Bruce asked

Get id_token from alexa request when account link with cognito

I need ID_TOKEN to access the Cognito Identity pool to implement the "sync user dataset".

When I configured the Alexa smart skill and Cognito, I found that Alexa initiated the discovery request with just the access token. I consulted the engineers on the Cognito side, and their answer was that when the authorization request is filled in correctly, the server will return "accessToken and ID_TOKEN" (http://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html).

Then I built an "http proxy" with API Gateway between Alexa and the Cognito OAuth 2.0 server (https://developer.amazon.com/blogs/post/TxQN2C04S97C0J/how-to-set-up-amazon-api-gateway-as-a-proxy-to-debug-account-linking). From the information intercepted by this "proxy", Cognito does return the "id token" and "access token" (see http_proxy.png and alexa_token.png). The problem is that Alexa seems to have dropped the ID token. The following two attachments are information printed from CloudWatch.

Now the problem is: how can I get the ID_TOKEN from Alexa?

PS: It's strange that I cannot upload any picture...

Ok, fine... here is the "http_proxy.png"

(474bbe27-72b6-11e7-8c37-470a47616d7a) Endpoint request URI: https://bruceauth.auth.us-east-1.amazoncognito.com/token
(474bbe27-72b6-11e7-8c37-470a47616d7a) Endpoint request headers: {x-amzn-apigateway-api-id=9keqckz09c, CloudFront-Viewer-Country=US, CloudFront-Forwarded-Proto=https, CloudFront-Is-Tablet-Viewer=false, User-Agent=Apache-HttpClient/4.5.x (Java/1.8.0_131), CloudFront-Is-Mobile-Viewer=false, X-Forwarded-Proto=https, CloudFront-Is-SmartTV-Viewer=false, Host=bruceauth.auth.us-east-1.amazoncognito.com, Accept-Encoding=, X-Forwarded-Port=443, X-Amzn-Trace-Id=Root=1-5979c036-1e78f84f794df9e113a84e94, Via=1.1 73388dc3c76783aef93703e1dfb340e2.cloudfront.net (CloudFront), Authorization=********************************************************************************************************MxaTBm, X-Amz-Cf-Id=ucJTNSNhaS07jBMko2Y3ePp33ikO9OU9Gvr-qRV3BH8lpvUH2Fi1SQ==, X-Forwarded-For=72.21.217.133, 54.182.230.67, CloudFront-Is-Desktop-Viewer=true, Content-Type=application/x-www-form-urlencoded}
(474bbe27-72b6-11e7-8c37-470a47616d7a) Endpoint request body after transformations: grant_type=authorization_code&code=508138f6-5110-4479-a2b2-798bf3349c55&redirect_uri=https%3A%2F%2Fpitangui.amazon.com%2Fapi%2Fskill%2Flink%2FM2Y6X5G2WRK0AR&client_id=6raclfd4r92uj78m1hr8rfcrmv
(474bbe27-72b6-11e7-8c37-470a47616d7a) Endpoint response body before transformations: {"id_token":"eyJraWQiOiJZNTVTRUFmMUNDelZrV2tZWE1meGxObHV5aUxWZk95YzhyNHZZbnpwOFZNPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIzMTIzODg4ZS03NmRmLTQ4YjItODdlNC1kN2M5YjY1ZTMyYmEiLCJhdWQiOiI2cmFjbGZkNHI5MnVqNzhtMWhyOHJmY3JtdiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91c2UiOiJpZCIsImF1dGhfdGltZSI6MTUwMTE1MTI4NiwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tXC91cy1lYXN0LTFfUzVrYnd1U2tOIiwiY29nbml0bzp1c2VybmFtZSI6InJhaW55Y29kZUBob3RtYWlsLmNvbSIsImV4cCI6MTUwMTE1NDg4NiwiaWF0IjoxNTAxMTUxMjg2LCJlbWFpbCI6InJhaW55Y29kZUBob3RtYWlsLmNvbSJ9.A8x_4caJ1XRQotKzB_PmeLLYuuxGfkrE9m4XqZ_I0xVNzIkt-XuM9qoKMGgvdqOPehqtbYCHu_jfGcGYKUAocu6Fh1L9B4BP-DKs8JAuzl3Yse7lw8WQrBDBnIzQlY2MyO6S_revNwueBH7U1yg_Ds9niRVhjfBwHqJvv-e19MpCg2iXE1wurFsG6vhQWbpUnk2t72gheJ415l9bfMRRLTz18lRjlzJPk1jCiRU90zVWj566t2LeDOuclUBzYMxzI48PIVLZXdd3ovkZRZ0BblFnNhno2Y_ATlknQK94PCWAXhnCTGQxQcW6WwFjeYD2HV1ijwda2eaTjs6tSP7cRw","access_token":"eyJraWQiOiI5ZE9NUmRXdG1lQ25vcGZIdkZ6NmtJRHdrSVRkRlRzZEErSWtZYnRBQlNRPSIsImF [TRUNCATED]
newuser-88d04704-63d8-4213-b329-46603cc8a4de answered

+1

Please help.

Brian@Amazon answered

Right now the Alexa account linking system doesn't pass through fields that are not described in this flow: https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/linking-an-alexa-user-with-a-user-in-your-system#how-end-users-set-up-account-linking-for-a-skill

Some users have worked around this by setting up API gateways or wrappers for account linking solutions, although I do understand that may not be desirable for your use case.

2 comments

I have read the manual; there should be no way to get the ID_token. Can you give me some reference that uses API Gateway to implement account linking to get the id_token? I did not find it. Thank you.


@Brian@Amazon can you elaborate more on how to place API Gateway between the two systems? Our project is stuck due to similar issues.

newuser-21b93a8d-a1a5-4bab-a0db-cfea13bedbca answered

+1. This is a blocker if you already have users in an Identity Pool. How can we receive the Identity token in our custom Lambda skill?

newuser-40bdaa1b-77dc-4ac8-90f6-c6e48dbcab5f answered

+1. My Alexa skill needs to call the API Gateway. Both are authenticated with Cognito. The API Gateway Cognito authorizer expects the id_token in the Authentication header. Alexa will only remember the access_token after the account link. All AWS-native services, and yet they don't "just work". I guess I will be using Cognito APIs to request the id_token given a valid access_token before I can call the API Gateway from the Alexa Lambda. Another alternative is to use the custom authorizer on the API Gateway, but I would rather not handle token validation myself.

newuser-f51555c4-8fc0-4501-88a2-c1f0e9b4be6f answered

This is still happening in Feb 2020. Can't find a proper way around it. Has anyone found one?


Thanks in advance!

newuser-f51555c4-8fc0-4501-88a2-c1f0e9b4be6f answered

OK, as I couldn't find a way to get this working after several days of trying, I just changed my perspective on the problem and made API Gateway accept the `access_token` that Alexa sends to authenticate my requests. In each endpoint's method, add all the OAuth Authorizers configured in its corresponding App Client's configuration in Cognito.


I hope this helps.
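
An added example (not part of the original post, and not AWS or Alexa code): the claim checks a backend would apply to the `access_token` that Alexa forwards, showing why a check written for one Cognito token type rejects the other. It assumes the token's signature has already been verified against the user pool's JWKS; the issuer, client ID, scope and both sample tokens are constructed placeholders.

```python
import base64
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for this demo only."""
    header = {"alg": "RS256", "kid": "constructed-key-id"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"not-a-real-signature")])

def decode_claims(token: str) -> dict:
    """Decode the payload segment. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def access_token_problems(claims, issuer, client_id, scope, now=None):
    """List the reasons a signature-verified token is not an acceptable access token."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("wrong issuer")
    if claims.get("token_use") != "access":  # Cognito ID tokens carry token_use "id"
        problems.append("token_use is %r, expected 'access'" % claims.get("token_use"))
    if claims.get("client_id") != client_id:  # ID tokens carry "aud" instead
        problems.append("client_id mismatch")
    if scope not in claims.get("scope", "").split():
        problems.append("missing scope " + scope)
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    return problems

# Constructed placeholder values, not taken from the thread.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT = "exampleclientid"
NOW = 1_700_000_000
SAMPLE_ACCESS = make_sample_token({
    "iss": ISSUER, "token_use": "access", "client_id": CLIENT,
    "scope": "openid example/read", "exp": NOW + 3600})
SAMPLE_ID = make_sample_token({
    "iss": ISSUER, "token_use": "id", "aud": CLIENT, "exp": NOW + 3600})
```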
