question

Lawrence Krubner avatar image
Lawrence Krubner asked

When doing Account Linking, and redirecting to Amazon, do I use a 303 code?

We are trying to finish our submission for our Alexa skill. Right now I am working on Account Linking. If I look here: https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/linking-an-alexa-user-with-a-user-in-your-system I see some fairly good information: "Your service redirects the user to an Amazon-specific URL and passes along the state, access_token, and token_type in the URL fragment." ... state is used internally by the Alexa service to track the account linking process. Your page must pass this value back (unchanged) when calling the redirect URL. This value expires after five minutes. If it takes more than five minutes for the user to log in and for your service to redirect the user, the state becomes invalid and the account linking process fails. In this case, the user must start over by clicking the link in the Alexa app. ... For example, the redirect URL might look like this: https://pitangui.amazon.com/spa/skill/account-linking-status.html?vendorId=AAAAAAAAAAAAAA#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA&token_type=Bearer ... "Enabling account linking displays your Redirect URL. This is the URL to which your login page must redirect the user after they are authenticated. Pass along the state, access_token, and token_type values in the URL fragment." ------------------ ------------------ However, I can not find any details about the redirect itself. Am I sending a 303 HTTP status code? What is Amazon expecting?
alexa skills kitsubmission testing certification
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Steve A avatar image
Steve A answered
Lawrence, I don't think Amazon is expecting any particular status code. (I don't think I set one, come to think of it.) They are expecting your program to send a request of just the form you highlighted above. You'll have generated and stored an access token for the user, and plugged that in the access_token parameter in the URL (along with the state parameter which you receive from then when the user links their account.) Perhaps I missing your question, here...but that's all you have to do. You seem like you're on the track! Steve
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Lawrence Krubner avatar image
Lawrence Krubner answered
@Steven Arkonovich -- "They are expecting your program to send a request of just the form you highlighted above" Thank you for the reply. So, this is a POST request? As if I am submitting a form? I never would have guessed that from the phrase "redirect URL". By the way, about this here: https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/linking-an-alexa-user-with-a-user-in-your-system "It must keep track of the state value passed in the query string." What is the "state"? Why do I need to track it? My scenario involves: 1.) user types username and password into a form 2.) I generate an access token for this user and then use the "redirect URL" I don't see what "state" I would be tracking, since the access_token is a separate item. My register form is here: https://alexa.salesvoiceapp.com/register I don't yet have it working, obviously.
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Steve A avatar image
Steve A answered
Lawrence, You're almost there. When the user enables the skill with account linking, they are taken to your account linking page -- the one where, in your case, they are entering their username and password. Amazon will pass a "state" parameter in the URI when it directs them to your account linking page. You have to keep track of that, and pass it along unmodified, in the redirect URL. So, a typical flow goes like this: 1. User enables skill. 2. User is taken to your account linking page. In the URI taking them there will be a state parameter. So, in your case the URI would be something like https://alexa.salesvoiceapp.com/register?client_id=xxxxxx&state=xyz etc. 3. User submits the form with whatever information you need from them. 4. On your end you grab the state parameter (and do whatever you're going to do with the username and password) and generate/store an access_token for the user. You'll need to verify future requests from the user by making sure the access token present in those future requests matches the one you have stored. 5. Finally, you redirect to your Redirect URL, including (among other things) the state parameter and the access token. That's the example they gave: https://pitangui.amazon.com/spa/skill/account-linking-status.html? vendorId=AAAAAAAAAAAAAA#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA&token_type=Bearer You need to track the state to guarantee that the request you're sending to the redirect url originally came from Amazon before Amazon will store the access token you generated. Steve
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Lawrence Krubner avatar image
Lawrence Krubner answered
@Steven Arkonovich -- again, thank you much. Regarding the Redirect URL, I'm still wondering if this is a POST or a GET? And what HTTP status code am I suppose to send? 200 or 303?
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Steve A avatar image
Steve A answered
I believe 303. (But if that doesn't work, try something else!) Steve
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Lawrence Krubner avatar image
Lawrence Krubner answered
Hmmm, Okay. So I tried a GET to the Redirect URL, and I got: "\n\n\n\n\n \n \n \n \n \n\n\n\n \n \n\n\n \n\n \n\n\n\n\n\n \n\n\n \n\n\n\n\n\n \n\n\n \n \n\n \n \n \n\n\n\n\n\n \n\n\n \n \n\n \n\n \n\n\n\n\n \n\n \n\n \n\n \n\n
\n \n
\n\n
\n\n
\n \n \n
\n\n
\n
\n
\n\n\n\n\n\n\n
\n \n \n \n \"Amazon.com\n \n \n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n\n\n\n\n\n
\n \n \n \n \"Amazon.com\n \n \n
\n
\n\n
\n\n\n\n \n\n \n\n \n\n \n
\n\n \n \n\n \n \n
\n \t\n\t\n
\n\n
\n\n\n\n\n\n\n\n\t\n\t\n\t\n\n\t\n\t\n\t\t
\n\t\t \n\t\t Please Enable Cookies to Continue\n\t\t

