Reputation: 3827
"Accounts failed to link" error happens when I try to authorize Google Assistant at my Web service
First, I'd like to mention that problems like this had been discussed before in the topics like: How to authenticate user with just a Google account on Actions on Google?
But I could not find any information at all related to ways of linking Google Assistant app with my own web server.
Problem:
GET https://oauth-redirect.googleusercontent.com/r/my-google-assistant-app#access_token=ACCESS_TOKEN&token_type=bearer&state=STATE always returns "Account field to link" error 
A Way to Reproduce:
- I created a new project in Actions on Google Console
- I built an application using Dialogflow
- I created a Heroku Web Server as my webhook (ex: webhook.herokuapp.com)
So everything worked just fine. I've successfully connected my Google Assistant app with my webhook.
But then I decided to send requests to my another one Heroku Web Server (ex: webserver.herokuapp.com) which needs a user to be logged in. So I decided to implement account linking of my Google Assistant app with webserver.herokuapp.com
- I implemented Google-OAuth2 authorization at webserver.herokuapp.com. Also I want to mention that I used Client ID and Client Secret of my Google Assistant App
So, Google Authorization worked perfectly at my webserver.herokuapp.com
- Then I enabled account linking settings for my Google Assistant app with Implicit Flow
So, that's it!
Epilogue
I open Google Assistant, tell it "Talk to my test app", then it greets me and offers me to link accounts. I say "yes". Then I see how Google Assistant requests my login URL at webserver.herokuapp.com. Then I enter my Google email and password. As a result I logged in at my webserver! Then my webserver makes a redirection to:
And I get the error I've described at the top of my post.
Any help would be appreciated
UPDATE with parameter information
These are my constants:
Google Assistant Project_ID = nodejs-sdk-local-test
Google Assistant Client_ID = 1067979601708-ldr3ga115es3fdo823slfnj46gjoes66.apps.googleusercontent.com
state = manually_set_state_value
The flow is I open my Google Assistant and say "Ok Google, talk to my test app", it answers my request and then I say something like "do some action which need authorization". Google Assistant app offers me to link an account and I say "Yes".
This is where Google Assistant app makes a call to my
https://webserver.herokuapp.com/google-oauth2endpoint. A purpose of this endpoint is to redirect me to the Google Login Page.Now I'm being redirected to the Google Login Page (everything seems to be correct.
client_idandstateparameters are similar to the constants). This is the example of an URL where I am being redirected to:https://accounts.google.com/o/oauth2/auth?client_id=1067979601708-ldr3ga115es3fdo823slfnj46gjoes66.apps.googleusercontent.com&redirect_uri=http://webserver.herokuapp.com/complete/google-oauth2/&state=manually_set_state_value&response_type=code&scope=openid+email+profileAt the Google Login Page I enter my credentials and then I'm being redirected to the
redirect_uri=http://webserver.herokuapp.com/complete/google-oauth2endpoint. A purpose of this endpoint is to register or login me atwebserver.herokuapp.comand then redirect me to another Google URL. An example of the Google URL:https://oauth-redirect.googleusercontent.com/r/nodejs-sdk-local-test#access_token=<token_omitted>&token_type=bearer&state=manually_set_state_valueSo it seems that everything is correct. I logged in to my
webserver.herokuapp.com, got an access token. Alsoproject_idandstateparameter in the last Google URL are similar to constants. Anyway, this Google URL returns me an error "Accounts failed to link"!
Upvotes: 2
Views: 1996
Answers (1)
Reputation: 50701
The most common cause of this is that you're not passing back the same value for state that was sent to you when Google redirected to your site. Make sure this is the same value and, for your security, make sure you validate the other parameters that are sent to you as well.
When the user is redirected to https://webserver.herokuapp.com/google-oauth2, there should be some parameters sent as part of the query. Those parameters include a state parameter. It should look something like this:
https://myservice.example.com/auth?client_id=GOOGLE_CLIENT_ID&redirect_uri=REDIRECT_URI&state=STATE_STRING&response_type=token
Note that while the client_id and redirect_uri are values that you should expect and test for, the state value is not one that you would have set. Google generates a different one every time. This is the state that you should be using later when you redirect to
https://oauth-redirect.googleusercontent.com/r/nodejs-sdk-local-test#access_token=<token_omitted>&token_type=bearer&state=STATE_STRING
Upvotes: 2
Related Questions
- Got a google AIY Authorization Error while trying to connect to google cloud
- Dialogflow Google Assistant Integration error - "Internal error encountered"
- Account linking Google Assistant
- "MalformedResponse: Failed to parse Dialogflow response into AppResponse because of empty speech response" during OAuth Account Linking flow
- google assistant account linking faliure
- Account links successfully but access token shows invalid - Google OAuth
- Google Assistant - Account linking with Google Sign-In
- Actions on Google Account Linking - Google accounts cannot be used as Auth endpoint urls per our Account Linking policy
- Account Linking API.AI user email scope
- How to create account linking?