Choose your account linking type
Stay organized with collections
Save and categorize content based on your preferences.
The optimal account linking type for your Action is one that provides the
simplest experience for your users and fits the needs of your application or
business. Choosing your linking type is mostly dependent on the following
factors:
- Whether you want to allow account creation via voice
- Whether you want users to be able to sign in to your service with a
non-Google account
- Whether or not your service can store confidential information
(i.e., a client secret)
To figure out your ideal account linking type, follow these steps:
- Consider the questions in the
Identify your preferred sign-in type
section.
- Consult the decision tree to choose your linking type.
- Navigate to the section that corresponds to the initial type you chose to
further refine how it works.
Identify your preferred sign-in type
Before you consult the decision tree, consider the following questions:
- Do you expect all your users to have a Google account?
- If your Action only targets Assistant, then you can expect all your
users to have a Google account. If your Action targets platforms beyond
Assistant, you cannot expect all your users to have a Google account.
- If your service already has existing users, it’s likely that some don’t
have a Google account or didn’t sign into your service with a Google
account.
- If you have an OAuth implementation, can it be extended to support Google
protocol?
- To support Google protocol, you need to be able to add the
intent=get
and intent=create functionality to your token exchange endpoint. This
functionality allows Google to check if the user already exists in your
backend and make a request to create a new account on your service,
respectively.
Follow the decision tree below to identify the account linking type that’s
optimal for you and your users:
Once you select a linking type, continue to the corresponding section
below to learn more about how it works and make further decisions about how
account linking works in your Action.
OAuth-based Google Sign-in "Streamlined" linking
The Streamlined linking type adds Google Sign-in (GSI) on top of OAuth-based
account linking, which provides the benefits of GSI (for example, voice-based
linking for Google users) while also enabling account linking for users who
registered to your service with a non-Google account. This linking type is
especially advantageous for end users because it provides a low-friction flow
for Google users with a fallback for non-Google users. For more information
about how Streamlined linking works, see the
OAuth-based Google Sign-in "Streamlined" linking concept guide.
Refine OAuth-based Google Sign-in "Streamlined" linking type
When you use the Streamlined linking type in your Action, you specify
the answers to the following questions in the Actions console to define how
it works:
Do you want to enable voice account creation or only allow account
creation on your website?
Generally, you should enable account creation via voice so that
users on a non-screened device can create an account without having to
transfer to another device. If you do not allow account creation via voice,
Assistant opens the URL to the web site that you provided for user
authentication and directs the user to a phone to continue the account
linking flow.
However, you should not allow account creation via voice if any of the
following applies:
- You need full control of the account creation flow. For
example, you may need to show your terms of service to the user during
account creation or some other type of notice.
- You want to ensure that users who already have an account with you
sign in with that account. For example, you may want users to continue
using their existing accounts if you offer a loyalty program and don’t
want the user to lose the points accrued on their account.
Do you want to use the authorization code flow or implicit flow?
The authorization code flow and implicit flow differ in that the
authorization code flow requires a second endpoint, the token exchange
endpoint. This endpoint uses refresh tokens to generate new, short-lived
access tokens without prompting the user to sign in again.
Conversely, if you use the implicit flow, you return a long-lived access
token to Google that usually does not need to be re-generated. For more
information about the authorization code and implicit flows, see the
OAuth-based Google Sign-In "Streamlined" linking concept guide.
Google recommends using the authorization code flow in your Action
because it is more secure. However, use the implicit flow instead if
your service can’t store confidential information (i.e., a client secret).
For example, you must use the implicit flow for public clients like
single-page applications (SPAs).
After considering these decision points, consult the following decision tree:
Google Sign-in
With the Google Sign-in (GSI) linking type, your Action can request access to your user’s Google
profile during a conversation and use the profile information to check if the
user exists in your service’s backend. If the user doesn’t exist, they can
create a new account in your system using their Google profile information.
For GSI, you must enable account creation via voice, which lets the user
complete the entire flow over voice. For more information about GSI, see the
Google Sign-In concept guide.
OAuth linking
With the OAuth linking type, the user signs in with the standard OAuth 2.0 flow.
The OAuth linking type supports two industry-standard OAuth 2.0 flows:
the implicit and authorization code flows.
Google does not recommend the OAuth linking type by itself because it requires transferring
the user from voice to screen to complete the sign-in process if the user is on
a non-screened device. You can consider using this flow if you have an existing
implementation of an OAuth 2.0 server, and you cannot extend the token exchange
endpoint to add support for Google’s protocols for automatic linking and
account creation from an ID token. For more information, see the
OAuth linking concept guide.
