actions on google - Making API requests to a 3rd party that requires authentication

Question

Here is my scenario. Imagine there is a Yoga studio that uses a professional booking and reservation system that exposes an API. Through this API an application can make a reservation for a client. The API takes the client's userid and password to make the reservation. The booking API doesn't use OAuth or any social media sign-ins.

My desire is to create an Assistant Action that would retrieve the list of classes and allow the client to make a booking.

My puzzle is what design/architecture to look towards to supply the userid/password pair required by the booking API.

How have others solved this puzzle?

Should I store the userid/password as "user state" associated with the action?

Answer 1

First, you should have a conversation with the API provider about why they don't provide an OAuth-based solution. This is a security vulnerability waiting to happen, if it hasn't already.

Second, you need to think very carefully about your own risk profile in this case:

• Google does not allow you to collect credential information (ie - passwords) through your Action.

• Because of this, you must use Account Linking to authenticate them.

• This means that you will need something (ie - a database or data store) to manage their account on your side.

  • This database would be a good place to keep the username/password you need to use for them for the API...
  • ...but it now means that you need to take extreme care about protecting this database.

You don't really say how this API allows for accounts to be created and managed. If these accounts are just used for you (ie - the user doesn't necessarily see them), then you can mitigate some of that risk by treating the username/password as an opaque token that you manage and generate and that the user never sees.

If this is something that the user is aware of, then you'll need to approach the account linking in one of two ways:

1. Have them log into your service via an app or webapp using this credential info that you will need to save (ack!) and then link to the Assistant using OAuth.
2. Have them log into your service via an app or webapp using Google Sign-In, which will carry over to your Action. Then have them provide the credential info for the API, which you will need to save (ack!).