
I'm having issues with trying to set up account linking with Google Assistant.

I'm using Azure AD B2C for my identity provider.

I've created a User flow, so I have an authorize and token endpoint set up, and I created an Azure AD Application, so I have an App Id and an App Secret, and I set the redirect URL to https://oauth-redirect.googleusercontent.com/r/{google-project-name}/.

My Google account linking settings are shown below: Client ID is the App Id of the application I created in Azure AD.

Client Secret is the app secret of the application I created in Azure AD.

Auth URL is:

https://{b2c-name}.b2clogin.com/{b2c-name}.onmicrosoft.com/oauth2/v2.0/authorize?p={sign-in-policy-name}

Token URL is:

https://{b2c-name}.b2clogin.com/{b2c-name}.onmicrosoft.com/oauth2/v2.0/token?p={sign-in-policy-name}

Google Account Linking Settings

When I go to https://console.actions.google.com/project/{google-project-name}/simulator and try to go through the auth flow, it pops up the box, I put in my user name and password, and then it just stops.

I can see in Fiddler it redirects back to the redirect URL and then there is a 400.

{
  "error": {
    "code": 400,
    "message": "Bad response from IdP in Auth Code Exchange",
    "status": "FAILED_PRECONDITION"
  }
}

When I look in Fiddler at the request to the redirect URL, it looks as expected, with a state and code like this documentation says it should, so I'm not sure what I'm doing wrong. I've double checked my App Id and regenerated the key.

https://oauth-redirect.googleusercontent.com/r/YOUR_PROJECT_ID?code=AUTHORIZATION_CODE&state=STATE_STRING

I've seen a few questions with similar error messages but none of the fixes suggested helped or applied.

Any help would be appreciated.

  • Hi @nastassiar. The above scopes aren't requesting an access token from Azure AD B2C, which is expected to be returned to Google Assistant. What happens if you add the client ID to the list of scopes? – Chris Padgett Jul 16 '19 at 07:13
  • Sorry can you explain? I'm following this: https://developers.google.com/actions/identity/oauth2?oauth=code An authorization code is successfully returned in the response to my google redirect endpoint but then I get the 400. – nastassiar Jul 16 '19 at 17:51
  • My assumption is that once I return an auth code to Google it should make a call to my token endpoint with that code to exchange it for an access token. That call is never happening because Google is throwing a 400. – nastassiar Jul 16 '19 at 18:08
  • Hi @nastassiar. I believe this is happening but Google Assistant isn't accepting the Azure AD B2C response. I believe this is because the Azure AD B2C response doesn't contain the `access_token` parameter. I believe this is because you must add the client ID to the scope list in order to request an access token. – Chris Padgett Jul 17 '19 at 06:32
  • @ChrisPadgett I think you might be misunderstanding where I am in the flow. I am trying to send the authorization_code back to Google, and then it should make another call out to my AAD B2C endpoints, but this time the /token endpoint, to exchange the auth code for an access_token. Google isn't even making that call out because it is sending a 400 when it receives that auth_code. If you look at the documentation: https://developers.google.com/actions/identity/oauth2?oauth=code Google isn't expecting an access_token at this step. – nastassiar Jul 17 '19 at 20:00
  • And maybe I'm misunderstanding, but I think the client_id is a way for my OAuth server to identify that Google is who I think they are. Not the other way around. My understanding was that the scopes were what the token had access to. It wouldn't be necessary to grant the user/Google access to the client_id when Google already has it. – nastassiar Jul 17 '19 at 20:02
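
Added example, not part of the question or of Google's or Microsoft's code: a small Python check for the token-exchange step the comments disagree about. It builds the form body the relying party POSTs to the Token URL (RFC 6749 section 4.1.3) and lists why a reply would be rejected, for instance when it carries an id_token but no access_token. The required field names and both sample replies are assumptions, not captured from a real tenant.

```python
import json
from urllib.parse import urlencode

# Fields the relying party (Google) needs in the token-exchange reply
# (assumption: taken from the authorization-code flow in Google's OAuth linking docs).
REQUIRED_FIELDS = ("access_token", "token_type", "expires_in")


def build_token_request(token_url, client_id, client_secret, code, redirect_uri):
    """Build the form body Google POSTs to the Token URL (RFC 6749 section 4.1.3)."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
    return token_url, urlencode(form)


def check_token_response(status, body_text):
    """Return the reasons a relying party would reject this token reply ([] means OK)."""
    problems = []
    if status != 200:
        problems.append(f"HTTP {status} instead of 200")
    try:
        body = json.loads(body_text)
    except ValueError:
        return problems + ["body is not JSON"]
    if "error" in body:
        problems.append(f"IdP error: {body['error']}")
    for field in REQUIRED_FIELDS:
        if field not in body:
            problems.append(f"missing {field}")
    if "token_type" in body and str(body["token_type"]).lower() != "bearer":
        problems.append(f"unexpected token_type {body['token_type']!r}")
    return problems


# Constructed sample replies (not captured from a real tenant).
# An id_token-only reply is what a scope list with no access-token scope tends to yield.
SAMPLE_ID_TOKEN_ONLY = json.dumps({"id_token": "eyJ...", "token_type": "Bearer",
                                   "id_token_expires_in": 3600, "scope": "openid"})
SAMPLE_OK = json.dumps({"access_token": "eyJ...", "token_type": "Bearer",
                        "expires_in": 3600, "refresh_token": "0.AX..."})

if __name__ == "__main__":
    for name, reply in (("id_token only", SAMPLE_ID_TOKEN_ONLY), ("ok", SAMPLE_OK)):
        print(name, check_token_response(200, reply) or "accepted")
```

Pointing this at a captured Fiddler reply from the /token endpoint shows at a glance which field the relying party is missing.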
