Lio2000 asked

App to app account linking - invalid scope

Hello,

I tried to use the app-to-app account linking feature, so in order to get an authorization code I used the following URL with all the parameters correctly filled in: https://www.amazon.com/ap/oa?client_id={ClientId}&scope=alexa::skills:account_linking&response_type=code&redirect_uri={yourRedirectUrl}&state={yourState}

But with the scope alexa::skills:account_linking I always get "an unknown scope was requested" and so on.

https://mywebsite/login-lwa?error_description=An+unknown+scope+was+requested&state=link&error=invalid_scope

I tried with "scope=profile" and everything works well until point 6, "Enable the skill and complete the account linking", where I received 403 Forbidden etc.

I imagine that the token I receive is not enabled with skill activation and therefore my request is rejected, but I didn't find a way to make "Login with Amazon" work with alexa::skills:account_linking, and in the documentation there are only 3 scopes available.

profile, profile:user_id, postal_code

profile%20postal_code

As mentioned here :

https://developer.amazon.com/docs/login-with-amazon/requesting-scopes-as-essential-voluntary.html


Thanks a lot for your answers guys :-)


Gaetano@Amazon answered

Hi,

thanks for your post.

I understand you are implementing the account linking flow using LWA.

Can you please share the skill-ID and a timestamp of the linking attempt for which you get the invalid_scope error?

Kind regards,
Gaetano

1 comment

Hi, I am also facing the same issue.

Skill id is: amzn1.ask.skill.0a015af6-310c-4ce4-8182-6897e1215abc

Can you please help me with this?

newuser-d8a9cc24-0aed-4e54-a322-8e1159607378 answered

@Gaetano@Amazon

I am getting a similar error. My skill ID is:

amzn1.ask.skill.9215ccdc-96c8-449d-85a6-fee9e4d17a58

And time stamp for an attempt is: Wed, 15 Jan 2020 15:19:51 GMT.


If I use 'alexa::skills:account_linking' as a scope I get an invalid scope error.


If I use "profile" as scope I get an error saying that the token is invalid or that I do not have access to make this request. I am pretty sure my token is valid though.


Thanks for your help!

newuser-bd4fd406-f012-41c6-bb5a-38db1b53a7cb answered

I am also facing the same issue.

When I used the scope alexa::skills:account_linking, I got the error invalid scope.

Then I changed the scope to profile and I am able to get an accessToken, but when I call the API to activate the skill it gives me the error "The authentication token is invalid or doesn't have access to make this request."

Can you please help me with this issue?

newuser-184bbbca-52e2-4a0e-a408-ad19ff4efa5c answered

This took me a long time of trials and errors to figure out. What worked for me is to make sure that you're using the Alexa client ID when requesting the auth code from LWA. If you use the LWA security profile client ID, only the three profile scopes are allowed.

After you get the auth code, you need to request the access token with the same Alexa client id and secret, otherwise it will return an invalid code error.

Then - and this is the part I'd like to find a better solution to - you need to request another authorization code from LWA with the LWA security profile client id (NOT alexa like earlier). Only this auth code and the access token from previously will be able to call the enable alexa skills request successfully. I recommend using a client like Postman to make it easier to test these requests.


I'm still looking for a solution or workaround to not have the user sign in twice (for the two auth codes). If anyone knows a solution please let me know.

2 comments

Hi,

Would you please share the POST request detail that you use to link and enable the skill?

I am getting "website temporarily unavailable" in the response. Below is my POST request:

POST api.amazonalexa.com/api/v1/users/~current/skills/amzn1.ask.skill.747xxxxx/enablement HTTP/1.1
Header:
Authorization: bearer Atza%7CIwEBINojVdQdXPWMujb9-xxxxx
Content-type: application/json
Body:
{
  "stage": "skill stage",
  "accountLinkRequest": {
    "redirectUri": "https://b1afad690bb4.test.io/callback/alexa",
    "authCode": "ANRZxxxxx",
    "type": "AUTH_CODE"
  }
}


Hi NewUser-184bbbca-52e2-4a0e-a408-ad19ff4efa5c,

Thanks for the comments, I tried the same and it worked perfectly fine.

But did you get a chance to check how we can avoid the 2nd login to get the auth code again?

Or, how can we get the auth code for the LWA profile with any LWA API call?


Thanks for help.

newuser-592c6ff8-5ca2-4fe7-a380-34dac86e739c answered

Please use the client id and client secret in the yellow circle below to request a token.

The Get URI will look like this.

https://www.amazon.com/ap/oa?client_id=amzn1.application-oa2-client.88xxxxx&response_type=code&scope=alexa::skills:account_linking&redirect_uri=https://b1afad690bb4.test.io/callback/alexa&state=72178714-4ca2-4dd3-a9da-95aea71d3831&access_type=online

client_id: below the yellow circle

redirect_uri: your web site where you want to handle the link

state: your state



1595893554977.png (85.0 KiB)
1595894659922.png (74.0 KiB)
newuser-a08506f3-1a02-474b-b918-4ab935d01fac answered

I am trying to enable the skill for my account dewijones92@gmail.com


I am doing what it says here: https://forums.developer.amazon.com/questions/219022/app-to-app-account-linking-invalid-scope.html

"This took me a long time of trials and errors to figure out. What worked for me is to make sure that you're using the Alexa client ID when requesting the auth code from LWA. If you use the LWA security profile client ID, only the three profile scopes are allowed.

After you get the auth code, you need to request the access token with the same Alexa client id and secret, otherwise it will return an invalid code error.

Then - and this is the part I'd like to find a better solution to - you need to request another authorization code from LWA with the LWA security profile client id (NOT alexa like earlier). Only this auth code and the access token from previously will be able to call the enable alexa skills request successfully. I recommend using a client like Postman to make it easier to test these requests."


I am still getting an error and the user is still unable to enable the skill from their Android device. Please help. Many thanks

Here are my logs:
https://pastebin.pl/view/df406573


Many thanks

1 comment

Hi,

please file a contact us here where we will be able to assist further.

We would need the following info:

- Skill ID
- Test credentials for the account linking process
- Timestamp of the error

Regards,
Gaetano

Geet Sarphare answered

1. Retrieve an access token by using the alexa::skills:account_linking scope with the Alexa Client ID client profile (not-editable one)
2. Call LWA with the other client ID (editable one) to retrieve the authorization code with another scope (such as "profile")
3. Use the access token from step 1 and authorization code in step 2 to call the Skill Activation API as per the documentation below:
https://developer.amazon.com/en-US/docs/alexa/account-linking/skill-activation-api.html#enable-and-link

In other words, the access token you have retrieved is not used until you call the Skill Activation API in step 3 above. You will need to call LWA twice with separate client IDs and scopes, then use the access token (with alexa::skills:account_linking scope) and the second authorization code with the Skill Activation API. The first access token is not used in retrieving the authorization code used in step 2.
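
The three steps above, sketched as an added example that is not part of the original answer or Amazon's own code: it builds the two authorization requests with separate client IDs, scopes and `state` values, checks each redirect (including the `invalid_scope` redirect from the question), and assembles the Skill Activation request without sending anything. The function names, client IDs, skill ID, codes, token and the `development` stage are constructed placeholders and assumptions.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://www.amazon.com/ap/oa"  # LWA endpoint from the question
ENABLEMENT = "https://api.amazonalexa.com/api/v1/users/~current/skills/{}/enablement"

def authorize_url(client_id, scope, redirect_uri, state):
    """Authorization request; the scope has to be one this client ID may ask for."""
    return AUTHORIZE + "?" + urlencode({
        "client_id": client_id, "scope": scope, "response_type": "code",
        "redirect_uri": redirect_uri, "state": state})

def read_callback(callback_url, expected_state):
    """Return the code from a redirect; reject a foreign state or an OAuth error."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in q:
        raise ValueError(f"{q['error']}: {q.get('error_description', '')}")
    return q["code"]

def enablement_request(skill_id, stage, alexa_token, second_code, redirect_uri):
    """Step 3: token from the Alexa client ID plus code from the other client ID."""
    headers = {"Authorization": "Bearer " + alexa_token,
               "Content-Type": "application/json"}
    body = {"stage": stage, "accountLinkRequest": {
        "redirectUri": redirect_uri, "authCode": second_code, "type": "AUTH_CODE"}}
    return "POST", ENABLEMENT.format(skill_id), headers, json.dumps(body)

# Constructed placeholders, not values from the thread.
ALEXA_CLIENT = "amzn1.application-oa2-client.ALEXA-PLACEHOLDER"
PROFILE_CLIENT = "amzn1.application-oa2-client.PROFILE-PLACEHOLDER"
REDIRECT = "https://example.com/callback/alexa"

def demo():
    s1, s2 = secrets.token_urlsafe(16), secrets.token_urlsafe(16)  # one state per request
    url1 = authorize_url(ALEXA_CLIENT, "alexa::skills:account_linking", REDIRECT, s1)
    url2 = authorize_url(PROFILE_CLIENT, "profile", REDIRECT, s2)
    # Constructed redirect for request 2; the step 1 code is exchanged for a
    # token at the LWA token endpoint, which is not shown here.
    code2 = read_callback(f"{REDIRECT}?code=SAMPLE-CODE-2&state={s2}", s2)
    req = enablement_request("amzn1.ask.skill.PLACEHOLDER", "development",
                             "SAMPLE-ACCESS-TOKEN", code2, REDIRECT)
    return url1, url2, req

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Keeping a separate `state` per authorization request lets the callback handler tell the two redirects apart and discard one it did not initiate.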
