 401 response.

It seems the fulfillment expects to authenticate itself using the signed-in Google user's account via OAuth (correct me if I'm wrong). However, I'd like my service to authenticate each fulfillment request using a single Azure AD account, and not each individual Google user account. My Azure AD has no knowledge of Google users.

How would I achieve this? I have configured Account Linking to use OAuth using my service's secret and appId, etc. The setup is correct on the Azure side, since I can retrieve a valid token using Postman, for example.

shek
    @jww - The question is completely in scope. It is asking a programming question about Actions on Google, which is an API, trying to contact a webhook they have setup on Azure. AoG provides some authentication services, and the OP appears to be asking how those work with the auth services provided through Azure. This is not a system administration nor a webapp question. – Prisoner Sep 22 '18 at 18:06
  • Thanks @Prisoner. My bad. It looked like a configuration question to me. – jww Sep 23 '18 at 00:46
  • *Questions seeking debugging help ("why isn't this code working?") must include the desired behavior, a specific problem or error and the shortest code necessary to reproduce it in the question itself. Questions without a clear problem statement are not useful to other readers. See: [How to create a Minimal, Complete, and Verifiable example](http://stackoverflow.com/help/mcve).* – jww Sep 23 '18 at 00:46
  • For those downvoting - this is a programming design question. The question is relatively clear and makes sense within the problem domain. – Prisoner Sep 23 '18 at 11:55

1 Answer

2

It sounds like there are two different types of authentication you are trying to do here:

  1. You want to make sure that the call to your webhook is coming from Actions on Google.

  2. You want to know who the user is that is calling your Action.

As you noted, (2) is handled by including the auth token as part of the body of the request. You are expected to authenticate that once your webhook is called, which is why it is not provided as part of the Authentication header. This is what the Assistant does when it does Account Linking - if you don't need to do this, you don't need Account Linking enabled for your Action.

(1) is handled differently depending on how you have built your Action. If you are using the Action SDK, then a JWT will be sent in the header which you should verify as being for your project and signed by Google. If you are using Dialogflow, you can configure the fulfillment to send headers or basic authentication which you can verify on your webhook.

Neither the Action SDK nor Dialogflow support OAuth 2.0 / OpenID Connect headers when calling the fulfillment server (I don't know why for sure, but my speculation is that it adds a great deal of complexity for very minimal security benefit). If you can't support either of these schemes when you're dealing with (1), then you will need to set up a proxy that can do something like:

  1. Take the authentication information (either the JWT from the Action SDK or the static header information from Dialogflow)
  2. Verify it is valid
  3. Get a currently valid token against your AD
  4. Re-issue the command to your AD protected resource with the token.
Prisoner
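Added example (not code from the answer or either poster) sketching the proxy the four steps above describe, for the Dialogflow static-header case: it checks the inbound header in constant time, obtains an app-only token from Azure AD with the OAuth 2.0 client-credentials grant, caches it until shortly before expiry, and builds the `Authorization: Bearer` header for the re-issued call. The tenant, app id, secret, scope and `X-Webhook-Secret` header name are placeholders, and the `fetch` callable is injected so the token logic can run offline.

```python
import hmac
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Constructed placeholders (assumptions, not values from the question):
TENANT = "contoso.onmicrosoft.com"                  # Azure AD tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # proxy's app registration
CLIENT_SECRET = "replace-with-app-secret"
API_SCOPE = "api://protected-api-app-id/.default"   # scope of the AD-protected service
WEBHOOK_SECRET = "dialogflow-static-secret"         # header value Dialogflow is configured to send

def inbound_request_is_authentic(headers: Dict[str, str]) -> bool:
    """Steps 1-2: check the static header Dialogflow sends, with a constant-time compare."""
    return hmac.compare_digest(headers.get("X-Webhook-Secret", ""), WEBHOOK_SECRET)

class ClientCredentialsToken:
    """Step 3: app-only token from Azure AD via the OAuth 2.0 client-credentials
    grant, cached until shortly before expiry. `fetch(url, form)` POSTs the form
    and returns the decoded JSON; it is injected so the example runs offline."""
    def __init__(self, fetch: Callable[[str, Dict[str, str]], dict]):
        self._fetch, self._token, self._expires_at = fetch, None, 0.0

    def get(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - 60:   # refresh a minute early
            return self._token
        resp = self._fetch(
            f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
            {"grant_type": "client_credentials", "client_id": CLIENT_ID,
             "client_secret": CLIENT_SECRET, "scope": API_SCOPE})
        self._token = resp["access_token"]
        self._expires_at = now + float(resp["expires_in"])
        return self._token

def forward_headers(tokens: ClientCredentialsToken) -> Dict[str, str]:
    """Step 4: headers for the re-issued call to the AD-protected resource."""
    return {"Authorization": f"Bearer {tokens.get()}", "Content-Type": "application/json"}

def http_post_form(url: str, form: Dict[str, str]) -> dict:
    """Real fetcher for deployment (not exercised offline): POSTs x-www-form-urlencoded."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

For the Action SDK case, replace `inbound_request_is_authentic` with verification of the Google-signed JWT; the token-caching and forwarding parts stay the same.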
  • Thank you for breaking that down. I realize I was unclear. I do not want to do (2). There is no mapping between the Google user to any user in Azure. Instead, I want my app itself to be registered with AzureAD and use its own id/secret to authenticate against Azure and use an auth token for all of its webhook calls. Is this possible? Basically how can I set the `Authorization: Bearer ` header in my webhook(s) to call Azure dynamically based on Azure's Oauth. I won't be able to copy paste a permanent and static `` into the webhook setup. Seems account linking will achieve (2)? – shek Sep 23 '18 at 08:01
  • Updated my answer to hopefully address what you're asking, but I'm not sure you'll like the answer. – Prisoner Sep 23 '18 at 11:53
  • Thanks, makes sense. I expected a proxy would be needed. Also thanks for defending the question :) – shek Sep 23 '18 at 15:28