3

So I'm trying to use the Home Graph API by calling the API endpoint 

https://homegraph.googleapis.com/v1/devices:requestSync

It is a HTTP POST request and it needs an ACCESS_TOKEN and service account key.

Getting the service account key is easily done as per Google's documentation. The issue is getting the ACCESS_TOKEN.

As per this documentation by Google, I need to get ACCESS_TOKEN created using the following scope of permissions

https://www.googleapis.com/auth/homegraph

I opened OAuth 2.0 Playground to request a developer temporary ACCESS_TOKEN for testing. I wrote all the necessary urls and in scope I wrote this- scope is written to be authorized

Now after this, I am navigated to my Authorization URL (ie, Google's sign in page). I login with email id and password.

If credentials are correct and scope mentioned is valid then I should have been redirected to OAuth playground page with authorization code which I would have exchanged for access token and refresh token.

But, what actually happens is after I enter my credentials, I get following error and I am never redirected to Oauth Playground page-

Authorization Error

Error 400: invalid_scope

Some requested scopes cannot be shown: [https://www.googleapis.com/auth/homegraph]

Request Details

access_type=offline

o2v=2 response_type=code

redirect_uri=https://developers.google.com/oauthplayground

prompt=consent client_id=xxxxxxxxx.apps.googleusercontent.com

scope=https://www.googleapis.com/auth/homegraph**

I searched a lot online too, but couldn't find the actual reason. So due to this issue with scope, I am not able to get ACCESS_TOKEN.

I have followed Google's documentation and the scope was mentioned there.

This is the pic from oauth 2.0 playground settings- OAuth 2.0 configuration

Prisoner
  • 49,922
  • 7
  • 53
  • 105
Swati
  • 33
  • 1
  • 5
  • Im not exactly sure i understand what you are trying to do. Google home should be linking to your authorization server though [account linking](https://developers.google.com/assistant/identity/oauth2?oauth=code) in order to authenticate your users. Google cant authenticate the users in your system. – Linda Lawton - DaImTo May 29 '20 at 06:46
  • It's a google user. If i navigate the user to google's authorization server, it should authenticate that user, right? I have updated the original question and added a screenshot in the end. – Swati May 29 '20 at 12:12
  • Google doesnt allow you to use their authorization server you need to use your own authorization server then use account linking to link their account on your server to their google account. – Linda Lawton - DaImTo May 29 '20 at 12:20
  • But my query is how will the ACCESS_TOKEN generated by my authorization server will be authorized by Google? I mean my ultimate goal is to make POST request to **https://homegraph.googleapis.com/v1/devices:requestSync** api. – Swati May 29 '20 at 12:23

2 Answers2

1

The issue is that you, a user, should not be getting and sending an access token. The service account should be getting and sending an access token. This is to make sure your service is authorized to talk to the Home Graph API.

You indicated you logged into the OAuth playground with "userid and password". But service accounts don't have passwords.

If you are using one of Google's libraries, it will take care of getting the access token for you, and this is the easiest way to do so. If you are just testing and need an access token, you can use something like oauth2l to get the access token based on the service account credentials.

Prisoner
  • 49,922
  • 7
  • 53
  • 105
  • sorry for late reply. I understand that to integrate requestSync call I can use action-on-google library. I was thinking if the same could have been done using simple http request to a Google API. But i guess that is not possible. We have to use the library. Correct? – Swati Jun 01 '20 at 14:26
1

I had implemented the REST approach to call HomeGraph Report State as below.

We need to follow the below steps:

  1. Create a service account for your project and safely store the json file
  2. Using the service account JSON, get the access token from Google
  3. Using Oauth 2.0 token as Bearer authorization, invoke Report State API

Step 1: This is straightforward. Please follow the steps in the below link https://developers.google.com/assistant/smarthome/develop/report-state#expandable-1

Step 2: Refer below code to get the Access token using service account json

GoogleCredentials credentials = GoogleCredentials
                .fromStream(Helper.class.getClassLoader().getResourceAsStream("smart-home-key.json"))
                .createScoped("https://www.googleapis.com/auth/homegraph");
        credentials.refreshIfExpired();
        AccessToken token = credentials.getAccessToken();
        return token.getTokenValue();

Step 3: Invoke Report State API

curl -X POST -H "Authorization: Bearer [[Access token from Step 2]]"
-H "Content-Type: application/json"
-d @request-body.json
"https://homegraph.googleapis.com/v1/devices:reportStateAndNotification"

Reference Links : https://developers.google.com/assistant/smarthome/develop/report-state#http-post https://cloud.google.com/endpoints/docs/openapi/service-account-authentication https://developers.google.com/identity/protocols/oauth2/service-account#httprest_1 https://developers.google.com/assistant/smarthome/develop/report-state#expandable-1

Jeyakumaar
  • 11
  • 3