0

I'm working on creating a smart home action for Google Assistant that will integrate with my REST API server, but I'm having trouble with the OAuth 2.0 step, detailed in this guide

Apparently, there are two endpoints needed:

  1. An authorization endpoint that returns an authorization code
  2. A token exchange endpoint that takes the auth code and returns access and refresh tokens

I understand the details of building these endpoints, with one exception. In the authorization code endpoint, you have to:

  1. Check if the user is signed in to your service. If the user isn't signed in, complete your service's sign-in or sign-up flow.
  2. Generate an authorization code for Google to use to access your API. The authorization code can be any string value, but it must uniquely represent the user, the client the token is for, and the code's expiration time, and it must not be guessable. You typically issue authorization codes that expire after approximately 10 minutes.

Both of these steps require that the OAuth server have information about the user, but the call to the endpoint (made by Google) only provides the following:

  • client_id
  • redirect_uri
  • state
  • scope
  • response_type
  • user_locale

As far as I know, none of these allow you to retrieve the user.

Is there something I'm missing here, or can I skip step 2 (signing in the user) and generate the auth code (step 3) without representing the user in the code?

I'm thinking the auth code needs to have user info so that when it is then sent to the token exchange endpoint, we can know which user to generate tokens for.

MattR
  • 127
  • 2
  • 11

2 Answers2

1

I have used keyclock server for OAuth 2.0 with an authorization code grant type for authentication.

In OAuth 2.0 with authorization code grant type, there are two types of URLs first is Auth URL and the second is Access Token URL

When Auth URL executes it will redirect to the login page where we need to login with our user name and password and it will give auth code

then google will use that code to create an access token and used token for accessing resource services like (SYNC, QUERY, EXECUTE, and DISCONNECT).

Hardik Dobariya
  • 21
  • 3
0

OAuth2.0 is not covered the authentication process, in fact it is the delegated authorization framework. But in a real-world situation, your system needs to know to whose resources you are going to grant access unless you only have a single group of resources and do not belong to any specific users (this case you can skip the authentication/login page).

As far as I know, none of these allow you to retrieve the user.

-> Yes, you are right. To solve this problem you need to create your login page as the authorization endpoint and make users to login with their credentials so that you will know exactly who is going to grant 3rd party (Google service) to access their resources.

Is there something I'm missing here, or can I skip step 2 (signing in the user) and generate the auth code (step 3) without representing the user in the code?

-> I think you misunderstand the concept of how Oauth2.0 is defined but yeah you can skip step No.2 and google doesn't care about it (if your requirement matches what I described above) they just recommend the usual flow.

I'm thinking the auth code needs to have user info so that when it is then sent to the token exchange endpoint, we can know which user to generate tokens for.

-> Yes, you are right.

Anukoon Suchinda
  • 26
  • 4