Google Oauth - URL OWNERSHIP?


#1

Hi All,

I’m trying to get an app certified on Google Assistant. The app uses account linking with OAuth. The OAuth service provider is Microsoft and authentication occurs using MSAL against their AAD of corporate users.

Google have said that “When implementing account linking using OAuth, you must own your OAuth endpoint or have control over it with an OAuth service provider.”

I have tried pushing back, explaining that we have full control over it and Microsoft is our service provider, but they will not accept it, saying the developer is not the owner.

Has anyone else encountered this? How did you get around it - does my client now have to become the “developer” and set up a Google developer account and submit the action?

Any insights are welcome!


#2

That sounds like a question to direct to Google rather than to Jovo…


#3

I have asked Google. You can’t speak to reviewers but you can get help from the AOG team. I have now had several emails and it seems they won’t accept the URL because it is from a private tenancy, i.e. not accessible to the public.

I have explained to them my use case, in which I want to allow part of the action to be accessible to all Google users, but part of the action to only be available to authorised corporate users as it contains commercially sensitive data. I asked them if this was permissible and within the policy requirements for certification. They responded that generally this was permissible.

So now I’m trying to work out how to implement the authorisation a different way. That’s why I was asking if anyone has experience in this.


#4

If you want to authenticate using the corporate OAUTH, all I can suggest is to get the company to either take ownership of the Google code (or at least to provide their own Google-based OAUTH proxy).

Or give up and have your own OAUTH, with a registration process outside Google which calls the MS OAUTH to confirm that this user can be issued an account in yours. (I have no idea whether you could reasonably securely throw together your own proxy for the company OAUTH; I haven’t looked into that protocol deeply enough.)


#5

Thanks. I used a bit of a hack to get around it - went with the Google voice flow and whitelisted some domain names.
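
One way a domain allowlist like the one mentioned in #5 can be checked, as an added example that is not from any poster in this thread. It assumes the Google ID token was already verified (signature, issuer, audience, expiry) and that `claims` is its payload; `corp.example`, `ALLOWED_DOMAINS` and the function names are hypothetical.

```javascript
// Added example. `claims` is assumed to be the payload of an ALREADY VERIFIED
// Google ID token; this code does not verify the token itself.
const ALLOWED_DOMAINS = new Set(['corp.example']); // hypothetical allowlist

// Return the lower-cased domain of an address, or null if it is malformed.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const parts = email.trim().toLowerCase().split('@');
  // Exactly one "@", with a non-empty local part and domain.
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  return parts[1];
}

// Decide which part of the action a signed-in user may reach:
// 'corporate' for allowlisted organisation accounts, 'public' for everyone else.
function accessTier(claims, allowed = ALLOWED_DOMAINS) {
  if (!claims || claims.email_verified !== true) return 'public';
  const domain = emailDomain(claims.email);
  // Exact match only: "corp.example.evil.test" must not pass a suffix test.
  if (!domain || !allowed.has(domain)) return 'public';
  // `hd` is set only for accounts that belong to a Google Workspace / Cloud
  // organisation. A consumer Google account can be registered with a
  // corporate-looking address, so require `hd` to be allowlisted as well.
  const hd = typeof claims.hd === 'string' ? claims.hd.toLowerCase() : null;
  if (!hd || !allowed.has(hd)) return 'public';
  return 'corporate';
}

// Constructed sample payloads (not real tokens).
const samples = [
  { email: 'alice@corp.example', email_verified: true, hd: 'corp.example' },
  { email: 'bob@corp.example.evil.test', email_verified: true, hd: 'corp.example.evil.test' },
  { email: 'carol@corp.example', email_verified: true }, // no hd: consumer account
  { email: 'dave@corp.example', email_verified: false, hd: 'corp.example' },
];
for (const s of samples) console.log(s.email, '->', accessTier(s));
```

The check fails closed: anything malformed, unverified or outside the allowlist falls back to the public part of the action.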