5 votes

We are building a smart home app using Actions on Google for the Google Home. Our app requires signing into our system to be able to access the user's devices so they can control them using their voice over Google Home. Our user backend is built using AWS Cognito. We are using API.AI as part of the Google Home app.

I have configured the Cognito OAuth2 endpoint and the Actions on Google app to work with each other using the auth code flow and varying scopes, but there is something I am missing. When I attempt to link the user account to the Google Home app I get redirected to our login page. After filling out the user details I'm returned to the Google Home 'Discover' tab, but there is a message across the bottom that states: 'Bad response from IdP in Auth Code Exchange'.

I have also tried it using Google's OAuth2 Playground. It seems that when using that I am able to get the code from our OAuth server, but when trying to exchange the code for a token I get the following error:

HTTP/1.1 400 Bad Request
Strict-transport-security: max-age=31536000 ; includeSubDomains
X-content-type-options: nosniff
X-application-context: application:prod:8443
Transfer-encoding: chunked
Set-cookie: XSRF-TOKEN=35f58337-76f4-4993-a0c9-93429134ea42; Path=/; Secure; HttpOnly
Expires: 0
Server: Server
Connection: keep-alive
X-amz-request-id: 284d862e-b021-4079-b5f5-3cbce675983c
X-xss-protection: 1; mode=block
Pragma: no-cache
Cache-control: no-cache, no-store, max-age=0, must-revalidate
Date: Wed, 23 Aug 2017 13:51:42 GMT
X-frame-options: DENY
Content-type: application/json;charset=UTF-8
{
  "error": "invalid_client"
}

I have checked and rechecked the client ID and client secret etc and cannot find any errors.

Does anyone have any idea how I might fix this problem?

Thanks in advance

I'm having a similar issue. Via the OAuth2 Playground everything works fine: I get the auth token and then exchange this for an access token, and I can then submit requests to my app and it all works fine. When I try to use it via the simulator I get redirected to a blank page with a chance to re-run the flow. If I try on my app it just doesn't authenticate properly. - Gaz
@Gazeth When you say 'If I try on my app', are you referring to your Google Home 'app' inside the Google Home app on your phone, or actually in your phone app? - HumanTarget
I mean trying in the Google Home app. I type "Talk to CMAP" and it gives me the card to link accounts, which I click, fill in my login details, but the auth never goes through properly. - Gaz
When you run it in the Google Home app, is there an error message displayed along the bottom? There should be a grey bar along the bottom with some sort of error message in it if it didn't work properly. Also, can I ask what kind of app you are writing? Is it for a smart home device? A pure conversational app? - HumanTarget
I don't get any message. The app is connecting to our SaaS product to enable the user to ask questions about their schedule and project status. - Gaz

1 Answer

1 vote

OK, maybe I know the reason. If you use AWS Cognito, then according to this doc (http://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html):

Authorization: If the client was issued a secret, the client must pass its client_id and client_secret in the authorization header through Basic HTTP authorization. The secret is Basic Base64Encode(client_id:client_secret).

So they need to put the client ID and client secret in the header.

Then I used an AWS HTTP proxy and captured the request from Google's process:

Method request headers: {X-Cloud-Trace-Context=d7b6b9b8239965baf69acab659e80a01/13879251242019662389, CloudFront-Viewer-Country=US, CloudFront-Forwarded-Proto=https, CloudFront-Is-Tablet-Viewer=false, CloudFront-Is-Mobile-Viewer=false, User-Agent=google-oauth-playground AppEngine-Google; (+http://code.google.com/appengine; appid: s~oauth2playground), X-Forwarded-Proto=https, CloudFront-Is-SmartTV-Viewer=false, Host=en75z5h2rb.execute-api.us-east-1.amazonaws.com, Accept-Encoding=gzip, deflate, X-Forwarded-Port=443, X-Amzn-Trace-Id=Root=1-5a0fcef2-09197cd86a625ad47d78f0b7, Via=1.1 d63a8908759a2f4775b3f672ebf823cc.cloudfront.net (CloudFront), X-Amz-Cf-Id=nFdLK97vAS5HvmpNYkPpbUMOB4bCaM6pScHWTAReAnonLg1gXF7hSg==, X-Forwarded-For=107.178.195.199, 54.182.238.53, content-type=application/x-www-form-urlencoded, CloudFront-Is-Desktop-Viewer=true}

There is no Authorization header in the request, so Cognito returns:

"error": "invalid_client"

According to the OAuth 2.0 spec (https://tools.ietf.org/html/rfc6749#section-2.3.1)

I have already asked AWS Support. They said:

Thanks for contacting AWS Support and providing us with detailed references. I would be happy to assist with your question regarding Cognito supporting client credentials in the request-body.

After reading through the OAuth 2.0 standard, RFC 6749 [0], it looks like including the client credentials in the request body is not recommended. Here's an excerpt from the spec:

"Including the client credentials in the request-body using the two parameters is not recommended and should be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes)."
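As an added example (not code from the question, the answer, or AWS), the script below builds the authorization-code token request both ways and runs each through a small stand-in for the token endpoint that applies only the rule the Cognito doc quoted above describes: a client that was issued a secret must authenticate with HTTP Basic, and a request without that header fails with invalid_client whatever the body contains. The client ID, secret, redirect URI and code are constructed placeholders, and mock_cognito_token_endpoint is an assumed model of that one step, not the AWS service. It also applies the RFC 6749 section 2.3.1 detail the Cognito doc glosses over: the id and secret are form-urlencoded before being joined and Base64-encoded, which only matters when either contains characters outside the unreserved set.

```python
"""Authorization-code exchange against a token endpoint that only accepts
client authentication via HTTP Basic (RFC 6749 section 2.3.1), which is
what the Cognito token-endpoint documentation describes.

Added example. All values below are constructed placeholders, and
mock_cognito_token_endpoint() is an assumed model of the client
authentication step only, not the real AWS service.
"""
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed placeholder values (not real credentials or identifiers).
CLIENT_ID = "1example23456789"
CLIENT_SECRET = "s3cr3t-value"
REDIRECT_URI = "https://oauth-redirect.googleusercontent.com/r/example-project"
AUTH_CODE = "constructed-auth-code"
# What the (mock) authorization server has registered for the client.
REGISTERED_CLIENTS = {CLIENT_ID: CLIENT_SECRET}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization value per RFC 6749 2.3.1: each part form-urlencoded,
    joined with ':' and Base64-encoded. For alphanumeric ids and secrets
    this equals the plain Base64(client_id:client_secret) the Cognito doc shows."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_token_request(code, client_id, client_secret, redirect_uri,
                        credentials_in="header"):
    """Return (headers, form_body) for the authorization_code grant.

    credentials_in="header": the secret travels in a Basic Authorization
    header (required by Cognito for a client that was issued a secret).
    credentials_in="body": client_secret is sent as a form parameter, the
    variant RFC 6749 discourages and Cognito rejects."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    if credentials_in == "header":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif credentials_in == "body":
        params["client_secret"] = client_secret
    else:
        raise ValueError("credentials_in must be 'header' or 'body'")
    return headers, urlencode(params)


def mock_cognito_token_endpoint(headers, body, registered=REGISTERED_CLIENTS):
    """Assumed model of the token endpoint's client-authentication step:
    no valid Basic Authorization header means invalid_client, regardless
    of any client_secret in the body. Returns (http_status, json_dict)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 400, {"error": "invalid_client"}
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return 400, {"error": "invalid_client"}
    cid, _, secret = decoded.partition(":")
    cid, secret = unquote(cid), unquote(secret)  # undo the 2.3.1 form-encoding
    expected = registered.get(cid)
    # Constant-time compare of the secret once the client is known.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return 400, {"error": "invalid_client"}
    form = parse_qs(body)
    # A client_id in the body must agree with the authenticated client.
    if form.get("client_id", [cid]) != [cid]:
        return 400, {"error": "invalid_client"}
    if form.get("grant_type") != ["authorization_code"] or "code" not in form:
        return 400, {"error": "invalid_request"}
    return 200, {"access_token": "constructed-access-token",
                 "token_type": "Bearer", "expires_in": 3600}


def exchange(credentials_in):
    """Build the request one way and run it through the mock endpoint."""
    headers, body = build_token_request(AUTH_CODE, CLIENT_ID, CLIENT_SECRET,
                                        REDIRECT_URI, credentials_in)
    return mock_cognito_token_endpoint(headers, body)


if __name__ == "__main__":
    for mode in ("body", "header"):
        status, payload = exchange(mode)
        print(f"credentials in {mode}: HTTP {status} {payload}")
```

The body variant reproduces the outcome of the captured request above: with no Authorization header, the credentials in the form body are never looked at and the endpoint answers 400 invalid_client, so rechecking the ID and secret cannot help. The header variant is the shape a client must produce for a Cognito app client that has a secret. Where the OAuth client cannot be made to send Basic auth, the remaining options are an app client without a secret (so no client authentication is expected) or a proxy in front of the token endpoint that moves the body credentials into the header.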