Google Home app cannot work with OAUTH

We are building a smart home application using Google Actions for Google Home. Our application requires a login to our system in order to have access to the user's devices, so that they can control them using their voice on top of Google Home. Our custom backend is built using AWS Cognito. We use API.AI as part of the Google Home application.

I configured the Cognito OAUTH2 endpoint and the actions in the Google application to work with each other using the authorization code flow and a different scope, but there is something that I cannot see. When I try to link a user account to the Google Home app, I am redirected to our login page. After filling in the user’s details, I return to the “Home” tab of Google Home, but there is a message at the bottom that says: “Invalid response from IdP in Exchange Aut Exchange”.

I also tried this using the Google OAUTH2 Playground. It seems that when using this, I can get the code from our OAUTH server, but when I try to exchange the code for the token, I get the following error:

HTTP/1.1 400 Bad Request
Strict-transport-security: max-age=31536000 ; includeSubDomains
X-content-type-options: nosniff
X-application-context: application:prod:8443
Transfer-encoding: chunked
Set-cookie: XSRF-TOKEN=35f58337-76f4-4993-a0c9-93429134ea42; Path=/; Secure; HttpOnly
Expires: 0
Server: Server
Connection: keep-alive
X-amz-request-id: 284d862e-b021-4079-b5f5-3cbce675983c
X-xss-protection: 1; mode=block
Pragma: no-cache
Cache-control: no-cache, no-store, max-age=0, must-revalidate
Date: Wed, 23 Aug 2017 13:51:42 GMT
X-frame-options: DENY
Content-type: application/json;charset=UTF-8

{ "error": "invalid_client" }

I checked and double-checked the client ID and client secret, etc., and I cannot find any errors.

Does anyone know how I can solve this problem?

Thank you in advance

+5
1 answer

OK, maybe I know the reason. If you use AWS Cognito, according to this document ( http://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html ):

Authorization: If a secret has been provided to the client, the client must pass its client_id and client_secret in the Authorization header through Basic HTTP authorization. The header is Basic Base64Encode(client_id:client_secret).

They need to place the client ID and client secret in the header.

Then I used an AWS HTTP proxy and captured the Google request.

Method request headers: {
X-Cloud-Trace-Context=d7b6b9b8239965baf69acab659e80a01/13879251242019662389,
CloudFront-Viewer-Country=US,
CloudFront-Forwarded-Proto=https,
CloudFront-Is-Tablet-Viewer=false,
CloudFront-Is-Mobile-Viewer=false,
User-Agent=google-oauth-playground AppEngine-Google; (+http://code.google.com/appengine; appid: s~oauth2playground),
X-Forwarded-Proto=https,
CloudFront-Is-SmartTV-Viewer=false,
Host=en75z5h2rb.execute-api.us-east-1.amazonaws.com,
Accept-Encoding=gzip, deflate,
X-Forwarded-Port=443,
X-Amzn-Trace-Id=Root=1-5a0fcef2-09197cd86a625ad47d78f0b7,
Via=1.1 d63a8908759a2f4775b3f672ebf823cc.cloudfront.net (CloudFront),
X-Amz-Cf-Id=nFdLK97vAS5HvmpNYkPpbUMOB4bCaM6pScHWTAReAnonLg1gXF7hSg==,
X-Forwarded-For=107.178.195.199, 54.182.238.53,
content-type=application/x-www-form-urlencoded,
CloudFront-Is-Desktop-Viewer=true
}

There is no Authorization header in the request, so Cognito returns:

"error": "invalid_client"

And this is in accordance with the OAUTH2.0 specification: https://tools.ietf.org/html/rfc6749#section-2.3.1

I already asked AWS support. They said:

"Thank you for contacting AWS support and providing us with detailed links. I would be happy to help you with the issue of Cognito supporting client credentials in the request body.

After reading the OAUTH2.0 RFC 6749 [0] standards, it seems that including client credentials in the request body is not recommended. Here is an excerpt from the specification:

'Including client credentials in the request body using the two parameters is not recommended and should be limited to clients who cannot directly use the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).'"

0
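To make the answer concrete, here is an added example (not code from the thread, the Google OAuth playground, or AWS) of the authorization-code exchange done both ways: client credentials in the form body, as the captured request shows, and client credentials in an HTTP Basic Authorization header, as the Cognito documentation and RFC 6749 section 2.3.1 require. The token endpoint in the block is a constructed stand-in that reproduces only the behaviour described above (no Authorization header, or a wrong secret, gives 400 invalid_client); the Cognito domain, client ID, secret and redirect URI are constructed placeholders, and exchange_code is the only part that talks to a real network.

```python
"""Authorization-code exchange with HTTP Basic client authentication.

Added example for the thread above; not the project's or AWS's code.
build_token_request/exchange_code show the correct request shape for a
confidential client; mock_token_endpoint is a constructed stand-in for
the Cognito /oauth2/token endpoint that checks only the Authorization
header, which is the point the thread is about.
"""
import base64
import hmac
import json
import urllib.parse
import urllib.request

# Constructed sample values (assumptions); replace with your own app client.
TOKEN_URL = "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/token"
CLIENT_ID = "1example23456789"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://oauth-redirect.googleusercontent.com/r/example-project"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Basic ' + Base64(client_id:client_secret), per RFC 6749 2.3.1."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(code, client_id, client_secret, redirect_uri,
                        credentials_in_header=True):
    """Return (headers, urlencoded_body) for the code-for-token exchange.

    credentials_in_header=False reproduces what the captured playground
    request did: client_id/client_secret in the form body and no
    Authorization header, which a Basic-auth-only endpoint rejects.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if credentials_in_header:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return headers, urllib.parse.urlencode(form)


def mock_token_endpoint(headers, body, registered_clients):
    """Constructed stand-in for the token endpoint (not Cognito itself).

    Mirrors the behaviour reported in the thread: credentials are only
    accepted from the Authorization header; anything else is invalid_client.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 400, {"error": "invalid_client"}
    try:
        decoded = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 400, {"error": "invalid_client"}
    client_id, _, secret = decoded.partition(":")
    expected = registered_clients.get(client_id)
    # Constant-time comparison so the check does not leak secret length/prefix.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return 400, {"error": "invalid_client"}
    params = urllib.parse.parse_qs(body)
    if params.get("grant_type") != ["authorization_code"] or "code" not in params:
        return 400, {"error": "invalid_request"}
    return 200, {"access_token": "constructed-token", "token_type": "Bearer",
                 "expires_in": 3600}


def exchange_code(code, token_url=TOKEN_URL, client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET, redirect_uri=REDIRECT_URI):
    """Send the Basic-auth exchange to a real token endpoint (network call)."""
    headers, body = build_token_request(code, client_id, client_secret, redirect_uri)
    req = urllib.request.Request(token_url, data=body.encode("ascii"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    clients = {CLIENT_ID: CLIENT_SECRET}
    for in_header in (False, True):
        h, b = build_token_request("constructed-auth-code", CLIENT_ID,
                                   CLIENT_SECRET, REDIRECT_URI, in_header)
        print("credentials in header:", in_header, "->", mock_token_endpoint(h, b, clients))
```

Running the block prints the body-credentials variant failing with invalid_client and the header variant succeeding, which is the difference between the captured playground request and what the Cognito token endpoint expects. The secret comparison uses hmac.compare_digest so that even the stand-in does not leak timing information about the registered secret.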

Source: https://habr.com/ru/post/1271158/
