Search code examples
amazon-web-servicesazuretokenazure-active-directoryalexa-skills-kit

How to get the accesstoken from alexa after account linking with azure AD

I tried to connect my Alexa AWS Lambda function (node.js 6.10) with Azure Activ Directory to my Azure-Cloud-API. After reading the documentation from amazon and many tutorials I have now a working Account Linking. That means, I can link the Account of the Skill inside the Alexa-App on my smartphone.

AccountLinking for my Custom Skill: {Data from my azure portal}

  • Authorization Grant Type: Auth Code Grant
  • Authorization URI: {OAUTH 2.0 AUTHORIZATION ENDPOINT}
  • Access Token URI: {OAUTH 2.0 TOKEN ENDPOINT}
  • Client ID: b9c6[...]bc60 {Application ID}
  • Client Secret: {Client Secret}
  • Client Authentication Scheme: Credentials in request body
  • scope: openid
  • domain: empty
  • redirect urls: --> In Azure portal as ALLOWED TOKEN AUDIENCES and Reply URLs defined

In my aws lambda function I get the event request from alexa like the documentation says with properties for version, session, context, request...

My understanding of the documentation is, that the token I need for the Azure-Cloud-API-Request should be here: session.user.accessToken But this token doesn't look like the one I need and after my test runs I get always "Unauthorized" back. The Token looks something like this and is 1252 characters long:

AQABAAAAAADX8GCi6Js6SK82TsD2Pb7rqGN56iHT_YSxlSr1RAdXucGs0S3ykOaw0XZ1WnjJotqZAn9BH7agRbP0VQv2rnJuRw_aJil7 [...] JIEO2Ap4wuG-tTwiSmZBfbLhyYtwQmxLAkqiLApqFmBYcyu-dnzlVV4liDGyTQ7gAXufd3zt7QGmi3UfP1aL9f5NBeXbmxnU6FHRzF10QZa19pTQgNTtIK8oIAA

If I configure postman and send a request to the azure activ directory I get a accessToken like this (1168 characters long):

eyJ0eXAiOiJKV1QiLCJhbGc [...] Ezbk5aY2VEYyJ9.eyJhdWQiOiJodHRwczovL21ldGVvcmEtYXBwLmF [...] kY5MWVUUXdBQSIsInZlciI6IjEuMCJ9.KJco47-FdJ_eeqv38LL [...] YK_4JqCRDw

This one looks like a jwt-token and if I copy this token directly in my aws lambda function and use this one for the Azure-Cloud-API-Request it works (until the token expires).

Now I'm not sure if there is a problem in my configuration of the account linking? Or do I have to do something with the token from alexa to get the real one? Or is the real token somewhere else and I have to fetch it there?

Thanks a lot for your help!

Amazon Documentation "Alexa Skills Kit":

https://developer.amazon.com/docs/custom-skills/link-an-alexa-user-with-a-user-in-your-system.html

EDIT (Solution) 11.06.2018

  • Authorization Grant Type: Auth Code Grant
  • Authorization URI: {OAUTH 2.0 AUTHORIZATION ENDPOINT} + ?resource= + {Application ID}
  • Access Token URI: {OAUTH 2.0 TOKEN ENDPOINT}
  • Client ID: b9c6[...]bc60 {Application ID}
  • Client Secret: {Client Secret} App>Settings>Keys new Key with expiration date = 2 years
  • Client Authentication Scheme: Credentials in request body
  • scope: empty
  • domain: empty
  • redirect urls: --> In Azure portal as ALLOWED TOKEN AUDIENCES and Reply URLs defined
Solution

  • It sounds like you haven't completed the account linking sequence for your skill. After setting the account linking configuration you need to open the Alexa app (on your phone or https://alexa.amazon.com) and go to your new skill and link your account. Once that is successful you will get a token in request.Session.User.AccessToken.

    The blog post: https://blogs.msdn.microsoft.com/premier_developer/2017/12/09/amazon-alexa-skills-authenticated-by-azure-active-directory-and-backed-by-asp-net-core-2-0-web-api-hosted-on-azure/ needs to be updated with the following:

    • You can ignore the sections about the "front end" app registration.
    • In Alexa account linking section update URLs to use login.microsoftonline.com instead of login.windows.net
    • ClientId to be the Application Id of the "back end" app registration
    • The ?resource= has to be set and has to be the same as the audience parameter for the JWT bearer options. This is ClientId if you use the .Net Core 2.0 template in Visual Studio.
    • The client secret (key) that is used can not be one that "Never Expires". Use a 1 or 2 year duration.