zeroSteiner asked

Alexa BearerToken Changes

I'm developing a smart home skill and using LWA for the account linking. I respond to the Alexa.Authorization AcceptGrant directive successfully after getting an access token from LWA. At this point I store the access and refresh tokens issued by LWA, associating them with the BearerToken from the grantee section of the same request based on this documentation. Afterwards I can use the access token just fine by looking up the BearerToken from the endpoint.scope.token section of the Alexa directive.


While this works for a while (I can post events using the access token), at some point the Alexa directives start using a new BearerToken value for the same user in the endpoint.scope.token section at which point I can't associate them with an access token previously issued from LWA.


My question is how should I be tracking when the BearerToken in endpoint.scope.token changes? I can't seem to find any documentation or mention of when it rotates and how I'm supposed to track it or how I'm supposed to associate the requests with an access token once this value has changed.


Thanks!

Tags: alexa smart home, account linking, login with amazon

1 Answer

Amazon_Bernardo Bezerra answered

Hi @zeroSteiner and thanks for your message.

The BearerToken that comes in the AcceptGrant message is intended to be used against the OAuth provider, in your case LWA. With it, you can retrieve unique information for the user that just authenticated. The information you have access to will depend on the scope that you used in the authorization URI, such as the userID (which is different from the userID for custom skills). More information about the available scopes can be found here. This page explains how you can retrieve the user information with the provided BearerToken.

As with other access tokens, the BearerToken has a limited lifetime for security reasons, and a new one usually gets generated after 60 minutes.

In summary, the BearerToken is not the most appropriate identifier. But you can use it to retrieve unique information, such as the userID, which you can then set as the key under which you store the access token and refresh token.

Regards,
Barry

3 comments

So with the BearerToken from the `grantee.token` field of the AcceptGrant directive from Alexa I can issue an access token. When I try to use my access token to retrieve profile information to access the `userID` field to store the access token, I get an error that the scope is invalid.


You mention something about the scopes, I've tried to add `scope=profile` when issuing the access token and I have `profile` listed as a scope under the Account Linking section of the skill in the Alexa Developer console and neither seem to be sufficient to get the profile information when processing the AcceptGrant directive.


It looks like when other directives come in after the AcceptGrant, that the BearerToken can be used with LWA to pull the profile information and the user ID.


The issue I had was I mixed up the `grant.code` and `grantee.token` values. In the AcceptGrant directive, use the `grant.code` to issue an access token, and then use the `grantee.token` to access the profile information from LWA. Future BearerTokens from Alexa can also be used to access the profile information, allowing you to use the profile.user_id value to correlate stored access tokens.


Hello @zeroSteiner and thank you for letting us know that you managed to solve your issue.

Regards,
Barry

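The bookkeeping that the answer and the final comment describe, as an added worked example (not code from the question, the answer, or any Amazon sample): `grant.code` is exchanged at the LWA token endpoint for the access/refresh token pair, `grantee.token` is presented to the LWA profile endpoint to obtain the stable `user_id`, the tokens are stored under that `user_id`, and every later directive's `endpoint.scope.token` (which rotates) is resolved back to the same `user_id` through the profile endpoint. The two LWA URLs are the documented ones; the HTTP transport is injected and the `FakeLwa` class, the token strings, the `amzn1.account.AEXAMPLE` user id and the directive bodies are constructed here so the example runs offline. The `bearer_cache` is an assumption of this example, not anything the thread prescribes: it avoids one profile call per directive while a given BearerToken is still in use.

```python
"""Account-linking bookkeeping for an Alexa smart home skill backed by LWA.

Constructed example. Only the two LWA endpoint URLs are real; FakeLwa,
the tokens, the user id and the directive bodies below are made up.
"""
import uuid

LWA_TOKEN_URL = "https://api.amazon.com/auth/o2/token"     # documented LWA token endpoint
LWA_PROFILE_URL = "https://api.amazon.com/user/profile"    # documented LWA profile endpoint


def exchange_grant_code(http, code, client_id, client_secret):
    """Exchange grant.code from AcceptGrant for LWA access + refresh tokens."""
    return http("POST", LWA_TOKEN_URL, headers={}, data={
        "grant_type": "authorization_code", "code": code,
        "client_id": client_id, "client_secret": client_secret,
    })


def resolve_user_id(http, bearer_token):
    """Map an Alexa-issued BearerToken (grantee.token, or a later directive's
    endpoint.scope.token) to the stable LWA profile user_id."""
    profile = http("GET", LWA_PROFILE_URL,
                   headers={"Authorization": "Bearer " + bearer_token}, data=None)
    return profile["user_id"]


def _event(name, payload):
    return {"event": {"header": {"namespace": "Alexa.Authorization", "name": name,
                                 "payloadVersion": "3", "messageId": str(uuid.uuid4())},
                      "payload": payload}}


def handle_accept_grant(http, directive, client_id, client_secret, store):
    """Store the LWA token pair under user_id; return the AcceptGrant response."""
    payload = directive["directive"]["payload"]
    try:
        tokens = exchange_grant_code(http, payload["grant"]["code"], client_id, client_secret)
        user_id = resolve_user_id(http, payload["grantee"]["token"])
        store[user_id] = {"access_token": tokens["access_token"],
                          "refresh_token": tokens["refresh_token"]}
    except (KeyError, ValueError) as exc:        # never echo the tokens themselves
        return _event("ErrorResponse", {"type": "ACCEPT_GRANT_FAILED",
                                        "message": "token exchange failed: %s" % type(exc).__name__})
    return _event("AcceptGrant.Response", {})


def tokens_for_directive(http, directive, store, bearer_cache):
    """Find the stored LWA tokens for a directive whose BearerToken may have rotated."""
    bearer = directive["directive"]["endpoint"]["scope"]["token"]
    user_id = bearer_cache.get(bearer)
    if user_id is None:                          # unseen (e.g. rotated) token: ask LWA who it is
        user_id = resolve_user_id(http, bearer)
        bearer_cache[bearer] = user_id
    return store.get(user_id)


class FakeLwa:
    """Constructed stand-in for LWA: one user whose BearerToken rotates once."""
    def __init__(self):
        self.bearer_to_user = {"bearer-initial": "amzn1.account.AEXAMPLE",
                               "bearer-rotated": "amzn1.account.AEXAMPLE"}
        self.codes = {"grant-code-1": ("Atza|access-1", "Atzr|refresh-1")}

    def __call__(self, method, url, headers, data):
        if url == LWA_TOKEN_URL and method == "POST":
            access, refresh = self.codes[data["code"]]
            return {"access_token": access, "refresh_token": refresh,
                    "token_type": "bearer", "expires_in": 3600}
        if url == LWA_PROFILE_URL and method == "GET":
            bearer = headers["Authorization"].split(" ", 1)[1]
            return {"user_id": self.bearer_to_user[bearer]}
        raise ValueError("unexpected request %s %s" % (method, url))


ACCEPT_GRANT = {"directive": {
    "header": {"namespace": "Alexa.Authorization", "name": "AcceptGrant",
               "payloadVersion": "3", "messageId": "m-1"},
    "payload": {"grant": {"type": "OAuth2.AuthorizationCode", "code": "grant-code-1"},
                "grantee": {"type": "BearerToken", "token": "bearer-initial"}}}}


def directive_with(bearer):
    """A minimal later directive (constructed) carrying endpoint.scope.token."""
    return {"directive": {"header": {"namespace": "Alexa.PowerController", "name": "TurnOn",
                                     "payloadVersion": "3", "messageId": "m-2"},
                          "endpoint": {"endpointId": "light-1",
                                       "scope": {"type": "BearerToken", "token": bearer}},
                          "payload": {}}}


def run_demo():
    """AcceptGrant, then a directive before and after the BearerToken rotates."""
    lwa, store, cache = FakeLwa(), {}, {}
    resp = handle_accept_grant(lwa, ACCEPT_GRANT, "client-id", "client-secret", store)
    before = tokens_for_directive(lwa, directive_with("bearer-initial"), store, cache)
    after = tokens_for_directive(lwa, directive_with("bearer-rotated"), store, cache)
    return resp["event"]["header"]["name"], store, before, after


if __name__ == "__main__":
    print(run_demo())
```

Note that `store` must be persistent storage keyed by `user_id` in a real skill (the in-memory dict is only for the demo), and that the access token it holds is the credential for posting to the Alexa event gateway, so keep it encrypted at rest and out of logs.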