AccessToken expiration for Action-on-Google

I’m using Auth0 for authentication and user management for an Action-on-Google app.
I’m having a problem where the authentication expires after 24 hours. On the Google Action side, the available settings are Grant Type, Client ID, Client Secret, Auth URL, Token URL and scopes; see attached image actionsongoogle-config.png.
On the Auth0 side I have set the API's Token Expiration (Seconds) to 94608000 (not an ideal solution) and I have enabled “Allow Offline Access”. The name of the API is ‘GoogleAuth’ and the identifier is ‘aog’.
I have tried to find the issue by using Google OAuth Playground.
I enter data in step 1, see screenshot step 1. Not sure what to put in the ‘Authorize API’, but I’ve tried with both ‘GoogleAuth’ and ‘aog’.
After “Exchange authorization code”, I get an access token which expires in 24h, see screenshot step 2. I was expecting it to have a much longer expiry time, and there’s no refresh_token either.

Maybe the problem is related to jmangelo's answer here, but I don’t understand how and where I can specify the ‘audience’ parameter as explained?

The software is already released, so it is a critical problem; clients must do the account linking every 24h. Any help is highly appreciated!
Thanks in advance


As you mentioned, and based on the access token shown in the image, the authorization request is not including any audience parameter associated with your own configured API. At this time, if you add your own API then the issued access token will be a JWT (in the future other formats may be supported) and that token is not a JWT.

If I understood the issue correctly and, like you hinted, the problem is that the OAuth request is not including the proper audience, then you may want to try any of the following:

  • Where you specify a URL of https://[your_domain], specify instead a URL like https://[your_domain][your_audience]. If the client application initiating the OAuth request honors the specification then it will add the other parameters while maintaining the audience one.
  • Configure a Default Audience associated with that API through your Auth0 Dashboard, in the General account settings. Keep in mind that doing this forces every request performed without an audience to implicitly use the one provided, which may break some existing use cases.

Thank you jmangelo, exactly what I needed! I will try your suggestions and write back when I know more! Thx again!

It seems the only option is to set the Default Audience in the case of a Google Action.
In fact I had the audience parameter in the URL just as you explained, but a few months ago it was refused by Google certification. A lot of water has flowed under the bridge since and I completely forgot it.
The default should work for now as all my other clients support the audience parameter.
What is your advice - is it a reasonable request that Google supports the audience parameter?

Per spec, if you accept a URL that represents the authorization endpoint then you should accept a query component with existing parameters and retain them when adding more. The scenario you have seems like it would fall under this scenario, so I don’t see why Google rejects it; having said that, they may not be advertising full compliance with the spec, so it’s their choice.

The (authorization) endpoint URI MAY include an “application/x-www-form-urlencoded” formatted query component, which MUST be retained when adding additional query parameters.

If I were you I would contact them and possibly link to that section, at least, you may get an explanation even if the situation by itself does change.
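Added example, not part of the original thread and not Auth0's or Google's code: how a client that honors the quoted section (RFC 6749, section 3.1) builds the authorization request from an endpoint that already carries an audience parameter, next to a non-compliant client that discards it. The function names, the hosts tenant.example and client.example, and the client_id placeholder are constructed for illustration; 'aog' is the API identifier from the question.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def build_authorization_url(endpoint, request_params):
    """Add request parameters, retaining the endpoint's own query component."""
    parts = urlsplit(endpoint)
    if parts.fragment:
        # RFC 6749 section 3.1: the endpoint URI must not include a fragment.
        raise ValueError("authorization endpoint must not contain a fragment")
    # Parameters configured on the endpoint itself, e.g. audience=aog.
    existing = parse_qsl(parts.query, keep_blank_values=True)
    # Section 3.1: request parameters must not be included more than once.
    clash = {name for name, _ in existing}.intersection(request_params)
    if clash:
        raise ValueError(f"already set on endpoint: {sorted(clash)}")
    query = urlencode(existing + list(request_params.items()))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def naive_authorization_url(endpoint, request_params):
    """Non-compliant client: discards the configured query component."""
    return endpoint.split("?", 1)[0] + "?" + urlencode(request_params)


def has_audience(url):
    """True if the final authorization request carries an audience parameter."""
    return "audience" in dict(parse_qsl(urlsplit(url).query))


# Constructed sample values (assumptions): hosts and client_id are placeholders.
ENDPOINT = "https://tenant.example/authorize?audience=aog"
REQUEST = {
    "response_type": "code",
    "client_id": "CLIENT_ID_PLACEHOLDER",
    "redirect_uri": "https://client.example/callback",
    "scope": "offline_access",  # standard scope used to request a refresh token
    "state": "xyz",
}

if __name__ == "__main__":
    for build in (build_authorization_url, naive_authorization_url):
        url = build(ENDPOINT, REQUEST)
        print(build.__name__, "audience kept:", has_audience(url))
        print(" ", url)
```

Running `has_audience` over the URL a client actually sends (taken from a browser address bar or a proxy capture) shows whether the configured audience survived.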

Thank you for the clarification.