How to get user's unique identity from google

Posted 2020-03-07 06:16

Question:

I want to develop an application (action) on Google Home, which will return some confidential information to the user. So, I can't authenticate the user based on account linking as that device can be used by any person in the room. How can I get the user's unique identity (may be email id) from the voice match profile?

Answer 1:

Account Linking is tied to the specific user that says "Ok Google" or "Hey Google" to invoke your Action. If the user that says it does not have a registered voice on the device they use (they are an "anonymous" user), then they cannot do Account Linking. This sounds like the level of security you're aiming for and it isn't clear why you think otherwise.

You can get a user's unique identity (with or without Account Linking) by using app.getUser().userId if you're using the node.js library. However, if the user is "anonymously" on a device (no voice registration has been done, or they do not match a registered voice), this identity will change each session because there is no way to determine who the user is.

You cannot get the user's email ID. (And, even if you could, one would hope that it follows similar rules to handling anonymous users above.)

Update to clarify what I mean by an "anonymous" request:

When a user first sets up a Google Home device, they're prompted to register for Voice Match on that device. Registering their voice requires them to say "Ok Google" and "Hey Google" a few times so a voice pattern can be established. Afterwards, these trigger words spoken by this person will have the rest of the statement associated with their Google Assistant account. If they have done Account Linking to your service, their Google Assistant account (which is matched to their voice for the invocation phrase) is linked to your service.

Other users can be permitted to register for Voice Match for a device. This will associate their voice for the invocation phrases with their Google Assistant account. If that user has done Account Linking with your service, then their voice triggering the invocation phrase will have things associated with their linked account.

But what about someone who uses the Home without having set up Voice Match for that device? The invocation phrases still work. They can still invoke your Action. But what Assistant account is associated with it?

Since the specific Home device doesn't know the person invoking it and making the request, this is an "anonymous" user. Anonymous users can't do Account Linking, since there is no Assistant account that is associated with the request. Although there is a userID provided - this ID will change for every conversation since the device has no way to know that the anonymous person making the request this time was the same anonymous person making it last time.

But what happens if the user has set up a Home device, but has not set up Voice Match on it at all? For security reasons, the system has to assume that this is really a shared device and that all requests have to be handled anonymously.

Additional Update

The "anonymous UserID" that is talked about above has been deprecated and will be removed in May 2019.

It is now possible to get the user's email address, assuming they have registered it as part of their Google profile, by using Account Linking with Google Sign-In.

Conceptually, many other parts of the answer remain valid, although some details may have changed.



Answer 2:

You can use Account Linking for that purpose. If your phone is in locked state, then only the person whose voice will be registered in the phone will be able to invoke the Google Assistant using OK Google. If this type of invocation works for you, then go ahead and read the rest of the post. I've already posted a similar answer here

We have to enable the webhook first and we can see how to enable the webhook in the Dialogflow fulfillment docs. If we are going to use Google Assistant, then we have to enable the Google Assistant Integration in the integrations first. Then follow the steps mentioned below for the Account Linking in Actions on Google:

  1. Go to google cloud console -> APIs and Services -> Credentials -> OAuth 2.0 client IDs -> Web client -> Note the client ID, client secret from there -> Download JSON - from json note down the project id, auth_uri, token_uri -> Authorised Redirect URIs -> White list our app's URL -> in this URL fixed part is https://oauth-redirect.googleusercontent.com/r/ and append the project id in the URL -> Save the changes

  2. Actions on Google -> Account linking setup
     1. Grant type = Authorisation code
     2. Client info
        1. Fill up client id, client secret, auth_uri, token_uri
        2. Enter the auth uri as https://www.googleapis.com/auth and token_uri as https://www.googleapis.com/token
        3. Save and run
        4. It will show an error while running on the Google Assistant, but don't worry
        5. Come back to the account linking section in the assistant settings and enter auth_uri as https://accounts.google.com/o/oauth2/auth and token_uri as https://accounts.google.com/o/oauth2/token
        6. Put the scopes as https://www.googleapis.com/auth/userinfo.profile and https://www.googleapis.com/auth/userinfo.email and we are good to go.
        7. Save the changes.

  3. In the hosting server logs, we can see the access token value and through access token, we can get the details regarding the email address.

  4. Append the access token to this link "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" and we can get the required details in the resulting json page.
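  5. import requests
     # Access token of the linked account, read from the webhook request body
     accessToken = req.get("originalRequest").get("data").get("user").get("accessToken")
     # Userinfo link from step 4 with the access token appended
     link = "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" + accessToken
     r = requests.get(link)
     print("Email Id= " + r.json()["email"])
     print("Name= " + r.json()["name"])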
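Added example, not part of either answer: a webhook-side check that combines the two answers by treating a request with no `accessToken` as the anonymous user of Answer 1 and sending the token to the userinfo endpoint in an `Authorization: Bearer` header, so it stays out of URLs and access logs. The function names, the injected `fetch_profile` callable and the sample request and profile are assumptions constructed for illustration.

```python
import json
import urllib.request

# Userinfo endpoint from step 4 of the answer above.
USERINFO_URL = "https://www.googleapis.com/oauth2/v1/userinfo"


def extract_access_token(req):
    """Return the linked-account token from the webhook body, or None.

    Walks originalRequest -> data -> user -> accessToken (the path used in
    the answer) without raising when a level is missing, which is what an
    anonymous or unlinked user looks like.
    """
    node = req
    for key in ("originalRequest", "data", "user", "accessToken"):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, str) and node else None


def build_userinfo_request(token):
    """Build the userinfo request with the token in a header, not the URL."""
    return urllib.request.Request(
        USERINFO_URL, headers={"Authorization": "Bearer " + token}
    )


def fetch_profile_over_https(request):
    """Real network call; kept separate so the logic can be exercised offline."""
    with urllib.request.urlopen(request, timeout=5) as resp:
        return json.load(resp)


def identify_user(req, fetch_profile=fetch_profile_over_https):
    """Return the verified email of the linked user, or None.

    None means: do not return confidential data for this request.
    """
    token = extract_access_token(req)
    if token is None:
        return None  # anonymous / no Account Linking: nothing to look up
    profile = fetch_profile(build_userinfo_request(token))
    email = profile.get("email")
    # Only accept an address Google reports as verified.
    if not email or profile.get("verified_email") is not True:
        return None
    return email
```

In the webhook handler, call `identify_user(req)` first and answer with a generic prompt to link an account whenever it returns `None`.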