Authenticate Google Calendar on API.AI with Google Actions

Question

I am writing an API.AI app with Google Actions (will run on google assistant and google home). The app should be able to read\\add events to the user\'s google calendar acco

Answer 1

If you're using Google Sign-in as your login provider, you can request access to the calendar scope as part of your OAuth flow.

The public policy states:

"Don't request any OAuth scope from Google unless the user is signing in to your service using Google Sign-In."

Answer 2

Update, 8 Nov 2017

As of about 4 October 2017, Google updated their policy to explicitly forbid this. Around the same time, they also took technical measures to prevent this.

The portion about enabling the Calendar API is still correct, although insufficient to do what the original question asked.

Original Answer

Broadly speaking, the auth tasks you need to do are in four parts:

1. Configure your project (in the cloud console) so that the Calendar API is enabled and that the OAuth2 client is correctly configured.
2. Configure the Action for account linking in the action console.
3. Configure the Actions on Google Integration for your API.AI Agent to indicate that sign-in is required.
4. When API.AI calls your webhook to fulfill an Intent, it will include an auth token as part of the JSON. You can use this token to make calls to the Google APIs you need.

Configure Cloud Project

You need to configure your cloud project so that it has access to the Google APIs you need and setup the OAuth2 Client ID, Secret, and Redirect URI.

1. Go to https://console.cloud.google.com/apis/dashboard and make sure you have the project you're working with selected. Then make sure you have the APIs you need enabled. (In this case, the Calendar API)

2. Select the "Credentials" menu on the left. You should see something like this:

3. Select "Create credentials" and then "OAuth client ID"

4. Select that this is for a "Web application" (it is... kinda...)

5. Enter a name. In the screen shot below, I used "Action client" so I remember that this is actually for Actions on Google.

6. In the "Authorized Redirect URIs" section, you need to include a URI of the form https://oauth-redirect.googleusercontent.com/r/your-project-id replacing the "your-project-id" part with... your project ID in the Cloud Console. At this point, the screen should look something like this:

7. Click the "Create" button and you'll get a screen with your Client ID and Secret. You can get a copy of these now, but you can also get them later.

8. Click on "Ok" and you'll be taken back to the "Credentials" screen with the new Client ID added. You can click the pencil icon if you ever need to get the ID and Secret again (or reset the secret if it has been compromised).

Configure the Action Console

Once we have OAuth setup for the project, we need to tell Actions that this is what we'll be using to authenticate and authorize the user.

1. Go to https://console.actions.google.com/ and select the project you'll be working with.

2. In the Overview, make your way through any configuration necessary until you can get to Step 4, "Account Linking". This may require you to set names and icons - you can go back later if needed to correct these.

3. Select the Grant Type of "Authorization Code" and click Next.

4. In the Client Information section, enter the Client ID and Client Secret from when you created the credentials in the Cloud Console. (If you forget, go to the Cloud Console API Credentials section and click on the pencil.)

5. For the Authorization URL, enter https://accounts.google.com/o/oauth2/v2/auth

6. For the Token URL, enter https://www.googleapis.com/oauth2/v4/token

7. Click Next

8. You now configure your client for the scopes that you're requesting. Unlike most other places you enter scopes - you need to have one per line. (In this case, you'd also add the correct scope you need to access the user's calendar.) Then click Next.

9. You need to enter testing instructions. Before you submit your Action, these instructions should contain a test account and password that the review team can use to evaluate it. But you can just put something there while you're testing and then hit the Save button.

Configure API.AI

Over in API.AI, you need to indicate that the user needs to sign-in to use the Action.

1. Go to https://console.api.ai/ and select the project you're working with.

2. Select "Integrations" and then "Actions on Google". Turn it on if you haven't already.

3. Click the "Sign in required for welcome intent" checkbox.

Handle things in your webhook

After all that setup, handling things in your webhook is fairly straightforward! You can get an OAuth Access Token in one of two ways:

• If you're using the JavaScript library, calling app.getUser().authToken

• If you're looking at the JSON body, it is in originalRequest.data.user.accessToken

You'll use this Access Token to make calls against Google's API endpoints using methods defined elsewhere.

You don't need a Refresh Token - the Assistant should hand you a valid Access Token unless the user has revoked access.