I’m working on an IoT thermostat project that needs integration with Alexa and Google Assistant.

The IoT architecture is quite standard:

IoT architecture

The IoT backend server offers a number of APIs to manage thermostats. It requires user authentication; once the user is logged in, a long-lived access token is issued and used in all subsequent API calls. It is a commercial server provided by a third party.

Google Assistant / Smart Home

The technology behind “Ok Google” is Google Assistant, a voice-driven AI that interacts with smart home devices. The same device control is also available in the Google Home app.

The first step to connect the thermostat to Google Assistant is to create a smart home Action.

A typical Google voice Action requires these steps:

  • Define the grammars and keywords the users can pronounce, in every language you want to support
  • Handle all different paths of voice conversations
  • Trigger the right intent
  • Fulfill the intent (API calls, etc…)

Being in the smart home framework gives us a big advantage: the conversation is already managed. You don’t need to define grammars, keywords, languages, etc… The smart home framework calls our intents directly.

Account linking OAuth

When you say “Ok Google” you’re always logged in to a Google account under the hood. It can be a Google mini, a smartphone, or an Android TV; whatever device you’re using, it is always connected to some Google account. You can even set up Voice Match to automatically map your voice to your very personal Google account.

To use the thermostat you also need to be logged in to the IoT backend server. So we need to link our personal Google account to our IoT account.

There is a (heavy) prerequisite: OAuth 2.

Minimal OAuth tutorial

We must provide Google with an OAuth service. The quickest way is to use the so-called implicit flow, which is basically a single HTTPS endpoint:

GET https://myservice.example.com/auth

This endpoint accepts the following parameters:

  • client_id
  • redirect_uri
  • state
  • response_type=token

The endpoint then displays a login/password GUI so the user can authenticate in the IoT backend. If the user logs in successfully, the long-lived access token generated by the IoT backend is passed back to Google by redirecting the user’s browser to the redirect_uri.
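The checks such an /auth endpoint should make around the login step, as an added example that is not code from the original post: it validates the four parameters before showing the login page, then builds the redirect that carries the token in the URL fragment, as the OAuth 2.0 implicit grant specifies. The client_id and redirect URI values are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlencode, parse_qs

# Constructed placeholder registration: the client_id you gave Google and the
# exact redirect URI you expect back. Neither value comes from the original post.
REGISTERED_CLIENTS = {
    "google-client-id-placeholder": "https://oauth-redirect.example.com/r/my-project",
}


class AuthRequestError(ValueError):
    """Raised when the /auth request must be rejected without redirecting."""


def validate_auth_request(query_string):
    """Check the four /auth parameters; return (redirect_uri, state) on success."""
    params = parse_qs(query_string, keep_blank_values=True)
    # Reject duplicated parameters: picking one of several values is ambiguous.
    if any(len(values) != 1 for values in params.values()):
        raise AuthRequestError("duplicated parameter")
    single = {name: values[0] for name, values in params.items()}
    client_id = single.get("client_id", "")
    if client_id not in REGISTERED_CLIENTS:
        raise AuthRequestError("unknown client_id")
    # Exact string match, never prefix or substring: the long-lived token is
    # delivered to this URL, so a loose match would leak it to another site.
    if single.get("redirect_uri", "") != REGISTERED_CLIENTS[client_id]:
        raise AuthRequestError("redirect_uri not registered for this client")
    if single.get("response_type") != "token":
        raise AuthRequestError("unsupported response_type")
    state = single.get("state", "")
    if not state:
        raise AuthRequestError("missing state")
    return REGISTERED_CLIENTS[client_id], state


def build_token_redirect(redirect_uri, state, access_token):
    """Build the post-login redirect; state is echoed back unchanged."""
    # The fragment is not sent to servers in the HTTP request line, which keeps
    # the token out of access logs along the way.
    fragment = urlencode(
        {"access_token": access_token, "token_type": "bearer", "state": state}
    )
    return f"{redirect_uri}#{fragment}"
```

Call `validate_auth_request` before rendering the login page, and on failure show an error page instead of redirecting, since the redirect target itself is what failed validation.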

OAuth authorization flow

For more security, and to also be Alexa-compatible, you can choose the authorization code flow.

This flow uses two endpoints:

  • Login page endpoint
  • Token exchange endpoint

If your IoT backend authentication system is already OAuth-compliant you can continue and configure the Google Action with your OAuth URLs.

If your authentication system is not OAuth-compliant you can develop your own OAuth server. Look at my other post about creating an OAuth server in Amazon AWS.

End of part 1