Failed to exchange authorization code for Access Token (feacft)

Question

I want to create a chatbot with Dialogflow and Google Assistant along with Google Transactions API for enabling a user to order some items. For now my agent contains the following four intents:

Default Welcome Intent (text response: Hello, do you want to buy a chocolate box?)
Default Fallback Intent
Int3 (training phrase: "Yes, I want to sign in", fulfilment: enabled webhook)
Int4 (event: actions_intent_SIGN_IN, fulfilment: enabled webhook)

I am using Dialogflow Json instead of Node.js to connect my agent with Transactions API. I implemented all the required steps to set up Account Linking for Actions on Google with Auth0 as is it described at posts such as the following ones:

Therefore, now I ask for example the user on the mobile phone Google Assistant during the conversation "Do you want to sign in?" and then the user responds "Yes, I want to sign in" which triggers Int3. In this case, from my back-end through a webhook I am sending the following json:

{
    "payload": {
        "google": {
            "expectUserResponse": true,
            "isSsml": false,
            "noInputPrompts": [],
            "systemIntent": {
                "data": {
                    "@type": "type.googleapis.com/google.actions.v2.SignInValueSpec",
                    "optContext": "To make the order easier"
                },
                "intent": "actions.intent.SIGN_IN"
            }
        }
    }
}

Then this makes the following window to appear on the screen of the user: Log in window

So I am proceeding by pressing LOG IN WITH GOOGLE and by choosing one of my gmail accounts. However, then I am getting the following error on the Google Assistant: Sorry, something went wrong. Please try again later

and also I am getting the following json at my back-end as a response:

{
    "responseId": "c65ab8d3-f6e9-4e86-9645-6785b01d3f10",
    "queryResult": {
        "queryText": "actions_intent_SIGN_IN",
        "action": "sign_in",
        "parameters": {},
        "allRequiredParamsPresent": true,
        "fulfillmentMessages": [
            {
                "text": {
                    "text": [
                        ""
                    ]
                }
            }
        ],
        "outputContexts": [
            {
                "name": "projects/*********/agent/sessions/1527240031183/contexts/actions_capability_screen_output"
            },
            {
                "name": "projects/*********/agent/sessions/1527240031183/contexts/actions_intent_sign_in",
                "parameters": {
                    "SIGN_IN": {
                        "@type": "type.googleapis.com/google.actions.v2.SignInValue",
                        "status": "ERROR"
                    }
                }
            },
            {
                "name": "projects/*********/agent/sessions/1527240031183/contexts/actions_capability_audio_output"
            },
            {
                "name": "projects/*********/agent/sessions/1527240031183/contexts/actions_capability_web_browser"
            },
            {
                "name": "projects/*********/agent/sessions/1527240031183/contexts/actions_capability_media_response_audio"
            }
        ],
        "intent": {
            "name": "projects/*********/agent/intents/75e0bc57-1829-4efe-9e35-dbcaa3da5a77",
            "displayName": "Sign_in"
        },
        "intentDetectionConfidence": 1,
        "diagnosticInfo": {},
        "languageCode": "en-gb"
    },
    "originalDetectIntentRequest": {
        "source": "google",
        "version": "2",
        "payload": {
            "isInSandbox": true,
            "surface": {
                "capabilities": [
                    {
                        "name": "actions.capability.SCREEN_OUTPUT"
                    },
                    {
                        "name": "actions.capability.MEDIA_RESPONSE_AUDIO"
                    },
                    {
                        "name": "actions.capability.WEB_BROWSER"
                    },
                    {
                        "name": "actions.capability.AUDIO_OUTPUT"
                    }
                ]
            },
            "inputs": [
                {
                    "rawInputs": [
                        {}
                    ],
                    "arguments": [
                        {
                            "extension": {
                                "@type": "type.googleapis.com/google.actions.v2.SignInValue",
                                "status": "ERROR"
                            },
                            "name": "SIGN_IN"
                        }
                    ],
                    "intent": "actions.intent.SIGN_IN"
                }
            ],
            "user": {
                "lastSeen": "2018-05-25T09:20:16Z",
                "locale": "en-GB",
                "userId": "*********"
            },
            "conversation": {
                "conversationId": "1527240031183",
                "type": "ACTIVE",
                "conversationToken": "[]"
            },
            "availableSurfaces": [
                {
                    "capabilities": [
                        {
                            "name": "actions.capability.SCREEN_OUTPUT"
                        },
                        {
                            "name": "actions.capability.WEB_BROWSER"
                        },
                        {
                            "name": "actions.capability.AUDIO_OUTPUT"
                        }
                    ]
                }
            ]
        }
    },
    "session": "projects/*********/agent/sessions/1527240031183"
}

which returns "status": "ERROR" for the SignInValue.

