3
votes

I'm having some problems with the Alexa account linking authorization.

These are the steps I followed:

  1. I got the credentials (client id, client secret...) from the Google Cloud Console
  2. Setup on the Alexa Developer Console, using 'Auth Code Grant' as authorization grant type
  3. Activated the skill on my Alexa application and successfully logged in with my Google account
  4. Now I got the access token in the request, in handler_input.request_envelope.context.system.user.access_token

The problem is that the access token expires after one hour and Alexa does not manage the refreshment of the token.

What should I do to avoid having to ask my users to log in every time after one hour? Should I use Implicit grant as authorization type? Should I get a refresh token somehow?

Additional info: it's a custom skill that connects to an AWS Lambda using Python3

2
Look for the refresh token; it will allow you to request a new access token when it has expired. Although I would have expected Alexa to handle that itself, but I have never worked with it. – DaImTo
Where should I look for it? Because it is not passed through the skill, my idea was also that Alexa would manage the refreshing, but it doesn't. – Nicolò Gasparini

2 Answers

5
votes

While @pinoyyid's answer was correct, it didn't provide a solution so I'm posting one for future reference.

The problem was indeed that Amazon servers did not receive a refresh token from Google, thus making it impossible to refresh the access token after its expiration time of one hour.

Following this link and other Amazon forum posts, I got to a working solution.

Amazon Alexa developer console 'Account Linking' configuration:

  • Authorization grant type: Auth Code Grant
  • Authorization URI: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline (even though the one from the Google credentials was not v2, it shouldn't make a difference). The access type is very important because, as the documentation says:

    Set the [access_type] value to offline if your application needs to refresh access tokens when the user is not present at the browser. [...] This value instructs the Google authorization server to return a refresh token and an access token the first time that your application exchanges an authorization code for tokens.

  • Access Token URI: https://accounts.google.com/o/oauth2/token
  • Client ID & Secret: downloaded on Google Cloud Platform
  • Client Authentication Scheme: HTTP Basic
  • Domain List: google.com and googleapis.com
  • Default access Token Expiration Time: left empty

Now, after doing this and saving the configuration, be aware that you might not notice the change, as, from here:

When Alexa uses the refresh token to retrieve a new access token for an existing user, Alexa uses the access token URI that was configured at the time the user linked their account. Therefore, if you change the access token URI later, users who linked their accounts before continue to use the old URI for retrieving updated tokens. The users must unlink and re-link accounts to switch to the new access token URI.

So, in order to complete the procedure:

  1. Deactivate your skill
  2. Go to the Google third-party applications that have access to your data and remove the associated Google project
  3. Reactivate your skill and log in again (if done correctly, it should ask you again for the permissions for the scope you specified in the Alexa developer console)
  4. Done! After one hour you should retry, and it should have a renewed access token

Additional Info

I found that many suggested retrieving the refresh token; I don't believe this is possible because, even if Google sends it, it's Amazon that stores it and uses it to refresh the access token.

EDIT: This works fine for developing and testing but I discovered here that for publication purposes you must own the landing page that you redirect your users to. For me it was just necessary to create a simple HTML page hosted in a public S3 bucket that would redirect the request to the Authorization URI I wrote before, while the Access Token URI must remain the Google one.
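As an added example (not part of the original answer, and not the author's actual S3 page), the redirect step described in the EDIT can be sketched in Python: it forwards the incoming authorization request to one fixed Google endpoint, keeps `state` and `redirect_uri` intact, and forces `access_type=offline` so that a refresh token is issued. The function name, the sample query string and the assumption that the landing page receives the standard OAuth 2.0 authorization parameters are illustrative.

```python
from urllib.parse import parse_qsl, urlencode

# Fixed destination: the Authorization URI from the answer, minus its query
# string. Never derive the destination from request input (open redirect).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Standard OAuth 2.0 authorization-request parameters (assumed to be what
# the landing page receives from the account-linking flow).
REQUIRED = ("client_id", "response_type", "redirect_uri", "state")

# Constructed sample input, not captured from a real linking session.
SAMPLE_QUERY = (
    "client_id=example-client-id&response_type=code&state=abc123"
    "&scope=openid%20email"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Flink%2FVENDOR"
)


def build_google_auth_url(incoming_query: str) -> str:
    """Return the Google URL the landing page should redirect to.

    incoming_query is the raw query string of the request that reached
    the landing page, without the leading '?'.
    """
    params = {}
    for key, value in parse_qsl(incoming_query, keep_blank_values=True):
        if key in params:
            # Ambiguous requests are rejected rather than guessed at.
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = value

    missing = [name for name in REQUIRED if not params.get(name)]
    if missing:
        raise ValueError("missing parameter(s): " + ", ".join(missing))
    if params["response_type"] != "code":
        raise ValueError("only the authorization code grant is expected")

    # Overwrite any caller-supplied value: without 'offline' Google returns
    # no refresh token and the access token dies after one hour.
    params["access_type"] = "offline"

    # 'state' and 'redirect_uri' pass through unchanged so the account-linking
    # service can match the callback to the request it started.
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


if __name__ == "__main__":
    print(build_google_auth_url(SAMPLE_QUERY))
```

The Access Token URI stays the Google one, as the EDIT says; only the user-facing authorization step goes through the landing page.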

1
votes

Have you read https://developer.amazon.com/docs/account-linking/configure-authorization-code-grant.html ?

My guess is that the Refresh Token is missing because you have already authorised the app. The RT is only issued once. Try going into https://myaccount.google.com/permissions?utm_source=google-account&utm_medium=web to revoke the permission and try again.