Dialogflow, Google Account Linking and ASP.NET Cor

Posted 2020-07-22 17:06

Question:

I am a student working on an NLP app for the Google Home for my senior design project. I am wondering specifically:

  1. What is the correct way to implement Google Account Linking and what does Google Account linking provide for registering/authenticating users via Dialogflow (i.e. what the dataflow looks like from initial query to Google logging in, back to Dialogflow, then to my ASP.NET Core API handler).
  2. Does Account Linking return a bearer token in the header back to Dialogflow and thus, back to my handler? Or do I have to parse the originalRequest JSON object to get the user information then validate it against the identity provider?
  3. How can I get the user’s information from the Dialogflow request in my webhook (ASP.NET Core API)? Do I have to parse the originalRequest JSON object to get the user info? From my understanding, and from this awesome tutorial, the HttpContext should be populated after verifying the JWT token. What is still unclear is how to get the token from Dialogflow and Google Account linking.

I appreciate any help or guidance you can provide for implementing user authentication/authorization from Dialogflow to my .NET webhook.

Answer 1:

Lots of questions. Let's take them one by one and try to clear up some things.

What is the correct way to implement Google Account Linking [between the Google Assistant and my system]?

First - you need to understand what Account Linking is.

It lets you provide a way for you to authorize a user access to your services. Google uses this to connect a Google Assistant account to an account on your system.

Since this is against your system, the "correct way" depends on your infrastructure. But in general - it means that you'll be issuing OAuth tokens for Google to use and hand back to your webhook. Details for what is expected are in the Actions on Google documentation.

To be clear - you need to be an OAuth server.

What does Google Account linking provide for registering/authenticating users via Dialogflow?

Nothing.

Well, mostly nothing.

All it will do is hand the user off to your OAuth authorization endpoint if it does not already have authorization for that user. It expects you to hand back tokens that it will use.

Does Account Linking return a bearer token in the header back to Dialogflow and thus, back to my handler? Or do I have to parse the originalRequest JSON object...

The auth token (which you have issued, because you're the OAuth server) will be sent in the JSON object at originalRequest.data.user.accessToken.

...to get the user information then validate it against the identity provider?

You are responsible for validating that the access token is one that you issued and is still valid and then... doing whatever you want with it. One assumes that you'll use it to figure out who the user is, however. How you do that (looking it up in a table, passing it to another service, getting the info out of a JWT, etc) is entirely up to you and how you've implemented the OAuth service and what the format of the token is.

How can I get the user's information from the Dialogflow request?

It depends what "user information" you're expecting. By default, Actions on Google and Dialogflow won't give you any information unless you ask for it - and you don't ask for it via Account Linking. You ask for it via using the Actions on Google permission system. But even the permission system won't give you information you may want (most people want email address - which you can't request).

If you want to do it via account linking - you need to request that information when you set up their account.

Do I have to parse the originalRequest JSON object to get the user info?

If you are using permissions, then yes.

If you're not, then while you can parse the JSON to get whatever is sent (the anonymous user ID), it won't just give you information from their Google Assistant account.

Account linking isn't about getting access to their Actions on Google account - it is about getting access to the account in your system when they access your service via the Google Assistant.

HttpContext should be populated after verifying the JWT token

That article talks about using Firebase Authentication as the OAuth server and how to handle it as a client.

Actions on Google turns this around. You need to be the server. It is the client.

It is certainly possible to build a server that uses Firebase Authentication to authenticate users if that is what you wish to do, and to issue JWT tokens as your bearer tokens, but neither of those is a requirement.
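
An added example, not part of the original answer, of the check described above: read the token from originalRequest.data.user.accessToken and accept it only if your own OAuth server issued it and it has not expired. `IssuedTokenStore`, `WebhookAuth`, the sample token and the user id are hypothetical, and an opaque-token lookup is assumed (a JWT would be verified by signature and claims instead).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed sample: a token this server "issued" at linking time, and two webhook bodies.
var now = DateTimeOffset.UtcNow;
var store = new IssuedTokenStore();
store.Issue("constructed-token-123", "local-user-42", now.AddHours(1));
const string body = "{\"originalRequest\":{\"data\":{\"user\":{\"accessToken\":\"constructed-token-123\"}}}}";
Console.WriteLine(store.Validate(WebhookAuth.ExtractAccessToken(body), now) ?? "reject (401)");
Console.WriteLine(store.Validate(WebhookAuth.ExtractAccessToken("{\"originalRequest\":{}}"), now) ?? "reject (401)");

// Hypothetical store of issued tokens, keyed by SHA-256 so raw tokens are not kept at rest
// and lookup never compares the secret byte by byte.
public sealed class IssuedTokenStore
{
    private readonly Dictionary<string, (string UserId, DateTimeOffset Expires)> _byHash = new();
    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    public void Issue(string token, string userId, DateTimeOffset expires) =>
        _byHash[Hash(token)] = (userId, expires);

    // Returns the local user id, or null when the token is missing, unknown or expired.
    public string? Validate(string? token, DateTimeOffset now) =>
        !string.IsNullOrEmpty(token)
        && _byHash.TryGetValue(Hash(token), out var e) && e.Expires > now ? e.UserId : null;
}

public static class WebhookAuth
{
    // Walks originalRequest.data.user.accessToken; malformed JSON or a missing level yields null.
    public static string? ExtractAccessToken(string body)
    {
        try
        {
            using var doc = JsonDocument.Parse(body);
            JsonElement el = doc.RootElement;
            foreach (var name in new[] { "originalRequest", "data", "user", "accessToken" })
            {
                if (el.ValueKind != JsonValueKind.Object || !el.TryGetProperty(name, out var next)) return null;
                el = next;
            }
            return el.ValueKind == JsonValueKind.String ? el.GetString() : null;
        }
        catch (JsonException) { return null; }
    }
}
```

In an ASP.NET Core handler, a null result from `Validate` is the point at which to refuse the request rather than fall back to the anonymous user ID.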