5 votes

I was successfully able to link my Alexa app (client) to our company's OpenID Connect platform (authorization server).

Our authorization server returns the following information to the Alexa client:

{
 "access_token":"eyAi",
 "refresh_token":"kfQ",
 "scope":"openid profile", 
 "id_token":"eyA",
 "token_type":"Bearer",
 "expires_in":3598
}

The Alexa client successfully receives this information and, when invoking skills, passes the "access_token" on to our code.

So in summary, the two systems are linked and Alexa is sending us the access_token. So far so good.

HOWEVER, the issue is that our platform requires "id_token" and not "access_token". So I want Alexa to send us the id_token.

I fail to find any documentation on how to achieve this. Please help.

Here is a link to account linking under Alexa


3 Answers

2 votes

True as of Jan 2020 as well. It is contrary to popular convention, wherein the accessToken is passed in requests for authorization (OAuth) and the ID token is used for identity authentication (OpenID).

On logging in through a Cognito User Pool, we are assigned an ID token, an access token, and a refresh token. The ID token is used to communicate with STS and Cognito Federated Identities. The API Gateway authorizer checks only for an ID token and will deem the request unauthorized if an accessToken is sent instead of an ID token. AWS explains the data flow between Cognito and Federated Identities in this video: https://youtu.be/VZqG7HjT2AQ?t=528

When linking Alexa with Cognito, once the user logs in to the Alexa skill, Alexa records the accessToken from among the other tokens and sends it to Cognito in the subsequent requests.

With no ID token in these requests, they fail with an HTTP 401. This is a discord between Amazon's services, and I hope they develop a workaround for it.

One way around it is to use a custom authorizer lambda and write your own logic.

A better way is using a resource server to add some custom OAuth scopes to your user pool. Then add OAuth scopes to your API Gateway resources page.

The API Gateway will check the accessToken and allow the requests with the OAuth Scopes defined in the API Gateway resource.

0 votes

I faced this issue myself while linking the Alexa account with a Cognito user pool. Previously I was using the default Cognito user pool authorizer for authorizing the API Gateways. I instead changed that into a custom authorizer. You can read about it here: https://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/.

Also, we were using the ID token to get the user information; instead we are now using the GetUser API to get the user information from the access token. You can see the documentation here: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html .
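The first two answers both point at a custom (Lambda) authorizer that accepts the access token Alexa actually sends. As an added example, not code from any answer or from AWS, here is the claim logic such an authorizer would apply, showing which claims separate a Cognito access token from an ID token and how a resource-server scope is checked. The issuer, client id, scope and the HS256 demo key are constructed placeholders; a real User Pool signs with RS256 and publishes its keys at the pool's JWKS URL, so only the signature step would change.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders. A real Cognito User Pool signs with RS256 and publishes
# its public keys at the pool's JWKS URL; only the signature step would differ.
DEMO_SECRET = b"constructed-demo-hs256-key"
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_PLACEHOLDER"
CLIENT_ID = "alexa-skill-client-id-placeholder"
REQUIRED_SCOPE = "orders/read"  # hypothetical resource-server scope

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Mint a constructed HS256 JWT so the checks below can run offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str, now: int = 0) -> dict:
    """Check signature, issuer and expiry; raise ValueError on any failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= (now or int(time.time())):
        raise ValueError("wrong issuer or expired")
    return claims

def authorize(token: str, now: int = 0) -> str:
    """Decide Allow/Deny the way a Lambda authorizer would for a Cognito access token."""
    try:
        claims = verify(token, now)
    except ValueError:
        return "Deny"
    # Cognito access tokens carry token_use=access, client_id and a space-separated
    # scope string; ID tokens carry token_use=id and aud instead. Accept only the former.
    if claims.get("token_use") != "access" or claims.get("client_id") != CLIENT_ID:
        return "Deny"
    if REQUIRED_SCOPE not in claims.get("scope", "").split():
        return "Deny"
    return "Allow"
```

The mirror image of this check (requiring token_use == "id" and aud) is what makes the default User Pool authorizer return 401 for the access token Alexa forwards.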

0 votes

I used Amazon Cognito, and in my case what I did was configure Cognito with OAuth2 only and deactivate OpenID; with this I got Cognito to give me an access token and a refresh token. Then I had to touch the ASP.NET Core side because it was not accepting the access token (ValidateAudience = false). Postman helped me determine why ASP.NET rejected the token, as it sends queries to my RESTful API.