search

home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0
73.6k stars 30.76k forks source link

Nest integration uses wrong client_id for Google Nest permissions web page #124345

Open afalout opened 2 months ago

afalout commented 2 months ago

The problem

First, I tried using my Google Workspace account to try to set up Nest integration - including the payment. Spent several days trying to set this up, until I found out that Google does not allow Nest on Workspace accounts. I re-checked the HA Nest integration page for mention of "workspace", but that did not exist. It would be helpful if it did.

Second, I used my "normal" gmail.com account. I completed everything on the Google side, but when HA opened the link to https://nestservices.google.com/partnerconnections/etc... , I was presented the dreaded "Can’t link to [Project Name]: Please contact [Project Name] if the issue persists"

Spent next several hours looking for errors described in "Troubleshooting" section, not finding anything wrong. In desperation, I looked at the URL constructed by HA. It contained the client_id= from my failed attempt to use Workspace account, instead of the gmail.com one.

I then manually replaced the client_id with correct one. The expected authorization page opened. I completed steps as per documentation, and in the end when the callback was made to my HA instance (https://xxxxx.com:1234/auth/external/callback?etc...) I was presented with :

500 Internal Server Error Server got itself in trouble

Which I suspected has the same root cause of my HA instance holding the WRONG OAuth client_id.

Which I still see in config/.storage/application_credentials - so I deleted the credentials using the HA interface.

Re-did everything again, callback worked, cameras work. More or less.

In summary, 2 primarily documentation issues here: 1) Google Workspace accounts are not supported for Nest 2) Google/Nest credentials are retained by HA from whatever was entered the first time. If they change, there is no way to change them from UI, and the integration will not ask for them to be re-entered or at least confirmed. They must be deleted by the user.

Hopefully this helps someone, and perhaps this can be added to the documentation.

Many thanks, Andrej

What version of Home Assistant Core has the issue?

core-2024.8.1

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

Nest

Link to integration documentation on our website

https://www.home-assistant.io/integrations/nest/

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

home-assistant[bot] commented 2 months ago

Hey there @allenporter, mind taking a look at this issue as it has been labeled with an integration (nest) you are listed as a code owner for? Thanks!

Code owner commands Code owners of `nest` can trigger bot actions by commenting: - `@home-assistant close` Closes the issue. - `@home-assistant rename Awesome new title` Renames the issue. - `@home-assistant reopen` Reopen the issue. - `@home-assistant unassign nest` Removes the current integration label and assignees on the issue, add the integration domain after the command. - `@home-assistant add-label needs-more-information` Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue. - `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

(message by CodeOwnersMention)

nest documentation nest source (message by IssueLinks)

allenporter commented 2 months ago

The documentation has this warning in the section on device access console: "It is currently not possible to share/be invited to a home with a G-Suite account. Make sure that you pay the fee with an account that has access to your devices."

The documentation also has a section on "Can’t link to" and describes how to update credentials that our our of sync.

afalout commented 2 months ago

Hi Allen, thank you for your response.

Can you please explain what "not possible to share/be invited to a home with a G-Suite account" has to do with any of issues reported? If this has something to do with Google Workspace accounts not allowing Nest integrations, then perhaps this statement needs a complete rewrite. (PS. "Googling" for "G-Suite" I now see that this is the old name for Google Workspace, but I still have no idea what "share/be invited to a home" would have to do with HA Nest integration...)

Regarding section on "Can’t link to": I followed instructions under that heading to the letter. Now, after performing all the steps I described - and certainly not before, I can guess that "Home Assistant needs to be configured with the same credentials. Delete any existing entries if they do not match, then either manually enter or re-enter as part of the setup." refers to my situation. However, how exactly would I be able to check what credentials are in use, was not mentioned. Or under what circumstanced would that occur. Additionally, I am not sure it is even possible to "then either manually enter or re-enter as part of the setup." I was certainly not prompted to re-enter them on the second attempt to set up the integration, and I did not notice any option in the process to "manually enter" them.

In summary: If the two references you provided indeed where intended to address issues I encountered, then please note that the way they are currently worded was far from obvious. I would suggest the re-write.

Also it might help to add the "Prerequisites" section and mention the need for a "standard" Gmail account at the top of the document.

Thanks Andrej

allenporter commented 2 months ago

Hi, (1) I don't have a workspace/g-suite account, but someone contributed that documentation to warn other g-suite/workspace users about part of the process that doesn't work. I'd happily approve additional documentation updates based on your understanding of the limitations of the system. My assumption is either the wording is just not helpful and should be improved or the rules have changed, i'm not sure.

(2) OK so the troubleshooting says "Can’t link to [Project Name]: Please contact [Project Name] if the issue persists: This typically means that the OAuth Client ID used is mismatched" then below that it says "Resolving mismatched OAuth Client ID" which you are quoting. Inside this section there are two things: (a) Instructions and a screenshot with a red arrow pointing to the place in the UI for a visual clue if that is helpful (b) a hyperlink on the words "Application credentials" that take you to a web page that has more detailed instructions under the heading "To view stored application credentials" with the detailed steps spelled out in case the screenshot or red arrow either is not visible or isn't making sense

The current documentation reflects the communities best attempt to document common problems that users have encountered. I am very supportive of you making improvements to the documentation and would gladly approve them. At the bottom of the page there is a link Help us improve our documentation where you can click an Edit button and make the changes you would like to see. Thank you for your contributions!