With the current method of setting up Google Assistant, you pass your API password as a URL parameter:
https://[YOUR HOME ASSISTANT URL:PORT]/api/google_assistant?api_password=[YOUR API PASSWORD]
Is it possible to use one of the new access tokens instead? If that is possible, I can completely disable my API password, which would greatly increase security. Something like:
https://[YOUR HOME ASSISTANT URL:PORT]/api/google_assistant?token=[YOUR TOKEN]
One possibly dumb question: Where do I get the token from? Is it the same as the API Password, or do I have to configure it, or do I have to generate it?
I tried doing this with my IFTTT stuff, but it doesn’t work for me; it triggers the false login persistent notification if I try it. Is there a specific way to do it with IFTTT? I thought it would be the same due to the same URL setup.
It's a bit weird: the segment to generate long-lived tokens appeared in my profile after disabling the HTTP API password and adding the homeassistant auth provider to the config.
I don’t know which change caused the appearance, but it definitely wasn’t there from the beginning.
This kinda defeats the purpose of the whole reason to move away from an API password. The whole point is to not send a clear text password in the URL. What you should be doing is sending the token via HTTP header as linked in the profile page. I believe this integration needs to be updated for it to work properly.
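An added example, not code from this thread or from Home Assistant: it flags and masks the credential query parameters shown in the URLs above, and builds a request that carries a long-lived token in the `Authorization: Bearer` header instead. The host name, token value and function names are constructed placeholders, and the general `/api/` REST endpoint is used because whether the `google_assistant` endpoint accepts the header is the open question here.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Query parameter names taken from the URLs quoted in this thread.
CREDENTIAL_PARAMS = {"api_password", "token"}


def credentials_in_url(url):
    """Return the names of credential-bearing query parameters found in url."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in query if name.lower() in CREDENTIAL_PARAMS})


def redact_url(url):
    """Return url with credential values masked, safe to write to a log."""
    parts = urlsplit(url)
    query = [
        (name, "REDACTED" if name.lower() in CREDENTIAL_PARAMS else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


def bearer_request(base_url, path, token):
    """Build a request that carries the token in the Authorization header."""
    url = base_url.rstrip("/") + path
    # Refuse to build a request whose URL still contains a credential.
    if credentials_in_url(url):
        raise ValueError("credential found in URL: " + redact_url(url))
    return Request(url, headers={"Authorization": "Bearer " + token})


if __name__ == "__main__":
    # Constructed sample values; the host and token are placeholders.
    base = "https://hass.example.invalid:8123"
    legacy = base + "/api/google_assistant?api_password=hunter2"
    print(credentials_in_url(legacy))
    print(redact_url(legacy))
    req = bearer_request(base, "/api/", "LONG_LIVED_TOKEN_PLACEHOLDER")
    print(req.full_url, req.get_header("Authorization"))
```

The request object is only built, not sent; pass it to `urllib.request.urlopen` against your own instance to use it.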
I think the API password is needed for the initial setup. I believe Google Assistant reaches out to your HASS instance, does some kind of handshake, then does OAuth2 stuff to join the two. I don’t really know how it works, I just watched the Home app as it tried to set up the connection to HASS after I changed to a new domain name. Perhaps some more testing can be done on initial vs ongoing need for API password (or tokens for that matter).