Michael asked

How to do log-out or invalidate auth_token in Alexa skill or card?

Hi,

I'm finding good information about account linking, how it works, etc., so that is O.K. What I did not find and need help with:

How can I log out a user via Alexa?

* Of course the simplest is to provide a "log-out intent", and if there is no other way I will do so, but

since it is not convenient to provide a kind of menu with voice feedback, the user does not know that there is a log-out intent. With visual interfaces that is easy with a preference menu, etc.

So the most user-friendly option would be to provide one of these two options:

a) providing some customizable link, e.g. in the welcome card in the Alexa App; if the user presses it, he gets logged out

b) if Amazon could provide some link in the Skill config to provide some standard way to allow the user to log out of the account and delete the auth_token.

c) Well, as I understood, if a user logs out of the Alexa App, that auth_token gets invalidated on Amazon's side, BUT it does not get invalidated on my side, because of the missing notification, as far as I understood. So if a token was leaked, I'm not aware of it and can't delete it from the user account. Well, I can of course provide a token management page, like Google does, but a user must be more aware of it, and that can't be the user-friendly solution that is wanted long term.

Well, but of course, maybe I miss something; if so, please tell me!

Thank you all!

Michael

Tags: alexa skills kit, account linking
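
The "log-out intent" fallback mentioned in the question, as an added example (not part of the original thread and not Amazon's code): the skill revokes the access token in the developer's own token store, so it stops being accepted on the developer's side without any notification from Amazon. `TokenStore`, `handle_request` and the intent name `LogOutIntent` are hypothetical; the token is read from `context.System.user.accessToken` in the request envelope.

```python
import hashlib
import time

class TokenStore:
    """Hypothetical record of access tokens the developer's own server issued."""
    def __init__(self):
        self._tokens = {}  # sha256(token) -> {"user": ..., "revoked_at": ...}

    @staticmethod
    def _key(token):
        # Keep only a digest, so a dump of this table holds no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, token, user):
        self._tokens[self._key(token)] = {"user": user, "revoked_at": None}

    def is_valid(self, token):
        rec = self._tokens.get(self._key(token))
        return rec is not None and rec["revoked_at"] is None

    def revoke(self, token):
        rec = self._tokens.get(self._key(token))
        if rec is None or rec["revoked_at"] is not None:
            return False
        rec["revoked_at"] = time.time()  # kept for the audit trail
        return True

def _response(text, link_card=False):
    body = {"outputSpeech": {"type": "PlainText", "text": text}, "shouldEndSession": True}
    if link_card:
        body["card"] = {"type": "LinkAccount"}  # prompts re-linking in the Alexa app
    return {"version": "1.0", "response": body}

def handle_request(envelope, store, logout_intent="LogOutIntent"):
    """Handle one request envelope (dict parsed from the JSON Alexa sends)."""
    user = envelope.get("context", {}).get("System", {}).get("user", {})
    token = user.get("accessToken")
    if not token or not store.is_valid(token):
        # Missing, unknown or already revoked: refuse and ask to link again.
        return _response("Please link your account in the Alexa app.", True)
    req = envelope.get("request", {})
    if req.get("type") == "IntentRequest" and req.get("intent", {}).get("name") == logout_intent:
        store.revoke(token)
        return _response("You are logged out.", True)
    return _response("Welcome back.")
```

Every other API on the developer's side has to call `is_valid` before honouring a token, otherwise revoking it here changes nothing.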

Brian@Amazon answered

At present the user needs to disable and then re-enable the skill.

4 comments

Did anything change till now? Or is this still not possible?

This is still the case.

Hi Brian, I'm having this issue, but when I unlink the "Neato Robotics" skill and then add the skill back again, it automatically logs in to the old account. I need to log in to a different Neato account, but I can't do that because it appears it's caching the auth token.

Michael answered

Hi Brian,

Thank you for your quick answer. Can I get some notification that the skill was disabled?

If not, the token is still marked as valid in my domain.

In case you are in charge of the design, please consider my request for future improvements, since the usability w.r.t. security could be improved and security awareness raised, if some "symmetric" counterpart to a login procedure could be provided.

Best Regards

Michael

1 comment

This makes sense. We do delete the tokens from our db upon the user disabling the skill, but I see your point. This is something we've heard before, and we're always working to improve the developer experience.

Patrizia answered

Hi,
this post is now 1.5 years old. I also searched for a logout endpoint to invalidate an auth token, but could not find any information on this.
@Brian@Amazon Does this feature now exist?
Thanks in advance,
Patrizia

1 comment

Nope, it doesn't exist. The only way to invalidate the access token is to disable the skill. If you think this is an important feature, you can create it or find an existing one at uservoice alexa.