\n\t\t\t\tTo continue shopping at Amazon.com, please enable cookies in your Web browser.\n\t\t\t

\n\t\t\t

\n\t\t\t\t\n\t\t\t\t\tLearn more\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t \tabout cookies and how to enable them.\n\t\t

\n\t\t
\n\t\t \t\t\t\t\t\t\t\n\t\n\n
\n \n
\n\n\n\n \n\n \n\n \n\n \n
\n\n \n \n\n \n \n
\n Sign in with your Amazon.com account.\n
\n \n
\n \t\n\t\n
\n \n \n \n \n \n \n \n \n \n
\n\n\n\n\n\n\n\n \n\n\n\n\n\n\n\n\n \n\n \n\n \n\n \n\n \n\n \n \n \n \n \n \n \n\n \n \n\n\n\n\n\n\t \n\t\t \n\t \n\t\t \n\t \n\t\t \n\t \n\t\t \n\t \n\t\t \n\t \n\t\t \n\t \n\t\t \n\t \n\t\t \n\t \n\t\t \n\t\n\n\n\n\n
\n\n \n
\n

Sign In

\n
\n\n \n\n \n
\n

\n \n \n What is your e-mail or mobile number?\n \n \n \n

\n
\n\n \n \n \n
\n \n \n \n \n \n \n \n \n E-mail or mobile number:\n \n \n \n \n \n \n \n \n \n \n \n \n
\n \n
\n \n
\n\n \n \n \n\n \n
\n

Do you have an Amazon.com password?

\n
\n\n \n
\n \n \n \n \n I am a new customer.\n
(you'll create a password later)
\n \n
\n\n \n
\n \n \n \n I am a returning customer,
and my password is:\n
\n\n \n\n \n
\n  \n \n \n \n \n \n \n \n \n \n \n\n\n
\n \n Caps Lock is on. This may cause you
to enter your password incorrectly.
\n
\n\n \n
\n \n \n
\n \n \n \n \n Forgot password?\n \n
\n \n \n\n \n
\n  \n \n \n \n Keep me signed in. \n \n \n \n \n \n Details\n \n \n \n \n \n \n
\n \n\n \n \n \n \n
\n  \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
\n \n \n \n \n
\n
\n \n \n \n \n \n \n \n
\n  \n \n \n \n \n \n Forgot password?\n \n \n \n \n
\n\n \n\n \n \n
\n \n \n \n  \n \n New to Amazon? Create an account\n \n \n \n
\n \n\n \n\n
\n \n\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n\n\n
\n
\n\n\n\n
\n

\n By logging in you accept the terms & conditions for this product.\n \n \n
\n © 1996-2015, Amazon.com, Inc. or its affiliates\n

\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n \n
\n\n
\n \n \n
\n\n\n\n \n\n\n
\n\n
\n\n\n\n\n \n \n\n\n\n
\n
\n\n\n\n\n \n \n\n\n\n
\n
\n
\n
\n\n
\n\n\n\n\n \n \n\n\n\n
\n
\n
\n\n
\n\n\n\n\n \n \n
\n\n
\n
\n
\n\n
\n \n\n\n\n"
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Steve A avatar image
Steve A answered
Looking at my logs, I send a POST request with a 302 code to the redirect URL. Don't know of that's any help. Seems like 303 should also work... Steve
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Lawrence Krubner avatar image
Lawrence Krubner answered
I get the same error when I try a 303 redirect. I'll try POST. If anyone has any example code, I would love to see it.
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Lawrence Krubner avatar image
Lawrence Krubner answered
@Steven Arkonovich -- " I send a POST request with a 302 code to the redirect URL." Thank you for that.
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Lawrence Krubner avatar image
Lawrence Krubner answered
If I switch to using POST, I get a response that looks a bit like this: :request-time 44, :status 302, :headers {"Date" "Wed, 16 Dec 2015 23:10:31 GMT", "Content-Length" "20", "Access-Control-Expose-Headers" "Location", "Location" " https://www.amazon.com/ap/signin?showRmrMe=1&openid.return_to=https%3A%2F%2Fpitangui.amazon.com%2Fspa%2Fskill%2Faccount-linking-status.html%3FvendorId%3DM1BV122Z&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=amzn_dp_project_dee&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&;", "x-amzn-RequestId" "34e6bd14-a4a-11e5-a5e6-91a197eb"}, I changed a few numbers for security reasons, but you get the idea. I am not getting anything that makes me think the Account Linking was successful.
10 |5000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.