1
votes

I am a Moodle administrator and I would like to connect the Dialogflow chatbot – Google Assistant – Moodle site (Moodle site = backend server = mysite). When a Dialogflow intent asks for private user data from Moodle via a webhook, the intent requires sign in, and the user must be identified on the server. I would like to use the OAuth-based Google Sign-in linking concept.

The implemented services:

  1. The Dialogflow and Moodle are connected via a webhook. Fulfillment – Webhook URL: mysite/client.php. The client.php file is on the Moodle server (backend server). The intent uses webhook and Moodle sends the answer in JSON format.

  2. Google OAuth 2 client was created. URIs: mysite. Authorized redirect URIs:
     - mysite/callback.php (Google APIs Client Library for PHP - Sign In requires)
     - oauth-redirect.googleusercontent.com/r/DialogflowBotID (DialogflowBot requires)
     - mysite/moodle37/admin/oauth2callback.php (Moodle requires)

  3. The Google OAuth 2 and the Moodle are connected (https://docs.moodle.org/39/en/OAuth_2_Google_service). The OAuth2 Google Cloud service is set in the Moodle, for enabling users to log in to Moodle with a Google account. At first, before the chats, the user logs in: Google authenticates the user, sends user data to the Moodle and the Moodle stores the user’s Gmail address in the ‘mdl_auth_oauth2_linked_login’ MySQL table. In Google terminology: the user’s information exists in the backend server.

  4. The Dialogflow and Google Assistant are connected via Account linking (developers.google.com/assistant/identity/google-sign-in-oauth).
     - Linking type: OAuth & Google Sign In – Implicit
     - Authorization URL: mysite/login.php
     - Token URL: oauth2.googleapis.com/token
     - Google OAuth Client
     - Client ID issued by your Actions to Google: 169222114038 …
     - Client secret: RPF …
     - Client ID issued by Google to your Actions: 169222114038 …
     - Scopes: profile, email
     - [x] Google to transmit clientID and secret via HTTP basic auth header

The intent invokes the Google Sign In window, the user logs in, the redirect URI: oauth-redirect.googleusercontent.com/r/DialogflowBotID (Before you can use chat, I need to link your chat account to Google. Is that okay? Great, Tamás! Your learning chat account is now linked to Google.)

  5. Google Sign-In for Websites - Authenticate with a backend server (developers.google.com/identity/sign-in/web/backend-auth). The Google API Client Library (github.com/googleapis/google-api-php-client) was installed on the Moodle server. The login.php and callback.php files are in the same directory as the client.php. The mysite/login.php invokes the Google Sign In window (accounts.google.com/signin/oauth ... ) and will be redirected to the mysite/callback.php. The callback.php handles the OAuth server response, verifies the token and contains:
     - user data, email address (same as the email address in Moodle)
     - access_token: ya29.a0 …
     - refresh_token = 1//09M8- …
     - id_token = eyJhbGciOi …

     The callback.php selects the user email address from the backend server database and if (stored backend email == received token email) establishes an authenticated session for the user.

The callback.php file will be redirected to DialogflowBot:

    $redirect_url = 'https://oauth-redirect.googleusercontent.com/r/DialogflowBotID#access_token=' . $access_token . '&token_type=bearer&state=' . $STATE_STRING;
    header('Location: ' . filter_var($redirect_url, FILTER_SANITIZE_URL));

Actions Console – Test in Simulator: Before you can use learning chat, I need to link your learning chat account to Google. Is that okay? Yes Linked: Great, Tamás! Your learning chat account is now linked to Google.

The 1 2 3 4 5 services work separately.

My questions are:

  1. developers.google.com/assistant/identity/oauth-concept-guide says: After the user logs in and credentials are verified, your service creates a long-lived access token and returns it to Google. How can I create a long-lived access token on my backend server?

  2. After the user verification, how can I redirect the callback.php to the Dialogflow bot? I used this:

    $redirect_url = 'https://oauth-redirect.googleusercontent.com/r/DialogflowBotID#access_token=' . $access_token . '&token_type=bearer&state=' . $STATE_STRING;
    header('Location: ' . filter_var($redirect_url, FILTER_SANITIZE_URL));

Is this proper?

  3. The client.php provides the JSON webhook response, but does not contain the token and state. The callback.php includes the token and state, but cannot answer the webhook. How can I connect the client.php, login.php, callback.php files?

  4. I tried to sign out the user and unlink the account.

    // Clear the local session values, then revoke the token at Google.
    unset($_SESSION["auto"]);
    unset($_SESSION['accesToken']);
    $client->revokeToken($accessToken);
    $client->revokeToken();

How does a user unlink the linked account? On the phone? Or on the website?


1 Answers

0
votes
  1. Implementation of long-lived tokens is your implementation. Please be aware of some of these considerations.

  2. Correct. More info, see Handle authorization requests

  3. Not familiar with your implementation. Each request to the server-side will contain the access token. So, this is your implementation.

  4. Also, this is your implementation. But essentially, you need a way to track long-lived tokens.
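
One way to create, track and revoke the long-lived token that questions 1 and 4 ask about, as an added example that is not the asker's or the answerer's code. The `link_tokens` table, the function names and the SQLite in-memory database (a stand-in for the Moodle database) are assumptions; the backend generates the token itself and stores only its SHA-256 hash.

```php
<?php
declare(strict_types=1);
// Added example. Table name, function names and the SQLite in-memory
// database (stand-in for the Moodle database) are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE link_tokens (
    token_hash TEXT PRIMARY KEY, email TEXT NOT NULL, revoked INTEGER NOT NULL DEFAULT 0)');

// callback.php: after the user is verified, mint an opaque random token.
function issue_link_token(PDO $pdo, string $email): string {
    $token = bin2hex(random_bytes(32));               // 256 bits from the CSPRNG
    $pdo->prepare('INSERT INTO link_tokens (token_hash, email) VALUES (?, ?)')
        ->execute([hash('sha256', $token), $email]);  // store only the hash
    return $token;
}

// callback.php: build the redirect only for the one registered redirect URI;
// $redirectUri and $state are the values login.php received in the request.
function build_redirect(string $redirectUri, string $token, string $state): string {
    $registered = 'https://oauth-redirect.googleusercontent.com/r/DialogflowBotID';
    if ($redirectUri !== $registered) {
        throw new InvalidArgumentException('unexpected redirect_uri');
    }
    $fragment = http_build_query(
        ['access_token' => $token, 'token_type' => 'bearer', 'state' => $state],
        '', '&', PHP_QUERY_RFC3986);
    return $registered . '#' . $fragment;
}

// client.php: map the token sent with a webhook request back to a user.
function user_for_token(PDO $pdo, string $token): ?string {
    $stmt = $pdo->prepare('SELECT email FROM link_tokens WHERE token_hash = ? AND revoked = 0');
    $stmt->execute([hash('sha256', $token)]);
    $email = $stmt->fetchColumn();
    return $email === false ? null : (string) $email;
}

// Unlink: revoke every token issued to this user.
function revoke_tokens_for(PDO $pdo, string $email): void {
    $pdo->prepare('UPDATE link_tokens SET revoked = 1 WHERE email = ?')->execute([$email]);
}

// Constructed sample values.
$token = issue_link_token($pdo, 'student@example.com');
echo build_redirect('https://oauth-redirect.googleusercontent.com/r/DialogflowBotID',
    $token, 'constructed-state'), PHP_EOL;
var_dump(user_for_token($pdo, $token));   // lookup while linked
revoke_tokens_for($pdo, 'student@example.com');
var_dump(user_for_token($pdo, $token));   // lookup after unlink
```

Reading the token out of the webhook request in client.php is not shown; `user_for_token()` takes it as a plain string.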