Error Occurred During Logon Try Logging in Again Failed to Refresh Access Token
The OAuth-based Google Sign-in "Streamlined" linking type adds Google Sign-In on top of OAuth-based account linking. This provides seamless voice-based linking for Google users while also enabling account linking for users who registered to your service with a non-Google identity.
This linking type begins with Google Sign-In, which allows you to check if the user's Google profile information exists in your system. If the user's information isn't found in your system, a standard OAuth flow begins. The user can also choose to create a new account with their Google profile information.
To perform account linking with the Streamlined linking type, follow these general steps:
- First, ask the user to give consent to access their Google profile.
- Use the information in their profile to identify the user.
- If you can't find a match for the Google user in your authentication system, the flow proceeds depending on whether you configured your Actions project in the Actions console to allow user account creation via voice or only on your website.
- If you allow account creation via voice, validate the ID token received from Google. You can then create a user based on the profile information contained in the ID token.
- If you don't allow account creation via voice, the user is transferred to a browser where they can load your authorization page and complete the user creation flow.
Support account creation via voice
If you allow user account creation via voice, Assistant asks the user whether they want to do the following:
- Create a new account on your system using their Google account information, or
- Sign in to your authentication system with a different account if they have an existing non-Google account.
Allowing account creation via voice is recommended if you want to minimize the friction of the account creation flow. The user only needs to leave the voice flow if they want to sign in using an existing non-Google account.
Disallow account creation via voice
If you disallowed user account creation via voice, Assistant opens the URL to the web site that you provided for user authentication. If the interaction is happening on a device that doesn't have a screen, Assistant directs the user to a phone to continue the account linking flow.
Disallowing creation is recommended if:
- You do not want to let users that have non-Google accounts create a new user account, and want them to link to their existing user accounts in your authentication system instead. For example, if you offer a loyalty program, you might want to make sure that the user doesn't lose the points accrued on their existing account.
- You need to have full control of the account creation flow. For instance, you could disallow creation if you need to show your terms of service to the user during account creation.
Implement OAuth-based Google Sign-in "Streamlined" linking
Accounts are linked with industry standard OAuth 2.0 flows. Actions on Google supports the implicit and authorization code flows.
In the implicit code flow, Google opens your authorization endpoint in the user's browser. After successful sign in, you return a long-lived access token to Google. This access token is now included in every request sent from the Assistant to your Action.
In the authorization code flow, you need two endpoints:
- The authorization endpoint, which is responsible for presenting the sign-in UI to your users that aren't already signed in and recording consent to the requested access in the form of a short-lived authorization code.
- The token exchange endpoint, which is responsible for two types of exchanges:
  - Exchanges an authorization code for a long-lived refresh token and a short-lived access token. This exchange happens when the user goes through the account linking flow.
  - Exchanges a long-lived refresh token for a short-lived access token. This exchange happens when Google needs a new access token because the one it had expired.
Although the implicit code flow is simpler to implement, Google recommends that access tokens issued using the implicit flow never expire, because using token expiration with the implicit flow forces the user to link their account again. If you need token expiration for security reasons, you should strongly consider using the auth code flow instead.
Configure the project
To configure your project to use Streamlined linking, follow these steps:
- Open the Actions console and select the project you want to use.
- Click on the Develop tab and choose Account linking.
- Enable the switch next to Account linking.
- In the Account creation section, select Yes.
- In Linking type, select OAuth & Google Sign In and Implicit.
- In Client Information, do the following:
  - Assign a value to Client ID issued by your Actions to Google to identify requests coming from Google.
  - Insert the URLs for your Authorization and Token Exchange endpoints.
- Click Save.
Implement your OAuth server
To support the OAuth 2.0 implicit flow, your service makes an authorization endpoint available by HTTPS. This endpoint is responsible for authenticating and obtaining consent from users for data access. The authorization endpoint presents a sign-in UI to your users that aren't already signed in and records consent to the requested access.
When your Action needs to call one of your service's authorized APIs, Google uses this endpoint to get permission from your users to call these APIs on their behalf.
A typical OAuth 2.0 implicit flow session initiated by Google has the following flow:
- Google opens your authorization endpoint in the user's browser. The user signs in if not signed in already, and grants Google permission to access their data with your API if they haven't already granted permission.
- Your service creates an access token and returns it to Google by redirecting the user's browser back to Google with the access token attached to the request.
- Google calls your service's APIs, and attaches the access token with each request. Your service verifies that the access token grants Google authorization to access the API and then completes the API call.
When your Action needs to perform account linking via an OAuth 2.0 implicit flow, Google sends the user to your authorization endpoint with a request that includes the following parameters:
| Authorization endpoint parameters | |
|---|---|
| client_id | The client ID you assigned to Google. |
| redirect_uri | The URL to which you send the response to this request. |
| state | A bookkeeping value that is passed back to Google unchanged in the redirect URI. |
| response_type | The type of value to return in the response. For the OAuth 2.0 implicit flow, the response type is always token. |
For example, if your authorization endpoint is available at https://myservice.example.com/auth, a request might look like:
GET https://myservice.example.com/auth?client_id=GOOGLE_CLIENT_ID&redirect_uri=REDIRECT_URI&state=STATE_STRING&response_type=token
For your authorization endpoint to handle sign-in requests, do the following steps:
- Verify the client_id and redirect_uri values to prevent granting access to unintended or misconfigured client apps:
  - Confirm that the client_id matches the client ID you assigned to Google.
  - Confirm that the URL specified by the redirect_uri parameter has the following form:
    https://oauth-redirect.googleusercontent.com/r/YOUR_PROJECT_ID
    YOUR_PROJECT_ID is the ID found on the Project settings page of the Actions Console.
- Check if the user is signed in to your service. If the user isn't signed in, complete your service's sign-in or sign-up flow.
- Generate an access token that Google will use to access your API. The access token can be any string value, but it must uniquely represent the user and the client the token is for and must not be guessable.
- Send an HTTP response that redirects the user's browser to the URL specified by the redirect_uri parameter. Include all of the following parameters in the URL fragment:
  - access_token: the access token you just generated
  - token_type: the string bearer
  - state: the unmodified state value from the original request
  The following is an example of the resulting URL:
  https://oauth-redirect.googleusercontent.com/r/YOUR_PROJECT_ID#access_token=ACCESS_TOKEN&token_type=bearer&state=STATE_STRING
- Google's OAuth 2.0 redirect handler will receive the access token and confirm that the state value hasn't changed. After Google has obtained an access token for your service, Google will attach the token to subsequent calls to your Action as part of the AppRequest.
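The steps above, together with the access-token check described under "Handle data access requests" at the end of this page, as an added Python example; this is not Google's code. The client ID, project ID, in-memory token store and user IDs are constructed stand-ins, and the web-framework glue (parsing the query string, emitting the 302) is left to the caller. Note that the redirect_uri check is an exact string comparison, and that the token is placed in the URL fragment, not the query string.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed configuration; real values come from the Actions console.
GOOGLE_CLIENT_ID = "client-id-assigned-to-google"     # assumption
ACTIONS_PROJECT_ID = "my-actions-project"             # assumption
EXPECTED_REDIRECT_URI = (
    "https://oauth-redirect.googleusercontent.com/r/" + ACTIONS_PROJECT_ID
)

# In-memory token store: token -> (user_id, client_id, expiry or None).
# A real service would persist this.
TOKENS = {}


class AuthError(Exception):
    """The authorization request itself is invalid; do not redirect."""


def validate_auth_request(params):
    """Check client_id, redirect_uri, response_type and state; return state.

    `params` is the parsed query string as a plain dict.
    """
    if params.get("client_id") != GOOGLE_CLIENT_ID:
        raise AuthError("unknown client_id")
    # Exact match only: no prefix matching, no extra path, query or fragment.
    if params.get("redirect_uri") != EXPECTED_REDIRECT_URI:
        raise AuthError("redirect_uri is not Google's handler for this project")
    if params.get("response_type") != "token":
        raise AuthError("implicit flow requires response_type=token")
    if not params.get("state"):
        raise AuthError("missing state")
    return params["state"]


def is_valid_auth_request(params):
    """Boolean form of validate_auth_request, handy for handlers and tests."""
    try:
        validate_auth_request(params)
        return True
    except AuthError:
        return False


def issue_access_token(user_id, client_id, ttl_seconds=None, now=None):
    """Mint a random, non-guessable token bound to one (user, client) pair.

    ttl_seconds=None means the token never expires, which is what Google
    recommends for the implicit flow.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits of entropy
    expiry = None if ttl_seconds is None else now + ttl_seconds
    TOKENS[token] = (user_id, client_id, expiry)
    return token


def build_redirect(params, signed_in_user_id):
    """Return the redirect URL with the token in the URL fragment.

    Assumes the sign-in step is already done and signed_in_user_id is the
    authenticated user.
    """
    state = validate_auth_request(params)
    token = issue_access_token(signed_in_user_id, params["client_id"])
    fragment = urlencode(
        {"access_token": token, "token_type": "bearer", "state": state}
    )
    # Only the fragment is added; the validated redirect_uri is otherwise kept.
    return urlunparse(urlparse(params["redirect_uri"])._replace(fragment=fragment))


def user_for_access_token(token, now=None):
    """Resolve a bearer token from an Assistant request; None if unknown/expired."""
    now = time.time() if now is None else now
    entry = TOKENS.get(token)
    if entry is None:
        return None
    user_id, _client_id, expiry = entry
    if expiry is not None and now >= expiry:
        return None
    return user_id


def parse_fragment(url):
    """Fragment parameters of a redirect URL as a dict (used to inspect results)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).fragment).items()}
```

The same `user_for_access_token` lookup is what the Action's request handler would call on the access token carried in the AppRequest before touching any user data.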
Handle automatic linking
After the user gives your Action consent to access their Google profile, Google sends a request that contains a signed assertion of the Google user's identity. The assertion contains information that includes the user's Google Account ID, name, and email address. The token exchange endpoint configured for your project handles that request.
If the corresponding Google account is already present in your authentication system, your token exchange endpoint returns a token for the user. If the Google account doesn't match an existing user, your token exchange endpoint returns a user_not_found error.
The request has the following form:
```
POST /token HTTP/1.1
Host: oauth2.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&intent=get&assertion=JWT&consent_code=CONSENT_CODE&scope=SCOPES
```
Your token exchange endpoint must be able to handle the following parameters:
| Token endpoint parameters | |
|---|---|
| grant_type | The type of token being exchanged. For these requests, this parameter has the value urn:ietf:params:oauth:grant-type:jwt-bearer. |
| intent | For these requests, the value of this parameter is `get`. |
| assertion | A JSON Web Token (JWT) that provides a signed assertion of the Google user's identity. The JWT contains information that includes the user's Google Account ID, name, and email address. |
| consent_code | Optional: When present, a one-time code that indicates that the user has granted consent for your Action to access the specified scopes. |
| scope | Optional: Any scopes you configured Google to request from users. |
When your token exchange endpoint receives the linking request, it should do the following:
Validate and decode the JWT assertion
You can validate and decode the JWT assertion by using a JWT-decoding library for your language. Use Google's public keys (available in JWK or PEM format) to verify the token's signature.
When decoded, the JWT assertion looks like the following example:
```
{
  "sub": 1234567890,                            // The unique ID of the user's Google Account
  "iss": "https://accounts.google.com",         // The assertion's issuer
  "aud": "123-abc.apps.googleusercontent.com",  // Your server's client ID
  "iat": 233366400,                             // Unix timestamp of the assertion's creation time
  "exp": 233370000,                             // Unix timestamp of the assertion's expiration time
  "name": "Jan Jansen",
  "given_name": "Jan",
  "family_name": "Jansen",
  "email": "jan@gmail.com",                     // If present, the user's email address
  "locale": "en_US"
}
```
In addition to verifying the token's signature, verify that the assertion's issuer (iss field) is https://accounts.google.com and that the audience (aud field) is the client ID assigned to your Action.
Check if the Google account is already present in your authentication system
Check whether either of the following conditions is true:
- The Google Account ID, found in the assertion's sub field, is in your user database.
- The email address in the assertion matches a user in your user database.
If either condition is true, the user has already signed up and you can issue an access token.
If neither the Google Account ID nor the email address specified in the assertion matches a user in your database, the user hasn't signed up yet. In this case, your token exchange endpoint should reply with an HTTP 401 error that specifies error=user_not_found, as in the following example:
```
HTTP/1.1 401 Unauthorized
Content-Type: application/json;charset=UTF-8

{
  "error":"user_not_found"
}
```
When Google receives the 401 error response with a user_not_found error, Google calls your token exchange endpoint again with the value of the intent parameter set to create, sending with the request an ID token that contains the user's profile information.
Handle account creation via Google Sign-In
When a user needs to create an account on your service, Google makes a request to your token exchange endpoint that specifies intent=create, as in the following example:
```
POST /token HTTP/1.1
Host: oauth2.example.com
Content-Type: application/x-www-form-urlencoded

response_type=token&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&scope=SCOPES&intent=create&consent_code=CONSENT_CODE&assertion=JWT[&NEW_ACCOUNT_INFO]
```
The assertion parameter contains a JSON Web Token (JWT) that provides a signed assertion of the Google user's identity. The JWT contains information that includes the user's Google Account ID, name, and email address, which you can use to create a new account on your service.
To respond to account creation requests, your token exchange endpoint must do the following:
Validate and decode the JWT assertion
You can validate and decode the JWT assertion by using a JWT-decoding library for your language. Use Google's public keys (available in JWK or PEM format) to verify the token's signature.
When decoded, the JWT assertion looks like the following example:
```
{
  "sub": 1234567890,                            // The unique ID of the user's Google Account
  "iss": "https://accounts.google.com",         // The assertion's issuer
  "aud": "123-abc.apps.googleusercontent.com",  // Your server's client ID
  "iat": 233366400,                             // Unix timestamp of the assertion's creation time
  "exp": 233370000,                             // Unix timestamp of the assertion's expiration time
  "name": "Jan Jansen",
  "given_name": "Jan",
  "family_name": "Jansen",
  "email": "jan@gmail.com",                     // If present, the user's email address
  "locale": "en_US"
}
```
In addition to verifying the token's signature, verify that the assertion's issuer (iss field) is https://accounts.google.com and that the audience (aud field) is the client ID assigned to your Action.
Validate user information and create new account
Check whether either of the following conditions is true:
- The Google Account ID, found in the assertion's sub field, is in your user database.
- The email address in the assertion matches a user in your user database.
If either condition is true, prompt the user to link their existing account with their Google Account by responding to the request with an HTTP 401 error, specifying error=linking_error and the user's email address as the login_hint, as in the following example:
```
HTTP/1.1 401 Unauthorized
Content-Type: application/json;charset=UTF-8

{
  "error":"linking_error",
  "login_hint":"foo@bar.com"
}
```
If neither condition is true, create a new user account using the information provided in the JWT. New accounts do not typically have a password set. It is recommended that you add Google Sign In to other platforms to enable users to log in via Google across the surfaces of your application. Alternatively, you can email the user a link that starts your password recovery flow to allow the user to set a password for signing in on other platforms.
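The decision logic for both token exchange cases, intent=get (the "Handle automatic linking" section above) and intent=create (this section), as one added Python example; it is not Google's code. Signature verification against Google's public keys is assumed to have been done by a JWT library before `handle_token_exchange` is called with the decoded claims; the client ID, the in-memory user store and the token issuance are constructed stand-ins. On success the handler returns the JSON body shape shown in the final step of this section.

```python
import secrets
import time

# Constructed configuration; the client ID matches the decoded-JWT example on this page.
ACTION_CLIENT_ID = "123-abc.apps.googleusercontent.com"   # assumption
GOOGLE_ISSUER = "https://accounts.google.com"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
ACCESS_TOKEN_TTL = 3600                                    # constructed value


class ClaimsError(Exception):
    """Decoded assertion failed the issuer, audience or time checks."""


def validate_claims(claims, now=None, leeway=60):
    """Checks to apply after the JWT library has verified the signature
    against Google's public keys. Returns the Google Account ID (sub)."""
    now = time.time() if now is None else now
    if claims.get("iss") != GOOGLE_ISSUER:
        raise ClaimsError("unexpected issuer")
    if claims.get("aud") != ACTION_CLIENT_ID:
        raise ClaimsError("assertion was not issued for this Action")
    if "sub" not in claims:
        raise ClaimsError("missing sub")
    if now >= claims.get("exp", 0) + leeway:
        raise ClaimsError("assertion expired")
    if claims.get("iat", 0) > now + leeway:
        raise ClaimsError("assertion issued in the future")
    return str(claims["sub"])


class UserStore:
    """Constructed in-memory stand-in for the service's user database."""

    def __init__(self):
        self.by_google_id = {}   # Google Account ID (sub) -> user record
        self.by_email = {}       # lower-cased email -> user record

    def add(self, user_id, email=None, google_id=None, name=None):
        rec = {"id": user_id, "email": email, "google_id": google_id, "name": name}
        if google_id:
            self.by_google_id[google_id] = rec
        if email:
            self.by_email[email.lower()] = rec
        return rec

    def find(self, google_id, email):
        """Match by sub first, then by email: the two conditions on this page."""
        rec = self.by_google_id.get(google_id)
        if rec is None and email:
            rec = self.by_email.get(email.lower())
        return rec

    def link_google_id(self, rec, google_id):
        """Remember the sub on an account that was first matched by email."""
        rec["google_id"] = google_id
        self.by_google_id[google_id] = rec


def token_response():
    """Body returned once the user is linked or created."""
    return 200, {"token_type": "Bearer",
                 "access_token": secrets.token_urlsafe(32),
                 "expires_in": ACCESS_TOKEN_TTL}


def handle_token_exchange(form, claims, users, now=None):
    """Decide the response for one POST /token request.

    form   - the URL-encoded POST fields (grant_type, intent, ...)
    claims - decoded payload of the `assertion` JWT, signature already verified
    users  - the service's user store
    Returns (http_status, json_body).
    """
    if form.get("grant_type") != JWT_BEARER:
        return 400, {"error": "unsupported_grant_type"}
    try:
        google_id = validate_claims(claims, now=now)
    except ClaimsError:
        return 400, {"error": "invalid_grant"}

    email = claims.get("email")
    existing = users.find(google_id, email)
    intent = form.get("intent")

    if intent == "get":                      # automatic linking
        if existing is None:
            return 401, {"error": "user_not_found"}
        if existing["google_id"] is None:
            users.link_google_id(existing, google_id)
        return token_response()

    if intent == "create":                   # account creation via Google Sign-In
        if existing is not None:
            # An account already exists: ask the user to link it instead.
            return 401, {"error": "linking_error",
                         "login_hint": existing["email"] or email}
        users.add(user_id="u-" + secrets.token_hex(8), email=email,
                  google_id=google_id, name=claims.get("name"))
        return token_response()

    return 400, {"error": "invalid_request"}
```

The time checks use a small leeway for clock skew; the issuer and audience checks are exact, because an assertion minted for a different client ID must never link an account here.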
When the creation is completed, issue an access token and return the values in a JSON object in the body of your HTTPS response, like in the following example:
```
{
  "token_type": "Bearer",
  "access_token": "ACCESS_TOKEN",
  "expires_in": SECONDS_TO_EXPIRATION
}
```
Design the voice user interface for the authentication flow
Check if the user is verified and start the account linking flow
- Open your Actions Builder project in the Actions Console.
- Create a new scene to start account linking in your Action:
  - Click Scenes.
  - Click the add (+) icon to add a new scene.
- In the newly created scene, click the add icon for Conditions.
- Add a condition that checks if the user associated with the conversation is a verified user. If the check fails, your Action can't perform account linking during the conversation, and should fall back to providing access to functionality that doesn't require account linking.
  - In the Enter new expression field under Condition, enter the following logic: user.verificationStatus != "VERIFIED"
  - Under Transition, select a scene that doesn't require account linking or a scene that is the entry point to guest-only functionality.
- Click the add icon for Conditions.
- Add a condition to trigger an account linking flow if the user doesn't have an associated identity.
  - In the Enter new expression field under Condition, enter the following logic: user.verificationStatus == "VERIFIED"
  - Under Transition, select the Account Linking system scene.
- Click Save.
After saving, a new account linking system scene called <SceneName>_AccountLinking is added to your project.
Customize the account linking scene
- Under Scenes, select the account linking system scene.
- Click Send prompt and add a short sentence to describe to the user why the Action needs to access their identity (for example "To save your preferences").
- Click Save.
- Under Conditions, click If user successfully completes account linking.
- Configure how the flow should proceed if the user agrees to link their account. For example, call the webhook to process any custom business logic required and transition back to the originating scene.
- Click Save.
- Under Conditions, click If user cancels or dismisses account linking.
- Configure how the flow should proceed if the user doesn't agree to link their account. For example, send an acknowledging message and redirect to scenes that provide functionality that doesn't require account linking.
- Click Save.
- Under Conditions, click If system or network error occurs.
- Configure how the flow should proceed if the account linking flow can't be completed because of system or network errors. For example, send an acknowledging message and redirect to scenes that provide functionality that doesn't require account linking.
- Click Save.
Handle data access requests
If the Assistant request contains an access token, first check that the access token is valid and not expired, and then retrieve from your user account database the user account associated with the token.
Source: https://developers.google.com/assistant/identity/google-sign-in-oauth