question

John Schettino asked

Authenticated User Data?

This is a post branch from the local access topic.

How do we get authenticated user data (potentially sensitive) into our apps, for the current user? Assume we have a way of storing it (using whatever means - we host our own service, or use a supported store with a Lambda function) - we can persist data for each unique UserID we see, but there isn't a way to find a UserID given, say, the User's Echo account? Or is there? Could we have a web presence where the user authenticates with Amazon (oauth?) and that gives us a grant to look up their "echo app" user id? Is this making any sense?

alexa skills kit, debugging

Anil answered
Hi John,

It sounds like you're trying to figure out how to link a user who's using both an Alexa voice app and a web app/site. Is that right? One option would be to provide new users with a verification code in the Alexa app. They would use this code when accessing the web site, which would link the two accounts together. Just a thought, it works for me.

Cheers, Anil

John Schettino answered
> One option would be to provide new users with a verification code in the Alexa app. They would use this code when accessing the web site, which would link the two accounts together.

Yep, that would work. It would show up in their feed/card view as well - could include a URL. Still kinda icky, but it would work. So the flow for stuff like Home Automation where the user has to do an oauth interaction is

* I write app, Amazon approves it.
* user discovers app :) and installs it
* user executes app
* app determines this userid is "new" - or if not new, until the user does the config, unconfigured
* "Please visit and use code XYZZY to configure access to your whatzit devices! - you can open the Echo app on your phone and click the link in the card for this message."
* once user has done that, when they launch the app, it looks them up and finds the REST endpoint, or whatever other additional info was needed from the user, and proceeds to work as expected.

Seems plausible.

Jay Martin answered
I'm not really following the logic here: somehow, my web service (app) needs to know the user id that will be passed through from Alexa so that I can do the right thing based on that ID. How does providing some random code accomplish that? Maybe I just don't understand the process well enough because I don't have an Echo nor the Echo app. Can someone walk me through the steps in a bit more detail?

Greg Laabs answered
There are two answers here:

1. A UserID is sent with every Alexa request, so you CAN uniquely identify each user.
2. The ability to link a user's account is not currently supported.

There are tons of hacky ways you could do this of course, but there's no official support yet. This is very likely (just my opinion) to be added in the future, as it is necessary even for ASK services they have advertised in their recent email.

John Schettino answered
> I'm not really following the logic here: somehow, my web service (app) needs to know the user id that will be passed through from Alexa so that I can do the right thing based on that ID. How does providing some random code accomplish that? Maybe I just don't understand the process well enough because I don't have an Echo nor the Echo app. Can someone walk me through the steps in a bit more detail?

I think the idea is you get a unique user id (which is always the same for the same user) for a session. Assuming you have a data store somewhere where you keep records such as

    {userid, key, {metadata your app needs for this user}}

the ASK app (gag) logic for each intent handler is something like

    metadata = finduser(userid);
    if (metadata == null) {
        key = getkey(userid);
        response = "Hi new user! Please visit http://mycoolsite.com and register with the key: " + key;
        // end session with that response
    } else {
        // use the metadata for the user!
    }

so... pretty much for each intent you validate the userid/look up metadata and barf the register message until the user does it on your coolsite - which is a web front end to whatever repository keeps that database of user records.

Messy.

N. Fradkin answered
> I'm not really following the logic here: somehow, my web service (app) needs to know the user id that will be passed through from Alexa so that I can do the right thing based on that ID. How does providing some random code accomplish that? Maybe I just don't understand the process well enough because I don't have an Echo nor the Echo app. Can someone walk me through the steps in a bit more detail?

The random code is just a method of authentication used to authenticate when registering the Alexa with whatever sort of user account you have on your app.

Let's say for example I've got an online app where users log in and there is some data associated with each user. The user data is going to be needed to handle requests from Alexa. Obviously having Alexa prompt you for a username and password for each request would be terrible. So you'd want to be able to authenticate once and have your app then store the generated user ID so that for future requests the app can know which user it is by that associated ID. That means then we need to implement some kind of one time registration that involves some sort of authentication. That's where this random code comes in.

An example of this process might be, you go to the website the app connects to and log in normally. Somewhere in the site's menu there is a "register an Echo" button. Clicking that generates a temporary one time code which is displayed to you along with instructions like "say to your Alexa 'tell myApp to register'". That request goes to the code that handles Alexa requests on the website, it looks up in its database the passed in userID and sees that it doesn't exist yet so it then prompts the user "please say the code you received from the website". You speak back the code.

Now the website processes the request with the code, looks up the code in its database, gets the user account that generated the code, and associates the account with the user ID (perhaps after one more prompt asking something like "Please confirm that you are [name from account]"). A simple one time registration, and you don't even need to speak your login credentials to Alexa.
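
The one-time registration described in the answers above (the `finduser` lookup in each intent handler and the website-issued code that is spoken back to Alexa), as an added example that is not code from any poster or from Amazon. `PairingStore`, its method names, the 6-digit format, the 10-minute lifetime and the five-attempt limit are assumptions for illustration, and the in-memory maps stand in for a real database.

```javascript
// Added example: one-time pairing codes that bind an Alexa userId to a web account.
const { randomInt } = require('crypto');

const CODE_TTL_MS = 10 * 60 * 1000; // assumed policy: a code is valid for 10 minutes
const MAX_ATTEMPTS = 5;             // assumed policy: wrong codes allowed per Alexa userId

class PairingStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.pending = new Map();  // code -> { accountId, expires }
    this.links = new Map();    // alexaUserId -> accountId
    this.failures = new Map(); // alexaUserId -> wrong-code count
  }

  // Web side: call only from a logged-in session ("register an Echo" button).
  issueCode(accountId) {
    for (const [code, entry] of this.pending) {
      if (entry.accountId === accountId) this.pending.delete(code); // one live code per account
    }
    let code;
    do {
      code = String(randomInt(0, 1000000)).padStart(6, '0'); // CSPRNG, not Math.random
    } while (this.pending.has(code));
    this.pending.set(code, { accountId, expires: this.now() + CODE_TTL_MS });
    return code;
  }

  // Skill side: userId from the Alexa request plus the code the user spoke.
  redeem(alexaUserId, spokenCode) {
    const failed = this.failures.get(alexaUserId) || 0;
    if (failed >= MAX_ATTEMPTS) return { ok: false, reason: 'locked' };
    const code = String(spokenCode).replace(/\D/g, '');
    const entry = this.pending.get(code);
    this.pending.delete(code); // single use, also clears expired codes
    if (!entry || entry.expires < this.now()) {
      this.failures.set(alexaUserId, failed + 1);
      return { ok: false, reason: 'invalid' };
    }
    this.links.set(alexaUserId, entry.accountId);
    this.failures.delete(alexaUserId);
    return { ok: true, accountId: entry.accountId };
  }

  // Every intent handler starts with this lookup; null means "not registered yet".
  findUser(alexaUserId) {
    return this.links.get(alexaUserId) || null;
  }
}
```

In a skill, a `null` from `findUser` is the cue to prompt for the code, and the confirmation prompt suggested in the post would sit between a successful code lookup and the write to `links`.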

Matt Kruse answered
> you don't even need to speak your login credentials to Alexa

In fact, it's against Amazon's rules to even ask for private information through voice prompts. Your only option is to use a web site and link the requests together.

Kevin Devine answered
Can't we use the Echo App (echo.amazon.com) to provide this information? I am trying to figure out how to make a skill that connects to an OAuth2 web service (like Toodledo or Wunderlist). Could I create something that puts this in the Echo App somehow (like a username or some token that is then looked up on the local DB (whatever it is called) on Amazon Lambda)?

The Stig answered
Yep. Amazon won't approve your app if they see this in the code.