Alexa account linking - How to get id_token instead of access_token

I was successfully able to link my Alexa app (client) to our company's OpenID Connect platform (authorization server).

Our authorization server returns the following information to the Alexa client:

{
 "access_token":"eyAi",
 "refresh_token":"kfQ",
 "scope":"openid profile", 
 "id_token":"eyA",
 "token_type":"Bearer",
 "expires_in":3598
}

The Alexa client successfully receives this information and, when invoking skills, passes the "access_token" on to our code.

So in summary, the two systems are linked and Alexa is sending us the access_token. So far so good.

HOWEVER, the issue is that our platform requires the "id_token" and not the "access_token". So I want Alexa to send us the id_token.

I fail to find any documentation on how to achieve this. Please help.

Here is a link to account linking under Alexa.

Bubble Trouble asked Oct 29 '22 23:10


1 Answer

True as of Jan 2020 as well. It is contrary to popular convention, wherein the accessToken is passed in requests for authorization (OAuth) and the ID token is used for identity authentication (OpenID).

On logging in through a Cognito User Pool, we are assigned an ID token, an access token, and a refresh token. The ID token is used to communicate with STS and Cognito Federated Identities. An API Gateway authorizer that checks only for an ID token will deem the request Unauthorized if an accessToken is sent instead of an ID token. AWS explains the data flow between Cognito and Federated Identities in this video: https://youtu.be/VZqG7HjT2AQ?t=528

On linking Alexa with Cognito, when the user logs in to the Alexa skill, Alexa records the accessToken from among all the other tokens and sends it to Cognito in the subsequent requests.

With no ID token in these requests, they fail with an HTTP 401. This is a discord between Amazon's services, and I hope they develop a workaround for it.

One way around it is to use a custom authorizer Lambda and write your own logic.

A better way is to use a resource server to add some custom OAuth scopes to your user pool, then add those OAuth scopes to your API Gateway resources page.

API Gateway will then check the accessToken and allow the requests that carry the OAuth scopes defined on the API Gateway resource.

Supreet Deshpande answered Nov 11 '22 10:11
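The two workarounds in the answer above (a custom authorizer Lambda, and a resource-server scope that the authorizer enforces on the access token) combined into one worked example. This is added code, not from the thread or from AWS; the issuer, client id, scope name and tokens are constructed placeholders. To run offline it signs tokens with HS256 and a shared test secret; real Cognito tokens are RS256 and must be verified against the user pool JWKS (`/.well-known/jwks.json`) with a JWT library, which is the only part you would swap out.

```python
"""Custom API Gateway Lambda authorizer that accepts a Cognito *access* token.

Added example for this thread, not code from the original post or from AWS.
Assumptions (all constructed): HS256 with TEST_SECRET stands in for RS256
against the user pool JWKS; ISSUER, CLIENT_ID and REQUIRED_SCOPE are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # placeholder
CLIENT_ID = "example-app-client-id"          # placeholder app client id
REQUIRED_SCOPE = "skill-api/read"            # custom scope from a Cognito resource server (placeholder)
TEST_SECRET = b"test-only-shared-secret"     # stands in for the JWKS public key


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_signature(signing_input: bytes, signature: bytes) -> bool:
    # Placeholder HS256 check. In production replace with RS256 verification
    # using the JWKS key whose 'kid' matches the token header.
    expected = hmac.new(TEST_SECRET, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def validate_access_token(token: str, now=None) -> dict:
    """Return the verified claims, or raise ValueError with the reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    if not verify_signature(f"{header_b64}.{payload_b64}".encode(), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != "access":
        # An ID token carries token_use == "id"; this authorizer is for the
        # access token Alexa forwards, so anything else is rejected.
        raise ValueError("not an access token")
    if claims.get("client_id") != CLIENT_ID:
        raise ValueError("wrong client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if REQUIRED_SCOPE not in claims.get("scope", "").split():
        raise ValueError("missing scope")
    return claims


def build_policy(principal: str, effect: str, method_arn: str) -> dict:
    """IAM policy document in the shape an API Gateway Lambda authorizer returns."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
    }


def handler(event: dict, context=None) -> dict:
    """TOKEN-type authorizer entry point. The skill backend forwards the value
    Alexa sends in context.System.user.accessToken as the Authorization header,
    which API Gateway hands over as event['authorizationToken']."""
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    try:
        claims = validate_access_token(token)
    except ValueError:
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(claims["sub"], "Allow", event["methodArn"])


def make_test_token(claims: dict) -> str:
    """Constructed helper that mints an HS256 token for the offline demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(TEST_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items"
    access = make_test_token({"sub": "user-1", "iss": ISSUER, "token_use": "access",
                              "client_id": CLIENT_ID, "scope": "openid skill-api/read",
                              "exp": int(time.time()) + 600})
    id_tok = make_test_token({"sub": "user-1", "iss": ISSUER, "token_use": "id",
                              "aud": CLIENT_ID, "exp": int(time.time()) + 600})
    for label, tok in (("access token", access), ("id token", id_tok)):
        effect = handler({"authorizationToken": "Bearer " + tok, "methodArn": arn})
        print(label, "->", effect["policyDocument"]["Statement"][0]["Effect"])
```

The decisive checks are `token_use == "access"` and the scope test: a Cognito access token only carries custom scopes when the app client is allowed to request them from the resource server, so the authorizer here is the hand-written equivalent of the scope check API Gateway performs once `AuthorizationScopes` are set on the method. The ID token is refused because Alexa never forwards it, and because a token meant for the client (`aud`) is not the right credential for an API (`client_id` and `scope`).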