I am currently building an Alexa skill backed by Azure Functions (.NET Core/C#) and Azure AD B2C for authentication.
For the initial setup, I used mostly used the instructions found in this arcticle. Since, the article was written a couple of years ago, I had to make a few changes. In the end, I landed on the following configuration:
Azure Active Directory B2C
As I mentioned, we are using AAD B2C for authentication. Users of a related application are able to sign-up and sign-in to a React application. The idea is to provide an alternative interface for said users through Alexa intents + utterances.
I created an application for Alexa in AAD B2C with the following settings:
Properties
- Web App / Web API: Yes
- Allow implicit flow: Yes
- Reply URLs: I entered the values provided by the Alexa skill setup (e.g. https://pitangui.amazon.com/api/skil/link/...); there are three different ones. I also added one for my azure function app (this is something that could be incorrect. It was part of what I did while diagnosing other earlier problems); it's in the format: https://myfuncname.azurewebsites.net/.auth/login/aad/callback (Do I even need this???)
- App ID URI: https://myorg.onmicrosoft.com/alexa
- Include native client: No
Keys
I generated a single App Key, which I'm using as the Secret in the Account Linking section in the Alexa Developer Console.
Many of the examples online mention setting an explicit expiration date here of 1 or 2 years; however, I am not presented with any options at all (i.e. no expiration option), just the code. Could this be part of the problem???
API Access
- In the Published scopes section, the Scope's name is
user_impersonation. The description is "Access this app on behalf of the signed-in user". The full scope value is: https://myorgsname.onmicrosoft.com/alexa/user_impersonation.
For API Access, I have to API entries here:
- One that uses the
user_impersonationscope mentioned above. - The second, titled "Access the user's profile", uses:
- Acquire an id_token for users (openid)
- Acquire a refresh_token for users (offline_access)
AAD B2C User Flow
The user flow that I'm using allows signing up and signing in, it utilizes the following configuration:
Properties
Misc
- Enable JavaScript enforcing page layout (preview): On
Token lifetime
- Access & ID token lifetimes (minutes): 60
- Refresh token lifetime (days): 14
- Refresh token sliding window lifetime: "Bounded".
- Lifetime length (days): 90
Token compatibility settings
- Issuer (iss) claim:
https://<domain>/<b2c-tenant-guid> - Subject (sub) claim: ObjectID
- Claim representing user flow: tfp
Session behavior
- Web app session lifetime (minutes): 1440
- Web app session timeout: Rolling
- Single sign-on configuration: Tenant
- Require ID Token in logout requests: No
Azure Function Authentication Middleware
For the authentication layer within the Azure Function, I'm utilizing the method described in the article mentioned above.
Alexa Developer Console
On the Alexa side of things, I have a really simple skill setup with the following settings:
Endpoint
My endpoint uses the HTTPS option with the default region set to the fully-qualified HTTPS endpoint of my Azure Function App's handler function.
The certificate set to "My development endpoint is a sub-domain of a domain that has a wildcard ..."
Account Linking
The account linking settings are as outlined below:
- Do you allow uses to create an account or link to ...: Toggled On
- Allow users to enable skill without account linking: Toggled On
- Allow users to link their account to your skill from within your application or website: Toggled Off
- Auth Code Grant: On
- Authorization URI:
https://myorg.b2clogin.com/myorg.onmicrosoft.com/oauth2/v2.0/authorize?p=<sign-in-user-flow-policy-name> - Access Token URI:
https://myorg.b2clogin.com/myorg.onmicrosoft.com/oauth2/v2.0/token?p=<sign-in-user-flow-policy-name> - Your Client ID: AAD B2C App GUID
- Your Secret: Key generated in App settings in AAD B2C for my Alexa Skill App (mentioned in the AAD B2C setup info above).
- Your Authentication Scheme: HTTP Basic
- Scope: openid and https://myorg.onmicrosoft.com/alexa/user_impersonation
- Domain List: login.microsoftonline.com and myorg.b2clogin.com Note: This is probably wrong as I didn't know what to put here. The article above doesn't mention this setting at all
- Default Access Token Expiration Time: 3600
Note: The Alexa Redirect URLS at the bottom are what I put in AAD B2C for the Reply URL section.
The Problem
Now for the most important part, The Problem. Everything seems to work at first...I'm able to go to alexa.amazon.com and utilize Link Account (which redirects me to and from my AAD B2C-driven login screen). Once I link accounts, I'm able to successfully utilize an utterance and receive a reply.
The problems starts when I wait an hour (I believe it's an hour). Attempting to initiate the Intent after an hour yields an error on the Azure Function app side of things when it tries to validate the Auth Token.
Can anyone provide me some guidance as to what I may have setup incorrectly or at least some things that I should look into? As I mentioned at the start of this question, many of the references that I'm finding online are out-of-date and do not cover all of the settings that I'm expected to utilize. Many of them are still using microsoftonline.com authority vs. b2clogin.com.
At a glance, I would assume that the problem is that the Alexa skill is failing to refresh its token after it expires after an hour. What do I need to do to ensure that it refreshes correctly?
offline_accessas a scope referenced in the Alexa Developer Console Linked Account settings. I tried this and it has been two hours and the problem has not re-appeared. I am cautiously optimistic that this is what was missing. I will update this question accordingly once I've confirmed. – Brandon Avant