question

I am reading here: http://blog.enree.co/2015/12/salesforce-amazon-echo-integrate-alexa.html and I read: "unfortunately when linking accounts Amazon's Alexa Skills page doesn't sends to the login page the redirect_uri parameter that is mandatory for successfull Salesforce OAuth process completion." Uh, what? Why?

Have I completely misunderstood Account Linking? If the flow went: 1.) user enables my skill 2.) Amazon's Alexa app takes them to login.salesforce.com 3.) user logs into SalesForce 4.) SalesForce redirects them to Amazon Then how I would get the SalesForce Oauth token that I need to make further queries against SalesForce? Does Amazon send all that info to me?

I tried to change my Oauth flow so that user's go straight to SalesForce. I logged into the Amazon Developer portal and I updated the Authorization URL so that it points here: https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=3MVG9uudbyLbNPZNnGOL26NHJACYEWqeB_IMxBQ&redirect_uri=https%3A%2F%2Fpitangui.amazon.com%2Fspa%2Fskill%2Faccount-linking-status.html%3FvendorId=M241O7F Now when I take my iPhone and open the Alexa app and try to enable my skill, I get this error: error=invalid_client_id&error_description=client%20identifier%20invalid However, I have triple checked the client_id, and I know it is correct. So I wonder, would Amazon strip it off before going to SalesForce? (Note: the client_id is obfuscated here, but the one in real use is something I have checked several times.)

So, I think I forgot to properly URL-Encode the "?". So I fixed that. And now I can copy and paste the URL to my browser, which gets me redirected to here: https://pitangui.amazon.com/spa/skill/account-linking-status.html?success=false if I am already logged into SalesForce. But in the Alexa app I continue to get the same error as before. I wonder if the error is cached?

Okay, logged out of SalesForce. Again, copy-and-pasting the login.salesforce.com URL, I was able to get things to work in the web browser, but not in the Alexa app.

@NickG -- At a very high level, could you summarize what the Oauth flow should look like? I have tried these various patterns: 1.) My Alexa skill Authorization URL points to my server 2.) I redirect to SalesForce 3.) After auth, SalesForce redirects back to my server 4.) I redirect to the URL that Amazon gives me as the redirect URL for my skill That didn't work so I tried: 1.) My Alexa skill Authorization URL points to SalesForce 2.) After auth, SalesForce redirects back to my server 3.) I redirect to the URL that Amazon gives me as the redirect URL for my skill That didn't work, so finally I tried: 1.) My Alexa skill Authorization URL points to SalesForce.com 2.) After auth, SalesForce redirects back to the URL that Amazon gives me as the redirect URL for my skill This last one was a mystery to me, as I was not clear how I could harvest the Oauth tokens that SalesForce might send me. I thought maybe Amazon would just forward to me any parameters it picked up from SalesForce. At a very high level, which of these patterns is suppose to work? At what point am I suppose to get the Oauth tokens from SalesForce? If I am not allowed to send them the redirect_uri for my server, I have no way for them to send me Oauth tokens. But I take it, from what you've written, I am not suppose to redirect a user back to Amazon after they authenticate at SalesForce.com. about this: "Thus, what you'd want to do is a proxy page in a sense, as the later link you posted described. That way, Amazon is not holding the actual access token which would give someone access to the third party service." Does the proxy page have to be on SalesForce.com? Is there any way I can build the proxy page on my own server at SalesVoiceApp.com? If Amazon insists that I have to build the proxy page on SalesForce.com, I will do it, but that means working with Apex, which is a technology that I know nothing about. In other words, that would be a tremendous hassle. It would be easier if I can build the proxy page on my own server, using technology of my own choosing. But I can not figure out an Oauth flow that allows me to do this. Based on all that has been said so far, I'm guessing I'll have to build this proxy page on SalesForce.com. But that means I'll have to learn a new technology, and so I don't want to dive into that work until I've been told that I truly have no other options.

NickG@Amazon -- Any follow up on this?

At a very high level, your first design pattern is essentially correct, and is generally what we suggest developers use when linking to third party OAuth providers. Is this the flow that causes the 404 error on redirecting back to Amazon?

NickG@Amazon -- "Is this the flow that causes the 404 error on redirecting back to Amazon?" Yes, when I follow that pattern, then in the Alexa app I see: Not Found The requested URL /&redirect_uri= https://alexa.salesvoiceapp.com/auth-callback was not found on this server And here: http://blog.enree.co/2015/12/salesforce-amazon-echo-integrate-alexa.html I read: "unfortunately when linking accounts Amazon's Alexa Skills page doesn't sends to the login page the redirect_uri parameter that is mandatory for successfull Salesforce OAuth process completion." and then in response to this you wrote: "I'm looking into this as a result of this and another thread on the forums. I've been able to reproduce the behavior, but I'm looking into it to see if it is the intended behavior or not. " So I'm wondering if you have any follow-up on that? Is this intended behavior or not?