
Moritz asked ·

Account Linking leads to 401 page

Hi there —

to begin with: I have read many topics here on the forum that at least seemed to have the same issue as I do, but either there was no answer or the answer provided did not help me solve my problem. So here it is: I am trying to connect Azure AD B2C and successfully have the Card in Alexa open to start the flow. However, after logging in and being redirected to https://pitangui.amazon.com/api/skill/link/KEY I am just receiving a blank page with an HTTP 401.

If I look at the HTTP requests and the data that is exchanged, everything looks good, so I am not sure what actually is wrong here.

I have decided to use the Auth Code Grant with the following URLs and settings:

Authorization URI: https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_ALEXA_sign&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fpitangui.amazon.com%2Fapi%2Fskill%2Flink%KEY&response_type=code&response_mode=form_post

Access Token URI: https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_alexa_sign

Client ID/ Secret: Azure B2C App ID / Key

Client Authentication Scheme: HTTP Basic

Scope: openid

Domain List: login.microsoft.com

I can also provide some information on how I set up the App and Policy, but since that works as expected, I don't think that has an issue.

The problem is that the target URL is somewhat of a black box, given the blank page without any information apart from the HTTP error code. Is there any way I can debug this error further, or do you spot any configuration error from what I have set above?

Thanks,

Moritz

Tags: alexa skills kit, account linking, azure

Moritz answered ·

Hi Roy,

so I finally made it. The tip regarding the token was brilliant. That way I could narrow it down to the scope not being correct.

So in case anybody comes across the same issue: you need to use the client id as scope value to make it work.

Thanks again,

Moritz

1 comment

Hi Moritz,

So glad that you got it working! Thanks for sharing your findings with us too.

roy-1 answered ·

Hi Moritz,

Thanks for posting!

response_type and redirect_uri are both query string parameters that the Alexa App includes when it calls your authorization URI. Try removing them from your Authorization URI so that they aren’t doubled up, and let me know if that helps.


Moritz answered ·

Hi Roy,

thanks for your reply. So just to be sure that I got you right — you mean the Auth-URI should look like this: https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_ALEXA_sign&nonce=defaultNonce&response_mode=form_post?

I have tried it that way, get redirected to my Microsoft Policy, log in successfully and get redirected to one of the redirect URLs (https://layla.amazon.com/api/skill/link/XXX). This page then responds with a 401 error. What to do now?


roy-1 answered ·

Hi Moritz,

Would you mind posting the Skill ID so that I may give it a test?


Moritz answered ·

Hi Roy,

here's the skill ID you asked for: amzn1.ask.skill.f588f329-6c04-401d-ab17-3604a9b07b92

Thanks,

Moritz


roy-1 answered ·

Hi Moritz,

I tested your Skill, but was unable to complete account linking with my test account. The account linking page said that my username or id was not recognized. Would you be able to provide me with a set of test credentials?

You can add them under the Testing Instructions section of your Skill within the developer console. The Testing Instructions Field is in the Distribution tab under Privacy & Compliance.

After testing this on my end, I'll be able to provide more details, but I have a couple of suggestions in the meantime.

Firstly, please double-check that the redirect URI that is returned to the user includes the state and code query string parameters. Additional info can be found here:

https://developer.amazon.com/docs/account-linking/configure-authorization-code-grant.html#redirect-url-values

I also noticed that you have v2.0 set in the Authorization URI in your Skill settings, but I did not see this included in the following Microsoft Documentation:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#request-an-authorization-code

Lastly, I was able to find this resource on Microsoft for troubleshooting account linking with Azure AD using Postman. I hope this helps:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#request-an-authorization-code


Moritz answered ·

Hi Roy,

again — thank you so much for your support here!

I have added the test user account as requested and you'll find the credentials in the testing instructions.

Regarding your tips: I have checked the login Authorization URI again and realized the response_mode was set to "form_post". This means the code is posted back to the URL set in redirect_uri. I have changed that for now to "query" so that the code is attached to the redirect_uri after successful login. However, it still does not work.

Also one important piece of information: we are not using Azure AD to authenticate, but Azure AD B2C, which is different. You can find the documentation here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oauth-code

As mentioned in this documentation, you can add a state parameter that is passed back to the redirect_uri as well. So, as far as I understood, the state as well as both response_type and redirect_uri are added automatically to the URL by Alexa?

Here's the Authorization URI again, as it currently looks: https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_ALEXA_sign&nonce=defaultNonce&response_mode=query

I have also made a screenshot of the Account Linking form for your reference:

Thanks a lot again!

Moritz


roy-1 answered ·

Hi Moritz,

Thanks for the additional info. I tried linking the Skill with the credentials you added, and received the "we were unable to link X Skill at this time" message. I took a look in the logs, and it looks like we are receiving the auth code, but when exchanging it for access/refresh tokens from the Access Token URI, there is no token included in the response.

I also noticed on the latest link that you posted that it says "To add identity management to a web app by using Azure AD B2C, use OpenID Connect instead of OAuth 2.0." I'm not sure if that is a suggestion or requirement, but at this time, Account Linking with Alexa Skills follows OAuth 2.0 spec, and does not support OpenID.
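The checks Roy and Moritz worked through in this thread, collected into one script as an added example (this is not code from the thread, from Amazon or from Microsoft): it appends the parameters the Alexa app adds to the configured Authorization URI and flags any the URI already carries (Roy's first tip), builds the authorization-code exchange with the HTTP Basic client authentication scheme Moritz selected, and inspects a token-endpoint response for the missing access_token that Roy saw in the logs (the symptom Moritz fixed by using the client ID as the scope). Assumptions: the thread names response_type and redirect_uri as parameters Alexa appends; client_id, scope and state are assumed from the standard authorization-code request. Every identifier, secret, code and JSON response in the script is constructed for the example.

```python
"""Debugging helpers for an Alexa -> Azure AD B2C account-linking flow.

Added example, not code from the thread. Parameter names Alexa appends are
taken from the thread (response_type, redirect_uri) plus the standard
OAuth 2.0 ones (client_id, scope, state); all sample values are constructed.
"""
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def build_authorization_url(configured_uri, client_id, scope, state, redirect_uri):
    """Append the parameters the Alexa app adds to the configured Authorization
    URI and report which of them the URI already contained, so they are not
    sent twice to the IdP. Returns (url, duplicated_parameter_names)."""
    parts = urlsplit(configured_uri)
    existing = parse_qsl(parts.query, keep_blank_values=True)
    appended = [
        ("client_id", client_id),
        ("response_type", "code"),
        ("state", state),
        ("redirect_uri", redirect_uri),
        ("scope", scope),
    ]
    duplicated = sorted({k for k, _ in existing} & {k for k, _ in appended})
    url = urlunsplit(parts._replace(query=urlencode(existing + appended)))
    return url, duplicated


def build_token_request(token_uri, client_id, client_secret, code, redirect_uri, scope):
    """Authorization-code exchange with HTTP Basic client authentication (the
    scheme chosen in the thread). Returns (url, headers, form_body); replay it
    with curl or Postman to see the raw IdP answer."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "scope": scope,  # the thread found B2C needs the app's own client ID here
    })
    return token_uri, headers, body


def inspect_token_response(status, body):
    """List the reasons the Alexa side would refuse to finish linking, given
    the HTTP status and raw body returned by the Access Token URI."""
    problems = []
    if status != 200:
        problems.append(f"HTTP {status} from token endpoint")
    try:
        data = json.loads(body)
    except ValueError:
        return problems + ["token response is not JSON"]
    if "error" in data:
        problems.append(f"error={data['error']}: {data.get('error_description', '')}")
    if "access_token" not in data:
        problems.append("no access_token in response (scope did not name a resource?)")
    if "refresh_token" not in data:
        problems.append("no refresh_token in response")
    return problems


if __name__ == "__main__":
    # Constructed values; XXX stands for the skill-specific link ID.
    thread_uri = ("https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/"
                  "authorize?p=B2C_1_ALEXA_sign&nonce=defaultNonce"
                  "&redirect_uri=https%3A%2F%2Fpitangui.amazon.com%2Fapi%2Fskill%2Flink%2FXXX"
                  "&response_type=code&response_mode=form_post")
    redirect = "https://pitangui.amazon.com/api/skill/link/XXX"
    url, dups = build_authorization_url(thread_uri, "app-id", "app-id", "state123", redirect)
    print("duplicated parameters:", dups)
    _, headers, form = build_token_request(
        "https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_alexa_sign",
        "app-id", "s3cret", "code-from-idp", redirect, "app-id")
    print(form)
    # Constructed B2C-style answer with scope=openid only: an id_token but no access_token.
    print(inspect_token_response(200, json.dumps({"id_token": "eyJ...", "token_type": "Bearer"})))
```

To use it against the real flow, copy the URL Alexa actually opens (visible in the app or a proxy) and the authorization code from the redirect, send the request from build_token_request with curl, and pass the status and body to inspect_token_response; an answer containing only an id_token is the "no token included in the response" case Roy describes.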
