As I've been implementing the account linking flow for a new skill, I've come to the realization that I don't actually [i]need[/i] any additional information from an Amazon user at this point in time, other than their Alexa user id. As a result, I can do account linking without actually displaying a landing page for them:
- Amazon redirects the user to my server for "account linking"
- I do account registration for the user and generate a token for the newly registered user
- I redirect back to Amazon's pitangui server with all of the necessary OAuth parameters.
I can get away with this at the moment because I'm only allowing registrations via Alexa, so I don't need to collect login credentials, and any other data we wanted to collect would not be PII and wouldn't ever be [i]strictly necessary[/i], so I'd rather just not have a registration/linking form at all. My question is about whether this is even allowed - is it going to violate some weird certification constraint that the Amazon team has that I'm not realizing?
I'm specifying the feature list for Starlanes 3.0. I already have a web app associated with it. But the way things are looking, I'm not even going to bother with account linking. In the game you pick your own three-letter callsign. Presently the web app is restricted to faction leaders, so I've just been assigning passwords. For 3.0 I think I'm going to open it up. But what I'll do is just randomly generate passwords, and let the user query it, or reset it, via the skill. I mean, if they are using the skill, they're clearly the right person. Sure, it would be nice if we could put up a link to the web site. I'd prefer that to any of this account linking complexity. As far as certification goes, it seems highly random anyway. You don't know what they're going to decide the color of the sky is, so you can't plan for it. Just do what makes sense and if they decide to be unreasonable, we start ranting in the forum again. It does seem to be the only thing that gets their attention. Someday they may work that out and change the process.
> As far as certification goes, it seems highly random anyway. You don't know what they're going to decide the color of the sky is, so you can't plan for it. Just do what makes sense and if they decide to be unreasonable, we start ranting in the forum again.
Well, the subtext for my question was "Hey DAs and certification team, let's [b]figure out[/b] the answer to this question [b]before[/b] I submit in a week or two".
> Well, the subtext for my question was "Hey DAs and certification team, let's [b]figure out[/b] the answer to this question [b]before[/b] I submit in a week or two".
Because that has worked before?
So, I might be missing something, but why are you even bothering with account linking at all? Can't you just grab the user id from the request and associate whatever info you want with that? That's certainly allowed. It's just a version of a "favorite color" skill.
Because we are going to let them do things outside of the Alexa flow that need to be secured, so we need to make sure that they are who they say they are. Otherwise if you figured out Jo's user id somehow, you could use that as a vector to take control of the other features that will eventually be tied to his account.
Actually, even if I told you my UserID, I think this would be hard to exploit. [b]IF[/b] you have all the normal checking on, you should not be accepting connections from anywhere other than the Alexa service with the right application ID. I'd have to have some sort of man-in-the-middle malware running on your hardware, or your router that was able to both intercept and crack the SSL. Unless you are dealing with extremely high value assets, that's a rather unlikely scenario.
A portion of "the normal checking" goes out the window when using the Lambda pass through, unfortunately. I suppose that a combination of the application id check + userId would be fairly secure, since in theory the application id is only passed between Amazon and my service. That said, I've already implemented the flow, and we may still decide to insert a landing page in the middle to optionally gather a bit of information.
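The application id + userId check discussed in the two posts above, sketched as an added example (not code from any poster in this thread). It assumes the standard Alexa request envelope fields `session.application.applicationId`, `session.user.userId` and `request.timestamp`; the skill ID, user ID and sample event are constructed placeholders, and the function name is hypothetical.

```python
import hmac
from datetime import datetime, timezone

# Constructed placeholder, not a real skill ID.
EXPECTED_APP_ID = "amzn1.echo-sdk-ams.app.EXAMPLE-0000"
# Amazon's documented tolerance for request timestamps.
MAX_SKEW_SECONDS = 150


class RejectedRequest(Exception):
    """Raised when an incoming envelope fails a check."""


def validate_envelope(event, now=None):
    """Return the userId if the envelope passes every check, else raise."""
    now = now or datetime.now(timezone.utc)
    try:
        app_id = event["session"]["application"]["applicationId"]
        user_id = event["session"]["user"]["userId"]
        # Timestamps are ISO 8601 in UTC, e.g. 2016-03-01T12:00:00Z.
        sent_at = datetime.strptime(
            event["request"]["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
    except (KeyError, TypeError, ValueError) as exc:
        # Missing or wrongly typed fields are rejected, never defaulted.
        raise RejectedRequest("malformed envelope") from exc

    # Reject requests meant for any other skill.
    if not isinstance(app_id, str) or not hmac.compare_digest(
        app_id.encode(), EXPECTED_APP_ID.encode()
    ):
        raise RejectedRequest("unexpected applicationId")
    # Reject replays of old envelopes and future-dated ones.
    if abs((now - sent_at).total_seconds()) > MAX_SKEW_SECONDS:
        raise RejectedRequest("stale or future-dated request")
    if not isinstance(user_id, str) or not user_id:
        raise RejectedRequest("missing userId")
    return user_id


# Constructed sample envelope, trimmed to the fields checked above.
SAMPLE_EVENT = {
    "session": {
        "application": {"applicationId": EXPECTED_APP_ID},
        "user": {"userId": "amzn1.account.EXAMPLEUSER"},
    },
    "request": {"type": "LaunchRequest", "timestamp": "2016-03-01T12:00:00Z"},
}
```

These checks only vouch for requests that arrive through the Alexa service; anything a user does outside the Alexa flow still needs its own authentication, which is the gap account linking is meant to cover.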
Hey Galactoise, I'm happy to help get this answered for you, but I think it may require more information on what data is being required for the linking process. If you'd like to keep the UX flow private, please feel free to open a contact us case directed at me so I can get this in front of the cert team for review. Otherwise, sharing any details on why users are filtering through an account linking service without a need to provide full auth versus just pairing UserIDs in a DB is appreciated! Apologies if you've already tried to explain this and it's not clicking fully for me yet -- I'll reread this some more as well.
https://developer.amazon.com/appsandservices/support/contact/contact-us
Thanks,
Justin