On Auth0 logs section, this log-in attempt is described as successful but the exchange is described as failed: The specific log for this particular failed exchange contains the following json:

{
  "date": "2018-05-25T09:20:53.786Z",
  "type": "feacft",
  "description": "Unauthorized",
  "connection_id": "",
  "client_id": "Xsr3VFE***********",
  "client_name": null,
  "ip": "66.249.81.44",
  "user_agent": "OpenAuth",
  "hostname": "*********.eu.auth0.com",
  "user_id": "",
  "user_name": "",
  "log_id": "****************"
}

where feacft stands for Failed to exchange authorization code for Access Token at Auth0.

Although it may be irrelevant, let me note that when:

I manually go to Auth0 -> Connections -> Social -> Google -> TRY
I choose the same Gmail account as above
I press Go to auth0.com (unsafe) at this page: "This is not verified"
I allow auth0.com to access my Google Account

I finally get this: "It works!"

and at the Auth0 logs section I finally get Success Exchange for this.

The specific log for this particular successful exchange contains the following json:

{
  "date": "2018-05-29T08:14:48.843Z",
  "type": "seacft",
  "description": "",
  "connection_id": "",
  "client_id": "EXOtUb****************",
  "client_name": "N/A",
  "ip": "35.160.3.103",
  "user_agent": "Node-oauth",
  "hostname": "**********.eu.auth0.com",
  "user_id": "",
  "user_name": "",
  "log_id": "*****************"
}

However notice that in this latter case (Success Exchange) the client_id is different than in the former case (Failed Exchange). In the Failed Exchange case, the client_id is the one of Auth0 application which I created but in the Success Exchange I do not know what is this client_id; perhaps it is the client_id of one internally installed Auth0 which is used to test the connection between Auth0 and others clients (Google, Facebook etc).

How can I sign in successfully through Google Assistant and get "status": "OK" for the SignInValue?

Am I doing anything wrong so far?

I have found two posts which report the error which I am getting on Auth0 (feacft error):

- https://community.auth0.com/t/uwp-application-triggers-a-feacft-error-log-event-when-using-google-facebook-authentication/6394

- https://github.com/auth0/react-native-auth0/issues/62

Both of them report that they changed their Auth0 apps to Native (e.g. from Machine to Machine) and the error was fixed. However, I tested this and it does not work for me so far.

(I also meant to comment that I *really* appreciate the detailed information you're providing here. We may need more, but you've done a great job at showing the type of info that is commonly asked for to debug this.) — Prisoner, May 25 '18 at 14:32
(Thank you for this. However, in most cases regarding configuration things like the one above, junior software engineers like me are missing something which is pretty obvious for a senior software engineer. Therefore, although my post is so rich eventually its cause of existence may be very poor/trivial...haha) — Outcast, May 25 '18 at 14:47
To make sure I'm following, when you try to auth by phone, you're still getting the same "Failed exchange" error on Auth0 with the same JSON description? — Prisoner, May 25 '18 at 14:59
Yes, all my post (the image etc) is written for the Google Assistant on mobile phone. :) Please also notice the text above the first json image at my post (*Therefore, now I ask for example the user **on the mobile phone Google Assistant** during the conversation "Do you want to sign in?" ...*). — Outcast, May 25 '18 at 15:04

Prisoner · Answer 1 · 2018-05-25T16:06:00.080

1

The "Failed Exchange" log, and the detailed log entry for it, appear to suggest that the issue is when Google is trying to exchange the Auth Code for an Access/Refresh token. (I realize this is literally what "feacft" means, and I'm just repeating it.) Both Google and Auth0 appear to realize this is failing.

A first step in debugging would be to make sure that the Client ID and Client Secret are set exactly the same between the two services. These will be dictated by the Auth0 server.

Some configurations on the Account Linking page in the Action Console have also changed recently and the documentation you linked to probably doesn't reflect them yet. Make sure you have selected "No, I only want to allow account creation on my website" for Account Creation and "OAuth" (not "OAuth & Google Sign In") and "Authorization code" for Linking Type.

