question

Steven R Forman avatar image
Steven R Forman asked

curl AVS authentication

What exact curl commands can be used to automatically get the "code" from a curl re-direct Url? I am able to do this manually in 2 steps according to Miguel Mota's blog entry at: https://miguelmota.com/blog/alexa-voice-service-authentication/ However, surely if cookies and re-directs are enabled, then getting the "code" and "token" should be able to be combined in one shell script. So far, this is my latest unsuccessful attempt which is still replying that cookies need to be enabled. AUTH_URL=" https://www.amazon.com/ap/oa" AUTH_DATA="client_id=${CLIENT_ID}&scope=$(echo $SCOPE | urlencode)&scope_data=$(echo $SCOPE_DATA | urlencode)&response_type=${RESPONSE_TYPE}&redirect_uri=${REDIR ECT_URI}&username=${USERNAME}&password=${PASSWORD}" curl -b /tmp/ cookies.txt -c /tmp/ cookies.txt -v -v -v -L -X POST -d "${AUTH_DATA}" "${AUTH_URL}" I believe I would still need to pass all the hidden values in the form but am not quite sure how to do that. Any other suggestions/modifications that would make this work in one automated script?
alexa voice service
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

swasey@amazon avatar image
swasey@amazon answered
What exactly is the end result of what you're trying to do? If you're just trying to get a refresh_token so you can make requests to AVS whenever you want without having to reauthenticate, then you only need to do this manual process once. refresh_tokens don't expire, so you can exchange a refresh_token for an access_token every hour with CURL in a cron job or something similar. This exchange can be seen on this page under the label "Exchanging the Refresh Token for a New Access Token (Authorization Code Grant Only)". I don't believe what you're trying to do with CURL to authenticate your account is possible, however. There are tokens on the page that need to be submitted as part of the request (to prevent CSRF for example), and I'm sure there are also other protections against automated requests against the Login With Amazon pages. For all intents and purposes you should consider the login and agreement stage of the OAuth Login With Amazon process a manual step. Please let me know if you have further questions and I'll be happy to elaborate.
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Steven R Forman avatar image
Steven R Forman answered
That makes things quite a bit easier. Now, to those who are watching this thread and want to do something similar in a Linux bash script, my code looks as follows: (Note: I just use "jq" ( https://github.com/stedolan/jq) to parse the JSON response.) #!/bin/bash refresh_token() { CLIENT_ID="amzn1.application-oa2-client.XXXXXXXXXXXXXXXXXXXXX" CLIENT_SECRET="YYYYYYYYYYYYYYYYYYYYYYYYY" # login and get authorization code GRANT_TYPE="refresh_token" REFRESH_TOKEN=$(jq -r '.refresh_token' /tmp/token.json) # get token curl -s -X POST --data "grant_type=${GRANT_TYPE}&refresh_token=${REFRESH_TOKEN}&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}" https://api.amazon.com/auth/o2/token > /tmp/token.json } # if the auth token is older than 1 hour, refresh it find /tmp -mmin -60 | grep -q "token.json" || refresh_token TOKEN=$(jq -r '.access_token' /tmp/token.json) # always use the access_token in request # record audio from mic input for 5 seconds arecord -d 5 test.wav # verify aplay test.wav # send audio curl -s -i \ -H "Authorization: Bearer ${TOKEN}" \ -F "metadata=
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

swasey@amazon avatar image
swasey@amazon answered
Thanks for posting your code, Steven! I'm sure it'll be useful for somebody. To be clear to those reading, the posted code does not answer the initial request of how to get an authorization code from the LWA redirect, but instead answers how to exchange a refresh_token for an access_token and making a simple voice request to AVS. That process is described on this page: https://developer.amazon.com/public/solutions/alexa/alexa-voice-service/docs/authorizing-your-alexa-enabled-product-from-a-website that I forgot to link in my previous post, under the section "Exchanging the Refresh Token for a New Access Token (Authorization Code Grant Only)"
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.