Amazon Alexa Skills Kit: How do you link with external app account / userId

Question

In an Amazon alexa skill request there is a userId and I'm trying to understand what this is and if there is some reference for it because I want to link and Amazon Echo user account with an account in my own app and to do this I would have to have some kind of static userId to work with.

Example request:

{
 "version": "1.0",
 "session": {
   "new": false,
   "application": {
   "applicationId": "amzn1.echo-sdk-ams.app.[unique-value-here]"
  },
  "sessionId": "session1234",
  "attributes": {},
  "user": {
    "userId": null //IS THERE A DETAILED REFERENCE OF THIS SOMEWHERE?
  }
},
"request": {
"type": "IntentRequest",
"requestId": "request5678",
"intent": {
  "name": "MyColorIsIntent",
  "slots": {
    "Color": {
      "name": "Color",
      "value": "blue"
    }
  }
}
}
}

Answer 1

Great question.

Short answer: You're going to have to build your own pairing between your 3rd party user and the Alexa UserID. There's no built-in support into the Alexa Skills SDK that lets you associate an Alexa UserID with your user ID. You're going to have to create a specific voice intent that associates Alexa UserIDs to your Users DB.

Longer answer: Let's start by talking about that Alexa UserID you get in each request. The Alexa UserID you get is an LWA (Login-With-Amozon) user ID. It's primary purpose to allow Alexa Skills to reliably detect repeating users.

So what doesn't work? The issue you're going to run into is that the LWA userId is always anonymized to each Alexa app. That's important because it makes sure users aren't tracked; but it also prevents you from associating the Alexa userID with your own LWA userID.

From the "Login with Amazon - Developer Guide" (page 10)

Every company that creates websites or apps for Login with Amazon gets the same user_id for a customer. However, when a customer logs in to another company's app or site, the user_id will be different. This is so user_id cannot be used to track customers across the Web.

What I'm trying to say is that you can't just implement LWA in iOS, Android or Web apps and expect to get the same LWA userId for an account as you would get as an Alexa userID. For example, if you implemented LWA on your Android app an had [email protected] user login to their Amazon account you might get amzn1.account.123456 as a userID, but when that same [email protected] user talks to their paired Echo you'll get a amzn1.account.98765 or any other totally different userId. I actually wasted two days building this architecture which is how I know it doesn't work.

So what does work? A voice-centric variation of Pin authentication seems best.

Let's look at another space of apps with a similar problem: TV apps (xbox, android TV, etc). A lot of those apps require you to login in order to get access to content (e.g. hulu, netflix, etc). But using a remote control to enter a username and password is just plain old bad UX. So what did we do for TV apps? Users go to myService.com/tv, login to their account and get a special short, numerical and time-sensitive pin code they can input to their TV.

When I was implementing an Alexa Skill we decided to take a similar approach. Users would login into our website, iOS app or Android app, go to a dedicated Echo page and then get a pin code. The on-screen instructions that would read something like this:

Go to your Echo and say:

'Launch foo'

'My pin is one two three four'

In our foo skill we have a PairingIntent intent listen to "my pin is {one two three four|pinCode}" sample utterance. After receiving a PairingIntent we'd check if that pin code was valid and if so associated that Alexa userID with our own users DB. If the pin was valid Echo would say something like "Oh, hi there bob! You now have access to all your awesome stuff.". If the pin code wasn't valid alexa would prompt users to try again.

Hopefully this makes sense. There are other options to associate 3rd party accounts with Alexa Skills but this voice-pin approach is the simplest.

Answer 2

I don't know why the original answer has been deleted but Amazon now lets you link an Alexa User with a user in your system. Here's the announcement.

How End Users Set Up Account Linking for a Skill

Users link their accounts using the Amazon Alexa app. Note that users must use the app. There is no support for establishing the link solely by voice.

Users normally start the process when initially enabling your skill in the app:

1. In the Alexa app, the user enables the skill.

2. The app displays your login page right within the app, using the authorization URL you provide when registering your skill on the developer portal. When the companion app calls this URL, it includes state, client_id, and scope as query string parameters.

   • The state is used by the Alexa service during the account linking process. Your page needs to keep track of this value, as you must
     pass it back later.
   • The client_id is defined by you. Your login page can use this to determine that the request came from your Alexa skill.
   • The scope is an optional list of access scopes indicating the level of access requested. You define the set of scopes to support when enabling account linking for your skill.

3. The user logs in using their normal credentials for your site.

4. Your service authenticates the user and then generates an access token that uniquely identifies the user in your system.

5. Your service redirects the user to an Amazon-specific URL and passes along the state, access_token, and token_type in the URL fragment.

6. The Alexa service validates the returned information and then saves the access_token for the Alexa user.

At this point, the skill is enabled, the user’s Alexa account is linked to the account in your service, and the skill is ready to be used.