newuser-3bb725c6-8af8-4c86-a718-2f8d79f682d9

Refresh token from cognito not being refreshed

We currently have users experiencing issues with our Smart Home Alexa skill due to what we believe is an issue where Alexa is not refreshing the refresh token provided when account linking via Cognito. Account linking works successfully and users have no issues until after the length of the refresh token; at that point the skill remains enabled but no actions work and devices show as "Server is unresponsive." The access token length is 60 minutes and the refresh token length is 30 days.

alexa smart home, account linking

Tsuneki@Amazon answered

Hi there,

Thanks for posting.

Could you share your skill ID for further investigation?

newuser-3bb725c6-8af8-4c86-a718-2f8d79f682d9 answered

Hello, the skill ID for the skill in question is: amzn1.ask.skill.90cb3310-80e5-459f-96f2-822e34233398

The settings within this skill for authentication, such as Access Token URI, are set to exactly what Cognito provides with no changes. I'm starting to think maybe some of the Account Linking settings within the skill are not set up correctly, which is not letting the refresh token be refreshed with each access token.

Tsuneki@Amazon answered

Hi there,

Apologies for the delayed response.

Could you please share the timestamp of the issue so we can check our log?

1 comment

Just checking in to see if there have been any updates with this issue. I'll take this opportunity to provide some additional detail about the problem. We have several skills experiencing the issue described above, one with the ID of: amzn1.ask.skill.90cb3310-80e5-459f-96f2-822e34233398. Our skill is set up to use Authorization code grant for account linking. We are using Amazon Cognito as our OAuth provider. Expiration of our access tokens is 60 minutes and refresh tokens expire after 90 days. Currently users are able to successfully link their accounts and utilize the skill without issue. After the access token expires (60 minutes), a new access token is retrieved using the refresh token successfully. The issue comes in after the expiration date of the refresh token received from the initial account linking; no further Alexa requests work after this time. The only solution is to disable and re-enable the Alexa skill. We assume this causes Alexa to once again store the new refresh token that is returned from account linking and operations resume as normal, until this new refresh token expires. We do not want users to be required to re-enable their skills to get a new refresh token.

Does Alexa only support non-expiring refresh tokens? If not, what steps should we follow to update the refresh token?

newuser-3bb725c6-8af8-4c86-a718-2f8d79f682d9 answered

Sure. This issue was first discovered on March 26th. At 12:14pm EST there was an attempt made to control a device that did not work. That attempt did not make it to our lambda function. Another attempt was made at around 4:40pm EST or so to perform a discovery that also failed and never made it to lambda.

newuser-3bb725c6-8af8-4c86-a718-2f8d79f682d9 answered

Bumping in hopes of having this question reopened. It's been three weeks since the last response.

1 comment

My apologies for the delayed response.

We were looking into your issue and we found in the log that we are hitting the 3p and the response received is either null or "access_token" is not present. Could you check the response sent in that time frame?

2018/04/23 14:35:17.664

Ikkysleepy answered

This issue can be tracked back since the inception of Alexa and it has not been fixed. I have tracked back the issue to maybe being related to the use of the skill... so linked skills with no use for several days at a time fail to get a refresh token. I have lost hope that this issue would be fixed last year. Looks like I was correct and this issue still happens. The interim solution is to change the refresh and timeout for a year, which defeats the purpose of using oauth2 ... having said that I’ll be updating it for 2 years because people who use skills get really annoyed with this problem.

Bluefox answered

I am facing the same issue with Skill amzn1.ask.skill.8c1d718c-6d06-4db9-b6a3-ead7562b9780. I use Cognito as OAuth for the Alexa Skill and about 1% of ca. 1000 users have the same problem, that only unlinking/linking the skill helps to restore the communication.

I switched to Cognito from my own OAuth server in the hope of solving the problem, because on my own OAuth service I have seen the same problem. But there I could see what happens, and I saw that the Alexa service came with an expired refresh token and was rejected.

Cognito has default settings 60min (access), 30 days (refresh).

Please help.

6 comments

I am one of the impacted users Bluefox mentioned above. Only with the great help in the ioBroker forum, I eventually figured out where to look and how to address the issue for me. Obviously, a permanent solution is needed for reliability reasons.


Same problem here. Please fix this issue asap.


Amazon, help to close or fix the problem fast

I get the same problem again. Right after a month I had to deactivate and reactivate the Skill.

This must be fixed very soon, otherwise I will be thinking about using the Alexa stuff any longer, sell all Alexas and switching to other devices like Google Home and give that a try...

As long as the problem isn't solved I'm not going to buy any other Alexa stuff!

If you need my help, tell me what to do to investigate the problem.

regards

Tom


I also ran into this problem. On 29.1 and now 1.3 I needed to deactivate the skill and activate it again. Very annoying... please fix it, Amazon

6 weeks and no solution - is this the Amazon reaction time?

Francisco Rivas answered

Hello @Tsuneki@Amazon I am experiencing the same issue.

Account Linking works properly; however, after 10 minutes it seems that Alexa has not refreshed the access token, so I have to disable the Skill, enable it and do the AL again.

I have performed the steps manually using Postman and I can see the server is providing the access token and refresh token as follows:


    {
      "access_token": "ZDk4MmZhY2Q3....",
      "expires_in": 600,
      "token_type": "bearer",
      "scope": "ROLE",
      "refresh_token": "MDVjZDc5NDU....."
    }


Then I wait for 10 minutes and send a request using that refresh token with the following included in the body of the request, as such:

    {
      "grant_type": "refresh_token",
      "refresh_token": "MDVjZDc5NDU2N2I2......"
    }


Then I get:


    {
      "access_token": "NzZlMDdmO.......",
      "expires_in": 600,
      "token_type": "bearer",
      "scope": "ROLE",
      "refresh_token": "MjA2ZjM2ODMzYTU......."
    }


Which I understand is what Alexa expects. My question is: why is Alexa not refreshing the access token? I am using an in-house OAuth2 server and I do not have access to the logs to check at least if Alexa is sending the request and is probably the server that does not know how to handle that request. I am using Auth Code Grant.


I tried setting up the debugger as per: https://developer.amazon.com/blogs/post/TxQN2C04S97C0J/How-to-Set-up-Amazon-API-Gateway-as-a-Proxy-to-Debug-Account-Linking


but I get an error from the server:

    {
      "error": "access_denied",
      "error_description": "OAuth2 authentication required"
    }


so I discarded that way of debugging.


Any help would be really appreciated.

Thank you very much in advance
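
The token lifecycle discussed in this thread, simulated offline as an added example; it is not part of any post above and is not Alexa or Cognito code. `ToyTokenServer`, `check_token_response` and `days_until_link_breaks` are hypothetical names, the server is a constructed stand-in with a 60-minute access token, and it is assumed that a rotating server invalidates the old refresh token as soon as it issues a new one.

```python
import secrets

HOUR, DAY = 3600, 86400

class ToyTokenServer:
    """Constructed stand-in for a token endpoint (hypothetical, runs offline)."""
    def __init__(self, refresh_ttl, rotate):
        self.refresh_ttl, self.rotate = refresh_ttl, rotate
        self.refresh_expiry = {}                    # refresh_token -> absolute expiry

    def _issue(self, now, new_refresh):
        body = {"access_token": secrets.token_urlsafe(8),
                "token_type": "bearer", "expires_in": HOUR}
        if new_refresh:
            token = secrets.token_urlsafe(8)
            self.refresh_expiry[token] = now + self.refresh_ttl
            body["refresh_token"] = token
        return body

    def authorization_code_grant(self, now):
        return self._issue(now, new_refresh=True)

    def refresh_grant(self, refresh_token, now):
        expiry = self.refresh_expiry.get(refresh_token)
        if expiry is None or now >= expiry:
            return {"error": "invalid_grant"}       # RFC 6749 section 5.2
        if self.rotate:
            del self.refresh_expiry[refresh_token]  # assumption: old token dies on rotation
        return self._issue(now, new_refresh=self.rotate)

def check_token_response(body):
    """Return body if it is a usable RFC 6749 section 5.1 success response."""
    if not isinstance(body, dict) or "error" in body:
        raise ValueError(f"token endpoint failure: {body!r}")
    if not body.get("access_token") or not body.get("token_type"):
        raise ValueError("response lacks access_token or token_type")
    return body

def days_until_link_breaks(rotate, persist_rotated, refresh_ttl_days=30, horizon_days=120):
    """Refresh once per hour; return the day the link dies, or None if it survives."""
    server = ToyTokenServer(refresh_ttl_days * DAY, rotate)
    refresh_token = check_token_response(server.authorization_code_grant(0))["refresh_token"]
    for now in range(HOUR, horizon_days * DAY + 1, HOUR):
        try:
            body = check_token_response(server.refresh_grant(refresh_token, now))
        except ValueError:
            return now // DAY
        if persist_rotated and body.get("refresh_token"):
            refresh_token = body["refresh_token"]   # replace the stored token
    return None
```

With a non-rotating server the link fails on the day the original refresh token expires, whatever the client does; it survives the whole horizon only when the server rotates the refresh token and the client stores each replacement.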