Refine the flow
When you use the OAuth linking type in your Action, you must
specify the answer to the following question in the Actions console to define
how it works:
Do you want to use the authorization code flow or implicit flow?
The OAuth linking type supports two industry-standard OAuth 2.0 flows:
the implicit and authorization code flows. The authorization code flow
and implicit flow differ in that the authorization code flow requires a
second endpoint, the token exchange endpoint. This endpoint uses
refresh tokens to generate new, short-lived access tokens without prompting
the user to sign in again.
Conversely, if you use the implicit flow, you return a long-lived access
token to Google that usually does not need to be re-generated. For more
information about the authorization code and implicit flows, see the
OAuth linking concept guide.
Google recommends using the authorization code flow in your Action
because it is more secure. However, use the implicit flow instead if
your service can’t store confidential information (i.e., a client secret).
For example, you must use the implicit flow for public clients like
single-page applications (SPAs).
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-18 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-09-18 UTC."],[[["\u003cp\u003eThe optimal account linking type for your Google Action depends on user experience, whether you allow voice account creation, accept non-Google accounts, and if your service can handle confidential information.\u003c/p\u003e\n"],["\u003cp\u003eA decision tree helps you determine the best account linking type: OAuth-based Google Sign-in "Streamlined", Google Sign-in, or standard OAuth linking.\u003c/p\u003e\n"],["\u003cp\u003eStreamlined linking combines Google Sign-in benefits with support for non-Google accounts, offering flexibility and a smooth user experience.\u003c/p\u003e\n"],["\u003cp\u003eGoogle Sign-in allows voice account creation and leverages users' Google profiles but may not be ideal if you require extensive control over the account creation process.\u003c/p\u003e\n"],["\u003cp\u003eStandard OAuth linking, while functional, might necessitate switching between voice and screen, potentially hindering user experience.\u003c/p\u003e\n"]]],["Account linking type selection depends on voice account creation, non-Google sign-in, and secure storage capabilities. To choose, consider if users have Google accounts and if existing OAuth can support Google protocol. Streamlined linking combines Google Sign-In (GSI) with OAuth, offering voice account creation unless full control or existing account sign-in is required. Authorization code flow is preferred for security unless a service can't store confidential information, in which case the implicit flow is necessary. GSI requires voice account creation. OAuth linking by itself isn't recommended.\n"],null,["# Choose your account linking type\n\nThe optimal account linking type for your Action is one that provides the\nsimplest experience for your users and fits the needs of your application or\nbusiness. Choosing your linking type is mostly dependent on the following\nfactors:\n\n- Whether you want to allow account creation via voice\n- Whether you want users to be able to sign in to your service with a non-Google account\n- Whether or not your service can store confidential information (i.e., a client secret)\n\nTo figure out your ideal account linking type, follow these steps:\n\n1. Consider the questions in the [Identify your preferred sign-in type](#identify_your_preferred_sign-in_type) section.\n2. Consult the decision tree to choose your linking type.\n3. Navigate to the section that corresponds to the initial type you chose to further refine how it works.\n\nIdentify your preferred sign-in type\n------------------------------------\n\nBefore you consult the decision tree, consider the following questions:\n\n- **Do you expect all your users to have a Google account?**\n - If your Action only targets Assistant, then you can expect all your users to have a Google account. If your Action targets platforms beyond Assistant, you cannot expect all your users to have a Google account.\n - If your service already has existing users, it's likely that some don't have a Google account or didn't sign into your service with a Google account.\n- **If you have an OAuth implementation, can it be extended to support Google\n protocol?**\n - To support Google protocol, you need to be able to add the `intent=get` and `intent=create` functionality to your token exchange endpoint. This functionality allows Google to check if the user already exists in your backend and make a request to create a new account on your service, respectively.\n\nFollow the decision tree below to identify the account linking type that's\noptimal for you and your users:\n\nOnce you select a linking type, continue to the corresponding section\nbelow to learn more about how it works and make further decisions about how\naccount linking works in your Action.