You may also wish to validate the server against Google's OAuth implementation, although this seems less likely since you're using Auth0.

edited May 25 '18 at 16:06

answered May 25 '18 at 13:27

Prisoner

49,922
7
53
105

Thank you for your answer @Prisoner. Yes, I have checked these details and I do think that something goes wrong there. The interesting fact is that when I manually go to `Auth0` -> `Connections` -> `Social` -> `Google` -> `TRY` and I choose the same Gmail account (as the one I try to log in at the Google Assistant) then I get `Success Exchange`. Please have a look at my edited/updated above for more details. (Please start to read it at least from the "Jovetest" image and below because I have made various edits from this point and beyond) – Outcast May 25 '18 at 14:10
I'm not sure I'm following with your updates. It sounds like it is working now? If not, can you include the screen shot of your Action Console "Account Setting" screen, the same as I have shown above? (Expand the Account Creation and Linking Type sections, but make sure the Client Information and other sections are closed or masked.) – Prisoner May 25 '18 at 14:35
The summary of my edits is that the `Auth0` authorisation etc does not work when I try to sign in on the Google Assistant (on the mobile phone) but it does seem to work when I go manually to the Auth0 console and I test the authorisation/connection to this Google account. Believe me the `account creation` and the `linking type` details are exactly as it shown at the image at your post. If you want to verify it check out my image at the end of my anew edited post. – Outcast May 25 '18 at 14:42
Got it - just making absolutely sure, thank you. And apologies for missing that the issue was that it wasn't working from mobile. Does it work through the Assistant Simulator? – Prisoner May 25 '18 at 14:45
No worries. I edited my post towards the end to include this summary. At the Google Assistant simulator I am getting this when I try to trigger the `actions.intent.SIGN_IN`: `Simulation on Phone surface does not support account linking provided by native mobile app. Please try on real phone or try Simulator as Speaker.`. – Outcast May 25 '18 at 14:50
I've added a link for another way to test the implementation, but this doesn't seem very likely to expose anything. I'm trying to dig into the problem and see if something else might be going on on Google's side. – Prisoner May 25 '18 at 16:06
Ok, thanks. By the way, do you think that my whole problem has something to do with the fact that *I am doing all this with `Python` and `ngrok` at my local server* as I explicitly write at the end of my post (in order exactly to make the reader of this post to think if this is the problem) – Outcast May 25 '18 at 16:09
No, I think this is not in any way relevant to Python or ngrok. It sounds like the Assistant is trying to authenticate with the Auth0 server, and that authentication is failing. I'm just not sure why it is failing. – Prisoner May 25 '18 at 16:14
Yes I agree now since I tested this right now by uploading my python scripts/app on Heroku and the result was the same. But to be honest, for some minutes I started to think that this may be wrong and how stupid this would be. As for what it is really going on, even if a minor detail may be missing even though all the other things are right and then the whole is blown off. The problem is that it is quite difficult to post every configuration detail here so that it can be reviewed by everyone. – Outcast May 25 '18 at 16:22
By the way, please also keep in mind what I just added to my post: *However let me point out the following about this. In this latter case (`Success Exchange`) the `client_id` is different than in the former case (`Failed Exchange`) when I test it on Google Assistant on mobile phone after I have copied the credentials (Client ID, Client secret, Authorization URL, Token URL) of a specific client/application of `Auth0` to `Account linking` -> `Client information` on `Actions on Google` console.* (P.S. You certainly worth an upvote for your help so far) – Outcast May 25 '18 at 16:35

score 1 · Accepted Answer · answered May 29 '18 at 12:09

Finally I solved this problem even though I do not really exactly know why this is fixed so any additional explanation to my answer is welcome. Please write at the comments below.

On Auth0 the Applications panel is looking like this now:

Thus far I was using the Auth0 Management API (Test Application) application and its credentials on Actions on Google for the task described at my post above. I was experimenting by modifying some of the settings and configuration details of this application but still I was getting the same error.

Then, I thought about simply creating a new application. Both my new applications (New, New2) are working fine on Google Assistant on mobile phone.

Keep in mind that between the Auth0 Management API (Test Application) and the New2 applications all the configuration details and settings, as far as I can see, are the same so I have no idea why the the latter works for mewhile the former does not. I suspected that the former is a test application so it has very limited use but I thought that it is going to work for my project.

P.S. @Prisoner, if you are still around here can you tell me please your opinion about this: https://stackoverflow.com/questions/50408893/how-to-add-the-delivery-address-details-to-the-order-preview? — Outcast, May 29 '18 at 13:16

Failed to exchange authorization code for Access Token (feacft)

2 Answers2