tkw722 asked

"Invalid Grant Parameter: redirect_uri" on Device Authenticating For AVS

Hi All,

I originally posted this in the Amazon Login forum, but it's awfully quiet there. So I figured I would repost here since hopefully this has been dealt with already by folks here.

I am writing a Swift iOS app that acts as the companion app to a device that will be interacting with the Alexa Voice Service. I believe I have the iOS side correctly authenticating and retrieving a valid authorization code. The app passes the authorization code to the device and then the device makes a REST call to the OAuth endpoint to trade it for the access token. This is where I'm running into a problem. When making a call to the OAuth endpoint, I get the response:

    { error_description : The request has an invalid grant parameter : redirect_uri, error : invalid_grant }

I have followed the instructions defined in "https://developer.amazon.com/public/solutions/alexa/alexa-voice-service/docs/authorizing-your-alexa-enabled-product-from-an-android-or-ios-mobile-app" and it states to retrieve the redirect_uri by calling [AIMobileLib getRedirectUri]. Based on what I've read elsewhere it seems that the redirect_uri should match the original one used to retrieve the authorization code. It's my assumption that [AIMobileLib getRedirectUri] returns that. Regardless, in the situation where a separate device is trading the auth code for the access token, a redirect_uri doesn't seem to make sense.

Has anyone else run into this? What's the correct content to submit for this field when a separate device is being authenticated? Any help would be greatly appreciated!

Thanks,
Tim
alexa voice service

elstryan@Amazon answered
Hi Tim,

Thanks for your interest in AVS. We have recently released a sample iOS app that acts as a companion app. It's available here: https://developer.amazon.com/public/solutions/alexa/alexa-voice-service/docs/reference-implementation-guide#Obtaining%20the%20Sample%20App%20Code%20and%20Dependencies. Download the zip and open the iOS sample. I think this might be helpful for you.

Yes, you must use the redirect_uri that is returned by the SDK via [AIMobileLib getRedirectUri]. It should be something like amzn-"YOUR BUNDLE ID"://?methodName=signin. You must transmit this to the device from your mobile app and we use this as part of the handshaking to make sure the physical AVS device securely fetches down an access token.

tkw722 answered
Thank you for the reply! I have downloaded the app and I ended up using it as my guide to implementing my iOS app. I am indeed using the [AIMobileLib getRedirectUri] call and it executes successfully, returning the correct value you described. I do also see that value being passed correctly to my device from the companion app and subsequently being sent correctly to the call to retrieve the access token. Unfortunately, I still run into the same error: invalid grant parameter: redirect_uri.

elstryan@Amazon answered
Hi Tim,

I'm glad that you're finding the sample app useful! Can you please provide a sample of the request that you are making that is failing? The only other thing that I can think of that would be helpful to check: please confirm that you are using [AIMobileLib getClientId] to get the clientId that you use to swap the authorization code for an access token.

While I await your reply, another useful source of reference would be the javaclient in that same zip. You can look at this class: src/com/amazon/alexa/avs/auth/companionapp/OAuth2ClientForPkce.java, which is the "device" to our iOS app. There you can see the LWA requests that we're making to exchange our auth code for an access token.

thehocoproject answered
Hi - I am facing exactly the same issue. I am using the following code:

    let data: [String:String] = [
        "grant_type": "authorization_code",
        "code": authCode, // received from AIMobile.authorizeUserForScope
        "redirect_uri": AIMobileLib.getRedirectUri(),
        "client_id": AIMobileLib.getClientId(),
        "client_secret": "MY CLIENT SECRET"
    ]

Note 1: the getClientId returns the wrong client ID for me too. I also had to hardcode the ID found on the AVS / Register device portal to get to the "Invalid Grant Parameter: redirect_uri" error.

Note 2: I know I am using a convoluted way of getting a token since my device is effectively my iPhone, but the suggestion to use just "kAIOptionScopeData : scopeData" without "kAIOptionReturnAuthCode: true... etc." does not return anything.

tkw722 answered
Hi,

Thank you for the reply! I was originally using the getClientId on the iOS app to trade for the access token. One question I have though is which client_id I should use, the one for the device, or for the iOS companion app? I currently have it hard coded for the client_id of the device. Here is the post data for my access token request:

    {
      "client_id":"DEVICE CLIENT ID",
      "code":"GENERATED CODE FROM IOS APP",
      "grant_type":"authorization_code",
      "redirect_uri":"com.MyCompany.MyProduct://?methodName=signin",
      "client_secret":"DEVICE CLIENT SECRET"
    }

If I did end up using the iOS app's client ID, wouldn't that be an issue with it mismatching the client_secret? Or should I be using a client secret that is generated for the iOS app? (which if so, I'm not sure where to find)

tkw722 answered
Also, when I do set it to the client_id returned from getClientId I get the response of: { error_description : Not authorized for requested operation, error : unauthorized_client }

elstryan@Amazon answered
Hi Folks,

Regarding which client id to use: you MUST use the client returned from [AIMobileLib getClientId] both for getting the access token on your iOS device and also for your post request on your physical AVS device for exchanging authorization code for an access token. If you are performing authentication in an iOS app please ignore the clientId that you see on the AVS/Register device portal and only use the value from the LoginWithAmazon SDK.

Those post requests look incorrect. You do not need to include the client secret. This page (https://developer.amazon.com/public/solutions/alexa/alexa-voice-service/docs/authorizing-your-alexa-enabled-product-from-an-android-or-ios-mobile-app) has a good example and documents the kind of post request that you must make to get an access token (especially sub step 7 under the iOS section).

For convenience here is a curl request that you can use to get the access token if you replace the required values:

    curl -k -X POST -H 'Content-Type: application/json' \
      -d '{"grant_type": "authorization_code", "code": "INSERT AUTHORIZATION CODE HERE", "redirect_uri": "INSERT REDIRECT URI HERE FETCHED FROM [AIMobileLib getRedirectUri]", "client_id": "INSERT CLIENT ID HERE FETCHED FROM [AIMobileLib getClientId]", "code_verifier": "INSERT CODE VERIFIER HERE"}' \
      'https://api.amazon.com/auth/O2/token'

Please also note that the authorization code is only good for 5 minutes and can only be used once, so please make sure that you're performing the POST within 5 mins of getting your authorization code.

Thanks,
Ryan V

tkw722 answered
Hi Ryan,

Thank you for your continued help. I've updated my request and am still running into an error. Here's the post data for my request:

    {
      "code":"AUTH CODE",
      "client_id":"IOS CLIENT ID",
      "grant_type":"authorization_code",
      "redirect_uri":"amzn-com.MyCompany.MyProduct://?methodName=signin",
      "code_verifier":"CODE VERIFIER"
    }

I receive the following response:

    { error_description : Not authorized for requested operation, error : unauthorized_client }

Prior to running the test, I removed my "Login With Amazon" record from my account to guarantee I would receive an entirely new auth code.

elstryan@Amazon answered
Can you check that the code challenge does not have any "=", "+", or "/" characters in it? You can log out the string and code challenge and check this. We explain here why this is necessary for proof key exchange (https://developer.amazon.com/public/solutions/alexa/alexa-voice-service/docs/authorizing-your-alexa-enabled-product-from-an-android-or-ios-mobile-app).
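
The code-challenge check from the answer above and the secret-free token request from the earlier curl answer, as an added example that is not part of the original thread or of Amazon's sample code. It assumes the S256 challenge method of RFC 7636; the function names are hypothetical and any values passed in are placeholders.

```python
import base64
import hashlib
import json
import re
import secrets

# RFC 7636: a verifier is 43-128 unreserved characters; an S256 challenge is
# the unpadded base64url form of a 32-byte digest, always 43 characters.
VERIFIER_RE = re.compile(r"[A-Za-z0-9._~-]{43,128}")
CHALLENGE_RE = re.compile(r"[A-Za-z0-9_-]{43}")


def b64url(raw: bytes) -> str:
    """Base64url without padding, so '+', '/' and '=' never appear."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Hypothetical helper: 32 random bytes give a 43-character verifier."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 challenge (assumed method): BASE64URL(SHA256(verifier))."""
    if not VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier has an illegal character or length")
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def challenge_problems(challenge: str) -> list:
    """List the reasons a challenge is malformed; empty means well-formed."""
    problems = [f"contains {c!r}" for c in "=+/" if c in challenge]
    if not problems and not CHALLENGE_RE.fullmatch(challenge):
        problems.append("not a 43-character base64url string")
    return problems


def token_request_body(code, redirect_uri, client_id, verifier) -> str:
    """JSON body with the same fields as the curl request; no client_secret."""
    return json.dumps({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    })
```

Running `challenge_problems` on a challenge produced with ordinary base64 instead of base64url reports the "=" and "+" characters the answer asks about.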

tkw722 answered
Running my parameters as specified through your curl yields the same result: {"error_description":"Not authorized for requested operation","error":"unauthorized_client"}