\n\n### OAuth-based Google Sign-in \"Streamlined\" linking\n\nThe Streamlined linking type adds Google Sign-in (GSI) on top of OAuth-based\naccount linking, which provides the benefits of GSI (for example, voice-based\nlinking for Google users) while also enabling account linking for users who\nregistered to your service with a non-Google account. This linking type is\nespecially advantageous for end users because it provides a low-friction flow\nfor Google users with a fallback for non-Google users. For more information\nabout how Streamlined linking works, see the\n[OAuth-based Google Sign-in \"Streamlined\" linking concept guide](/assistant/identity/gsi-oauth-concept-guide).\n\n#### Refine OAuth-based Google Sign-in \"Streamlined\" linking type\n\nWhen you use the Streamlined linking type in your Action, you specify\nthe answers to the following questions in the Actions console to define how\nit works:\n\n1. **Do you want to enable voice account creation or only allow account\n creation on your website?**\n\n Generally, you should enable account creation via voice so that\n users on a non-screened device can create an account without having to\n transfer to another device. If you do not allow account creation via voice,\n Assistant opens the URL to the web site that you provided for user\n authentication and directs the user to a phone to continue the account\n linking flow.\n\n However, you should not allow account creation via voice if any of the\n following applies:\n 1. *You need full control of the account creation flow.* For example, you may need to show your terms of service to the user during account creation or some other type of notice.\n 2. *You want to ensure that users who already have an account with you\n sign in with that account.* For example, you may want users to continue using their existing accounts if you offer a loyalty program and don't want the user to lose the points accrued on their account.\n2. **Do you want to use the authorization code flow or implicit flow?**\n\n The authorization code flow and implicit flow differ in that the\n authorization code flow requires a second endpoint, the *token exchange*\n endpoint. This endpoint uses *refresh tokens* to generate new, short-lived\n access tokens without prompting the user to sign in again.\n\n Conversely, if you use the implicit flow, you return a long-lived access\n token to Google that usually does not need to be re-generated. For more\n information about the authorization code and implicit flows, see the\n [OAuth-based Google Sign-In \"Streamlined\" linking concept guide](/assistant/identity/gsi-oauth-concept-guide).\n\n Google recommends using the **authorization code flow** in your Action\n because it is more secure. However, use the **implicit flow** instead if\n your service can't store confidential information (i.e., a client secret).\n For example, you must use the implicit flow for public clients like\n single-page applications (SPAs).\n\nAfter considering these decision points, consult the following decision tree:\n\n### Google Sign-in\n\nWith the Google Sign-in (GSI) linking type, your Action can request access to your user's Google\nprofile during a conversation and use the profile information to check if the\nuser exists in your service's backend. If the user doesn't exist, they can\ncreate a new account in your system using their Google profile information.\n\nFor GSI, you must enable account creation via voice, which lets the user\ncomplete the entire flow over voice. For more information about GSI, see the\n[Google Sign-In concept guide](/assistant/identity/gsi-concept-guide).\n\n### OAuth linking\n\nWith the OAuth linking type, the user signs in with the standard OAuth 2.0 flow.\nThe OAuth linking type supports two industry-standard OAuth 2.0 flows:\nthe *implicit* and *authorization* code flows.\n\nGoogle does not recommend the OAuth linking type by itself because it requires transferring\nthe user from voice to screen to complete the sign-in process if the user is on\na non-screened device. You can consider using this flow if you have an existing\nimplementation of an OAuth 2.0 server, and you cannot extend the token exchange\nendpoint to add support for Google's protocols for automatic linking and\naccount creation from an ID token. For more information, see the\n[OAuth linking concept guide](/assistant/identity/oauth-concept-guide).\n\n#### Refine the flow\n\nWhen you use the OAuth linking type in your Action, you must\nspecify the answer to the following question in the Actions console to define\nhow it works:\n\n1. **Do you want to use the authorization code flow or implicit flow?**\n\n The OAuth linking type supports two industry-standard OAuth 2.0 flows:\n the *implicit* and *authorization* code flows. The authorization code flow\n and implicit flow differ in that the authorization code flow requires a\n second endpoint, the *token exchange* endpoint. This endpoint uses\n *refresh tokens* to generate new, short-lived access tokens without prompting\n the user to sign in again.\n\n Conversely, if you use the implicit flow, you return a long-lived access\n token to Google that usually does not need to be re-generated. For more\n information about the authorization code and implicit flows, see the\n [OAuth linking concept guide](/assistant/identity/oauth-concept-guide).\n\n Google recommends using the **authorization code flow** in your Action\n because it is more secure. However, use the **implicit flow** instead if\n your service can't store confidential information (i.e., a client secret).\n For example, you must use the implicit flow for public clients like\n single-page applications (SPAs)."]]
