OAuth Implicit flow Access Token expires every hour

Question

I'm having a problem with the OAuth Implicit flow for the Google Assistant. I managed to set up a OAuth server and got it to work. Here's the flow:

The user Is redirected to my endpoint, authenticates with a Google account, and gets send back to the Assistant with an Acces Token and result code=SUCCES.

In my fullfilment I get the users email address by doing a https request to: https://www.googleapis.com/plus/v1/people/me?access_token=access_token.

I then find the matching user in my database and add the acces token to the database for this user.

The next time the user logs in I check the acces token and greet the user by their name.

Now the problem is that this is the Implict flow which according to the documentation should have an access token that never expires:

Note: Google requires that access tokens issued using the implicit flow never expire, so you don't need to record the grant time of an access token, as you would with other OAuth 2.0 flows.

But the Assistant forces me to re-authenticate every hour, meaning the access token did expire.

My question is: Is this flow correct or am I missing something? Is there something I've done wrong in my OAuth endpoint?

I based my endpoint on https://developers.google.com/identity/protocols/OAuth2UserAgent.

<html>

  <head>
    <script src="https://apis.google.com/js/platform.js" async defer></script>
    <meta name="google-signin-client_id" content="CLIENT_ID">
  </head>

  <body>
    <script>
      var YOUR_CLIENT_ID = 'CLIENT_ID';

    function oauth2SignIn() {
        // Google's OAuth 2.0 endpoint for requesting an access token
        var oauth2Endpoint = 'https://accounts.google.com/o/oauth2/v2/auth';

        // Create element to open OAuth 2.0 endpoint in new window.
        var form = document.createElement('form');
        form.setAttribute('method', 'GET'); // Send as a GET request.
        form.setAttribute('action', oauth2Endpoint);

        //Get the state and redirect_uri parameters from the request
        var searchParams = new URLSearchParams(window.location.search);
        var state = searchParams.get("state");
        var redirect_uri = searchParams.get("redirect_uri");
        //var client_id = searchParams.get("client_id");

        // Parameters to pass to OAuth 2.0 endpoint.
        var params = {
          'client_id': YOUR_CLIENT_ID,
          'redirect_uri': redirect_uri,
          'scope': 'email',
          'state': state,
          'response_type': 'token',
          'include_granted_scopes': 'true'
        };

        // Add form parameters as hidden input values.
        for (var p in params) {
          var input = document.createElement('input');
          input.setAttribute('type', 'hidden');
          input.setAttribute('name', p);
          input.setAttribute('value', params[p]);
          form.appendChild(input);
        }

        // Add form to page and submit it to open the OAuth 2.0 endpoint.
        document.body.appendChild(form);
        form.submit();
      }
  oauth2SignIn();
    </script>
  </body>

  </html>

Answer 1

It sounds like what you are doing is having the user log into your page, and using this to get an auth token from a Google service. You're then turning this around and passing this back to the Assistant and calling this the Identity Flow.

While clever - this isn't the Identity Flow.

This is you using the Auth Code Flow to authenticate the user with Google, and then returning this token to Google and pretending this is an Identity Flow token. However, since you're using the Auth Code Flow, the auth tokens that you get back expire after an hour. (You can check out the lifetime in the information you get back from Google.)

If you are trying to do Account Linking and not manage anything yourself, you need to actually implement an OAuth server that proxies the Auth Code Flow requests from the Assistant to Google and the replies from Google back to the Assistant. While doable, this may be in violation of their policy, and isn't generally advised anyway.

Update to address some questions/issues in your comment.

using the Google Auth endpoints doesn't store the session either, so you'd still have to re-authenticate every hour

Since the Google Auth endpoints use the Auth Code Flow, you can use the offline mode to request a refresh token. Then, when an auth token expires, you can use the refresh token to get a new auth token. So you still have a long-term authorization for access and can get the short-term token to do the work you need.

Trying to shoehorn this into the Identity Flow, however, doesn't work. (And would be a really bad idea, even if it did.)

Can you provide some clarification on how to create an endpoint for the implicit flow?

Beyond the step-by-step description of what your OAuth server code can do in the Assistant documentation, I'm not sure what clarification you need. Your OAuth server fundamentally just needs to:

• Be able to have a user:
  • Connect to an HTTPS URL
  • Authenticate themselves
  • Authorize the Assistant to contact your service on their behalf
• Return a code by redirecting the user to Google's URL with a code in the parameter

And the Action webhook needs to be able to:

• Accept this code as part of the request from the Assistant and
• Figure out who the user is from this code. (ie - map the code to a user account in your system.)

There are a variety of ways you can do all of that. The OAuth server and Action could be on the same server or separate, but they at least need to have some agreement about what that code is and how that maps to your user accounts.

If your primary need is to access Google APIs on behalf of your user - then the user account that you have will likely store the OAuth tokens that you use to access Google's server. But you should logically think of that as separate from the code that the Assistant uses to access your server.

(As an aside - those steps are for the Identity Flow. The Auth Code Flow has a few more steps, but the fundamentals are similar. Especially on the Action side.)