redirect_uri_mismatch when OAuth2 account linking from Google Home Simulator


I am developing an account linking integration for an "Actions on Google" integration with API.AI for use with Google Home. When I test this agent in the simulator (https://developers.google.com/actions/tools/web-simulator)

As expected, this is my response:

{
    "response": "It looks like your conference manager account is not linked yet. You can link conference manager to your Google Account from the Google Home app.",
    "audioResponse": "//NExAARC...",
    "debugInfo": {
        "sharedDebugInfo": [
            {
                "name": "Account Linking Url",
                "debugInfo": "https://assistant.google.com/services/auth/handoffs/auth/start?provider={project-id}_dev&return_url=https://www.google.com/"
            }
        ]
    }
}

However, when I follow the res.debugInfo.sharedDebugInfo[0].debugInfo link, I get the standard redirect_uri_mismatch error page, with the details:

The redirect URI in the request, https://oauth-redirect.googleusercontent.com/r/my-project-id, does not match the ones authorized for the OAuth client. Visit https://console.developers.google.com/apis/credentials/oauthclient/my-client-id?project=my-client-id to update the authorized redirect URIs.

It's of course not possible to add the googleusercontent domain to the redirects, and this isn't the redirect I have specified in my API.AI Actions on Google integration.

On the API.AI side my Auth Url is the standard Google one: https://accounts.google.com/o/oauth2/v2/auth

and my token URL is: https://myendpoint.com/google-home-token-endpoint with the Scopes filled in as calendar

On the Google developer console, I have the token URL set to the same as in API.AI, and the project id/client id the same as referenced in the requests.

Is this a known issue? Additional debugging efforts I can try?

2

There are 2 answers

0
Thomas Murphy On BEST ANSWER

See Leon's comment on my original question.

It is not currently possible to do account linking with Actions for APIs you do not own.

0
Dana On

I too am at a loss as to why you cannot do account linking for Actions on Google with Login with Google.

However, I've made this work using Login With Amazon, here's how:

  1. In api.ai, choose integrations -> actions on google.
  2. Choose an invocation name, create a project in google developers console
  3. Enter the corresponding google project ID
  4. Pick your welcome intent
  5. Go to the amazon developers console under login with amazon
  6. Under allowed origins, put https://accounts.google.com/
  7. Under Allowed Return URLs, put https://oauth-redirect.googleusercontent.com/r/my-project-id (with your google project ID per above)
  8. Back in the Actions on Google popup, enter the client ID and Client Secret created in the Amazon developer's console.
  9. Set grant type = implicit
  10. Set authorization URL = https://www.amazon.com/ap/oa
  11. Set Scopes = profile
  12. Authorize and preview, and continue as described in the question with pasting in the link from res.debugInfo.sharedDebugInfo[0].debugInfo to a browser session. It will successfully link to the associated amazon account.

The question is - why can I use Amazon as an identity provider with OAuth2 using web identity federation but not Google when setting up account linking with Actions on Google?
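The mismatch in the question and the "Allowed Return URLs" entry in the answer above both come down to one comparison, shown here as an added example that is not part of the original posts. It assumes the authorization server matches redirect_uri by exact string comparison; CLIENT_ID, my-project-id and the myendpoint.com callback are constructed placeholders.

```javascript
// Added example, not code from the question or answers.
// Constructed values: "my-project-id" and "CLIENT_ID" are placeholders.
const ASSISTANT_REDIRECT = 'https://oauth-redirect.googleusercontent.com/r/my-project-id';
const PARTS = ['protocol', 'host', 'pathname', 'search', 'hash'];

// Build an implicit-grant authorization request like the one in the answer's steps.
function buildAuthRequest(authUrl, redirectUri) {
  const u = new URL(authUrl);
  u.searchParams.set('client_id', 'CLIENT_ID');
  u.searchParams.set('response_type', 'token');
  u.searchParams.set('scope', 'profile');
  u.searchParams.set('redirect_uri', redirectUri);
  return u.toString();
}

// Index of the first URL component that differs, or PARTS.length if all are equal.
function firstDifference(a, b) {
  const i = PARTS.findIndex((p) => a[p] !== b[p]);
  return i === -1 ? PARTS.length : i;
}

// Compare the request's redirect_uri with the client's registered list.
// Matching is an exact string comparison (assumption); the diff is only for diagnosis.
function checkRedirectUri(authRequestUrl, registeredUris) {
  const requested = new URL(authRequestUrl).searchParams.get('redirect_uri');
  if (!requested) return { ok: false, requested, differs: 'missing' };
  if (registeredUris.includes(requested)) return { ok: true, requested, differs: null };

  let req;
  try { req = new URL(requested); } catch (e) {
    return { ok: false, requested, differs: 'not-absolute-url' };
  }
  // Find the registered URI that agrees with the request for the most components.
  let best = { index: -1, uri: null };
  for (const uri of registeredUris) {
    const index = firstDifference(req, new URL(uri));
    if (index > best.index) best = { index, uri };
  }
  const differs = best.uri === null ? 'nothing-registered'
    : (PARTS[best.index] || 'normalization');
  return { ok: false, requested, differs, closest: best.uri };
}

const request = buildAuthRequest('https://www.amazon.com/ap/oa', ASSISTANT_REDIRECT);
console.log(checkRedirectUri(request, ['https://myendpoint.com/callback'])); // host differs
console.log(checkRedirectUri(request, [ASSISTANT_REDIRECT]));                // exact match
```

A trailing slash or an http scheme on the registered entry is reported as a pathname or protocol difference, which is the usual cause when the URI looks right at a glance.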