1
votes

I tried to connect my Alexa AWS Lambda function (node.js 6.10) with Azure Active Directory to my Azure-Cloud-API. After reading the documentation from Amazon and many tutorials I now have a working Account Linking. That means I can link the account of the skill inside the Alexa app on my smartphone.

AccountLinking for my Custom Skill: {Data from my azure portal}

  • Authorization Grant Type: Auth Code Grant
  • Authorization URI: {OAUTH 2.0 AUTHORIZATION ENDPOINT}
  • Access Token URI: {OAUTH 2.0 TOKEN ENDPOINT}
  • Client ID: b9c6[...]bc60 {Application ID}
  • Client Secret: {Client Secret}
  • Client Authentication Scheme: Credentials in request body
  • scope: openid
  • domain: empty
  • redirect URLs: defined in the Azure portal as ALLOWED TOKEN AUDIENCES and Reply URLs

In my AWS Lambda function I get the event request from Alexa like the documentation says, with properties for version, session, context, request...

My understanding of the documentation is that the token I need for the Azure-Cloud-API request should be here: session.user.accessToken. But this token doesn't look like the one I need, and after my test runs I always get "Unauthorized" back. The token looks something like this and is 1252 characters long:

AQABAAAAAADX8GCi6Js6SK82TsD2Pb7rqGN56iHT_YSxlSr1RAdXucGs0S3ykOaw0XZ1WnjJotqZAn9BH7agRbP0VQv2rnJuRw_aJil7 [...] JIEO2Ap4wuG-tTwiSmZBfbLhyYtwQmxLAkqiLApqFmBYcyu-dnzlVV4liDGyTQ7gAXufd3zt7QGmi3UfP1aL9f5NBeXbmxnU6FHRzF10QZa19pTQgNTtIK8oIAA

If I configure Postman and send a request to Azure Active Directory I get an accessToken like this (1168 characters long):

eyJ0eXAiOiJKV1QiLCJhbGc [...] Ezbk5aY2VEYyJ9.eyJhdWQiOiJodHRwczovL21ldGVvcmEtYXBwLmF [...] kY5MWVUUXdBQSIsInZlciI6IjEuMCJ9.KJco47-FdJ_eeqv38LL [...] YK_4JqCRDw

This one looks like a JWT token, and if I copy this token directly into my AWS Lambda function and use it for the Azure-Cloud-API request it works (until the token expires).

Now I'm not sure: is there a problem in my configuration of the account linking? Or do I have to do something with the token from Alexa to get the real one? Or is the real token somewhere else and I have to fetch it there?

Thanks a lot for your help!

Amazon Documentation "Alexa Skills Kit":

https://developer.amazon.com/docs/custom-skills/link-an-alexa-user-with-a-user-in-your-system.html

EDIT (Solution) 11.06.2018

  • Authorization Grant Type: Auth Code Grant
  • Authorization URI: {OAUTH 2.0 AUTHORIZATION ENDPOINT} + ?resource= + {Application ID}
  • Access Token URI: {OAUTH 2.0 TOKEN ENDPOINT}
  • Client ID: b9c6[...]bc60 {Application ID}
  • Client Secret: {Client Secret} (App > Settings > Keys, new key with expiration date = 2 years)
  • Client Authentication Scheme: Credentials in request body
  • scope: empty
  • domain: empty
  • redirect URLs: defined in the Azure portal as ALLOWED TOKEN AUDIENCES and Reply URLs
What documentation did you refer to? The access token should be the JWT token issued by Azure AD. (Wayne Yang)

@WayneYang-MSFT I updated my question with the link. (SirArt)

@WayneYang-MSFT Yes, unfortunately I get neither an Azure JWT token inside the Alexa request nor inside the Alexa context. The only JWT token is in context.system.apiAccessToken, and this one is probably only for Amazon because it doesn't work inside my Azure request. (SirArt)

@juunas Thanks for the article. Yes, I saw that and I tried to use it for my use case. It's not directly the same, but he's also getting the token from "request.Session.User.AccessToken" in his "AlexaJWTMiddleware". That means he gets the right token from the Alexa service. His configuration of the account linking is slightly different. For example, at the end of the authorization URL he has "...authorize?resource={App ID URI}", but this doesn't work in my account linking. Am I missing something really important? Is it only possible to implement it like this? I'd like to use the AWS Lambda functions. (SirArt)

2 Answers

2
votes

It sounds like you haven't completed the account linking sequence for your skill. After setting the account linking configuration you need to open the Alexa app (on your phone or https://alexa.amazon.com) and go to your new skill and link your account. Once that is successful you will get a token in request.Session.User.AccessToken.

The blog post: https://blogs.msdn.microsoft.com/premier_developer/2017/12/09/amazon-alexa-skills-authenticated-by-azure-active-directory-and-backed-by-asp-net-core-2-0-web-api-hosted-on-azure/ needs to be updated with the following:

  • You can ignore the sections about the "front end" app registration.
  • In the Alexa account linking section, update the URLs to use login.microsoftonline.com instead of login.windows.net
  • ClientId to be the Application Id of the "back end" app registration
  • The ?resource= has to be set and has to be the same as the audience parameter for the JWT bearer options. This is ClientId if you use the .Net Core 2.0 template in Visual Studio.
  • The client secret (key) that is used cannot be one that "Never Expires". Use a 1 or 2 year duration.
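A quick way to tell which of the two situations from the question a Lambda skill is in (opaque AQAB... token versus an Azure AD JWT whose aud matches the ?resource= value) is to inspect session.user.accessToken before calling the backend. This is an added example, not code from the question, the answers or the linked blog post; the application ID and the sample JWT it builds are constructed placeholders, and the decoding is inspection only (the backend's JWT bearer middleware still has to validate the signature against the tenant's keys).

```javascript
'use strict';

// Constructed sample application ID standing in for the redacted b9c6[...]bc60.
const EXPECTED_AUDIENCE = 'b9c6-example-app-id-bc60';

function base64UrlDecode(segment) {
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - segment.length % 4) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed, unsigned sample token for offline use; the signature segment is a placeholder.
function makeSampleJwt(payload) {
  return base64UrlEncode({ typ: 'JWT', alg: 'RS256' }) + '.' + base64UrlEncode(payload) + '.placeholder-sig';
}

// Returns { kind: 'jwt', payload } for a well-formed JWT, { kind: 'opaque' } for the
// AQAB... style token seen when ?resource= is missing, { kind: 'missing' } if not linked.
function classifyAccessToken(token) {
  if (typeof token !== 'string' || token.length === 0) return { kind: 'missing' };
  const parts = token.split('.');
  if (parts.length !== 3) return { kind: 'opaque' };
  try {
    const header = JSON.parse(base64UrlDecode(parts[0]));
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    if (header.typ !== 'JWT') return { kind: 'opaque' };
    return { kind: 'jwt', payload };
  } catch (e) {
    return { kind: 'opaque' };
  }
}

// Builds the Authorization header for the backend call only when the token is a JWT
// whose aud matches the registered application; otherwise reports what to fix.
function buildApiAuth(alexaEvent, expectedAud) {
  const token = alexaEvent && alexaEvent.session && alexaEvent.session.user
    ? alexaEvent.session.user.accessToken : undefined;
  const info = classifyAccessToken(token);
  if (info.kind === 'missing') return { ok: false, reason: 'account not linked' };
  if (info.kind === 'opaque') return { ok: false, reason: 'not a JWT: check ?resource= on the Authorization URI' };
  if (info.payload.aud !== expectedAud) return { ok: false, reason: 'aud mismatch: ' + info.payload.aud };
  return { ok: true, headers: { Authorization: 'Bearer ' + token } };
}
```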
0
votes

In addition to Nate's answer and following the addition of ?resource= to the Authorisation URI, I had to give the API permission Azure Active Directory Graph > User.Read on the App Registration and Grant Admin Consent to it.

Without this permission, the account linking would throw an error. If you have similar issues, try your OAuth values with Postman and check the Postman Console for error messages.