Account linking with Google action sdk, how to get idToken

Hi,
I’m trying to use Auth0 for authentication for Google account linking in a google action sdk app.
Google actions account-linking
In my Auth0 rule file, I set a context variable

// Auth0 rule: add a namespaced custom claim to both tokens
context.accessToken['https://at.mydomain.xyz'] = user.app_metadata.myvar;
context.idToken['https://at.mydomain.xyz'] = user.app_metadata.myvar;

On the Google Action side I was expecting to be able to get the ‘myvar’ from the request/Bearer:

var jwt = require('jsonwebtoken');
// decode (without verifying) the Bearer token and read the namespaced claim
var myvar = jwt.decode(req.headers.authorization.replace("Bearer ", ""))["https://at.mydomain.xyz"];

However, I only get a short Bearer () which is not a valid JWT.
What am I doing wrong here?
Thanks in advance!

Example

  headers: 
   { 'content-type': 'application/json;charset=UTF-8',
     'google-assistant-api-version': 'v1',
     authorization: 'Bearer 1kypWQBJYGmVwK9P',

I’m not at all familiar with Google Actions SDK, however I can explain the likely cause for the access token you receive from Auth0 to be an opaque access token and not a JWT.

ID tokens will always be JWTs because the spec mandates it; however, access tokens can use any format acceptable to the API to which they are meant to be sent as an authorization mechanism. Currently, Auth0 can issue access tokens that will be suitable to call:

  • only Auth0-provided APIs, in particular the /userinfo endpoint; in this case the access token format is an implementation detail subject to change, but at this time it’s an opaque access token.
  • only your own defined APIs (aka the custom APIs you create in the APIs section); in this case the access token format currently being used is the JWT one; again, new formats can be supported in the future, but you would likely be able to choose which one to use.
  • both your own defined API and also the Auth0-provided /userinfo API; in this case the token will also currently be a JWT that has multiple audiences. Keep in mind that this will only apply under specific circumstances, like the API using RS256 and the request including the openid scope.

If you perform only a user authentication request according to OpenID Connect you’ll get an opaque access token suitable for /userinfo. If you want an access token suitable for your own defined API then you need to include the audience parameter during the authentication/authorization request. Including the audience will currently mean a JWT access token will be issued, and as such the construct context.accessToken['https://example.com'] = user.app_metadata.value; will indeed add a claim to the generated JWT access token.

Finally, and restating my initial introduction, this explains why the opaque access token can be issued, but my lack of knowledge of Google Actions does not allow me to say that addressing this will indeed meet your requirements for your Google Actions use case.
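As an added example (not code from the thread or from Auth0), the following Node handler shows the distinction the answer draws: it tells the short opaque token from a three-segment JWT access token, and only reads the namespaced claim the rule adds when the JWT's aud names your own API. The audience value, tenant issuer and both sample tokens are constructed for illustration; decoding here is not verification, so a real handler must still validate the RS256 signature against the tenant's JWKS.

```javascript
// Added example (not from the thread). Namespace is the claim key from the question;
// EXPECTED_AUD is an assumed custom API identifier.
const NAMESPACE = 'https://at.mydomain.xyz';
const EXPECTED_AUD = 'https://api.mydomain.xyz';

// Node's base64 decoder also accepts the base64url alphabet and missing padding.
const b64urlDecode = (s) => Buffer.from(s, 'base64').toString('utf8');

// Classify the Authorization header: missing, opaque (as with /userinfo-only tokens),
// or a JWT (three base64url segments with JSON header and payload). No verification here.
function classifyBearer(authorizationHeader) {
  if (typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('Bearer ')) {
    return { kind: 'missing' };
  }
  const token = authorizationHeader.slice('Bearer '.length).trim();
  const parts = token.split('.');
  if (parts.length !== 3) return { kind: 'opaque', token };
  try {
    return { kind: 'jwt', header: JSON.parse(b64urlDecode(parts[0])), payload: JSON.parse(b64urlDecode(parts[1])) };
  } catch (e) {
    return { kind: 'opaque', token }; // three dots but not JSON segments: treat as opaque
  }
}

// Read the rule's custom claim only from a JWT whose aud (string or array) includes our API.
// Signature verification against the tenant JWKS must precede trusting any claim (omitted).
function readCustomClaim(authorizationHeader) {
  const result = classifyBearer(authorizationHeader);
  if (result.kind !== 'jwt') {
    return { ok: false, reason: `expected a JWT access token, got ${result.kind} (was audience requested?)` };
  }
  const aud = [].concat(result.payload.aud || []);
  if (!aud.includes(EXPECTED_AUD)) return { ok: false, reason: 'aud does not include our API' };
  if (!(NAMESPACE in result.payload)) return { ok: false, reason: 'custom claim missing' };
  return { ok: true, myvar: result.payload[NAMESPACE] };
}

// Constructed samples: the opaque value quoted in the question, and an (unsigned,
// placeholder-signature) JWT with two audiences as issued when audience + openid are requested.
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.signature-placeholder`;
}
const OPAQUE_HEADER = 'Bearer 1kypWQBJYGmVwK9P';
const JWT_HEADER = 'Bearer ' + makeUnsignedJwt({
  iss: 'https://mytenant.auth0.com/', sub: 'auth0|123',
  aud: [EXPECTED_AUD, 'https://mytenant.auth0.com/userinfo'],
  [NAMESPACE]: 'hello-from-app-metadata',
});
```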

Thank you for the explanation jmangelo! The account linking with GA works after applying your proposed changes.