Can Alexa return the access token in the header instead of the body?

The web service that I am trying to develop a custom skill for expects the token in the header in this format:

Authorization: Bearer api_token

Can Alexa return the accessToken in the above format in the header instead of sending it in the body as a nested JSON?

alexa skills kit

Brian@Amazon answered

At this time, this isn't possible.

Edit: I inverted the request above, and gave the opposite response. I've verified that it sends in header not body, and I'm not sure why it would send in body. It's not possible to send in the body.


OAuth 2.0 requires the token to be sent in the header. Please see: https://tools.ietf.org/html/rfc6750#section-2.1

I thought Alexa was compliant with OAuth 2.0. It looks like a bug that the token is being sent in this non-standard format in the body. Until this bug is fixed, services that implement OAuth 2.0 and expect the token to be sent in the header (Authorization: Bearer api_token) cannot interoperate with Alexa. If there is a workaround, please let me know. I appreciate your help in resolving this. Thanks.

Brian@Amazon ♦ newuser-df00a8bc-0b1d-48df-90fc-24d3ddc2a0e4 ·

Let me investigate further. I misread your original post. I believe that the access token is in the header, I thought you were asking about the body...

In the interim I believe you could invert them using AWS API Gateway.

I've verified that in fact it is in the header. Are you getting it in the body? If you are, please provide a screenshot of the Chrome or Firefox debug console with that content.


Thanks for looking into this, Brian. I have attached the screenshot of the test request from Alexa below. As can be seen, the access token is in the body.

In order to capture what Alexa was sending in the header, I directed the request to requestbin - and have attached that snapshot below, as well. As can be seen, there is no "Authorization: Bearer api_token" in the header. The access token is only present in the body.

service-request.png (28.3 KiB)
requestbin.png (97.3 KiB)
Brian@Amazon ♦ newuser-2518d85f-9c7f-4877-90a4-09d2b843f6d1 ·

Not at this time.


Is there an update yet?

newuser-df00a8bc-0b1d-48df-90fc-24d3ddc2a0e4 answered

Thanks Brian. This is currently blocking the integration of my web app with Alexa - and would be great if it can be supported in the near future.


newuser-df00a8bc-0b1d-48df-90fc-24d3ddc2a0e4 answered

I was looking through the forum and came across a lambda proxy example (https://forums.developer.amazon.com/questions/8155/how-to-use-aws-lambda-as-a-proxy-for-non-ssl-serve.html)

Can a lambda proxy be used as an intermediary between Alexa and my web app to solve this problem? Alexa would need to send the request to the proxy. The proxy would extract the token from the body and place it in the header in the format "Authorization: Bearer api_token" and send the request to my web app. The web app would respond back to the proxy, which sends the response to Alexa.

Would the above work? If so, can I get help in creating this lambda proxy? It will be great if Amazon can make such a lambda proxy available - since it might help a lot of other applications that expect token in the header.
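
The proxy step described in the post above (take the token from the request body and place it in "Authorization: Bearer api_token"), as an added example that is not part of the original thread and is not Amazon's code. It assumes the token sits at `context.System.user.accessToken` or `session.user.accessToken` in the Alexa request; the function names, the backend URL and the sample envelope are constructed, and the code builds the upstream request without sending it.

```javascript
// Added example: hypothetical proxy logic, not Amazon's or any poster's code.
// RFC 6750 section 2.1 b64token: 1*(ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/") *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Read the linked-account token from the Alexa request envelope (the body).
function extractAccessToken(envelope) {
  const token = envelope?.context?.System?.user?.accessToken
    ?? envelope?.session?.user?.accessToken;
  return typeof token === 'string' && token.length > 0 ? token : null;
}

// Describe the upstream call the proxy would make; nothing is sent here.
function buildUpstreamRequest(envelope, upstreamUrl) {
  const token = extractAccessToken(envelope);
  // No token means the user has not linked an account: never forward "Bearer ".
  if (token === null) return { ok: false, reason: 'account-not-linked' };
  // Reject CR/LF, spaces and other characters that could inject extra headers.
  if (!B64TOKEN.test(token)) return { ok: false, reason: 'malformed-token' };

  // Forward a copy of the body without the token, so the credential lives
  // only in the Authorization header (a design choice of this example).
  const body = JSON.parse(JSON.stringify(envelope));
  if (body.session?.user) delete body.session.user.accessToken;
  if (body.context?.System?.user) delete body.context.System.user.accessToken;

  return {
    ok: true,
    method: 'POST',
    url: upstreamUrl,
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${token}`,
    },
    body: JSON.stringify(body),
  };
}

// Constructed sample envelope, trimmed to the fields used above.
const SAMPLE_ENVELOPE = {
  version: '1.0',
  session: { user: { userId: 'constructed-user', accessToken: 'constructed.token-123' } },
  context: { System: { user: { userId: 'constructed-user', accessToken: 'constructed.token-123' } } },
  request: { type: 'LaunchRequest', requestId: 'constructed-request' },
};
```

Keep the returned `headers` object and the original envelope out of the proxy's logs, since both carry the user's access token.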


David Kavanagh answered

I used Seb's proxy from this post where I added a request header to the token call.

https://developer.amazon.com/blogs/post/TxQN2C04S97C0J/How-to-Set-up-Amazon-API-Gateway-as-a-Proxy-to-Debug-Account-Linking
