Configure an Authorization Code Grant
The Alexa Skills Kit supports authorization code grants for account linking in custom, smart home, video, meetings, and music skills.
In this grant type, the authorization server provides an authorization code (code
) after the user authenticates with the service. Alexa then uses this code
to request an access token / refresh token pair from the authorization server. Alexa can then use the refresh token to request a new access token after the old access token expires.
Overview of the authorization code grant flow
- The user starts the account linking process. The starting point depends on the type of skill:
- For custom skills, see Account Linking for Custom Skills.
- For smart home, video, meetings, or music skills, see Account Linking for Smart Home and Other Domains.
-
The Alexa app displays a login page within the app, using an authorization URI you provide when you configure account linking. This login page lets the user authenticate with the authorization server.
When the Alexa app calls the specified authorization URI, it includes
state
,client_id
,response_type
,scope
, andredirect_uri
as query string parameters. - The user logs in with their credentials for the authorization server.
- After the user is authenticated, the authorization server generates an authorization code (
code
). - The authorization server redirects the user to the Amazon-provided
redirect_uri
and passes along thestate
andcode
in the URL query string parameters. -
The Alexa service uses the
code
in a POST request to get an access token / refresh token pair from the authorization server's access token URI. The authorization server returns the access token and refresh token in a JSON response.Note that the authorization server must respond to the token request within 4.5 seconds.
-
Alexa saves the access token and refresh token.
The user's Alexa account is now linked to the account in the other service, and the skill is ready for use.
- When the user makes requests to the skill, each request (such as an
IntentRequest
for a custom skill or aTurnOn
directive for a smart home skill) now includes the access token (access_token
). Your skill uses this token to get the information you need from the resource server. If theaccess_token
is expired, Alexa calls the access token URI again with the refresh token to request a new access token / refresh token pair.
The following diagram illustrates the initial setup when the user links their account and Alexa obtains the access token from your authorization server.
This diagram shows the flow when the user makes a request to the skill and the skill then uses the access token to retrieve information from the resource server.
Steps to configure an authorization code grant
- Make sure that you have an authorization server that meets the requirements described in Requirements for Account Linking for Alexa Skills.
- Configure your skill for the authorization code grant type in the developer portal. For details, see Configure Account Linking in the Developer Console.
After you configure the authorization code grant, move on to the next step and add the logic to validate and use the access token to your skill code. For more information, see:
- Validate and Use Access Tokens in Custom Skill Code
- Validate and Use Access Tokens in Smart Home and Video Skill Code
Authorization URI
When a user starts the process of linking accounts, the Alexa app displays a login page for the authorization server. The authorization server needs to validate the user's credentials and then return a code
, which Alexa then exchanges for an access token.
You specify the URL for this login page in the developer console on the Build > Account Linking page. You provide the URL for the login page in the Authorization URI field. You provide the URI of the server that can exchange the code
for the access token in the Access Token URI field.
If you use a third-party OAuth provider, see the documentation for that provider to determine the authorization URI you need when you configure account linking. Look for the URI for an authorization request and access token request.
For example, assume your Amazon-provided redirect URL is the following:
https://pitangui.amazon.com/api/skill/link/M2AAAAAAAAAAAA
Your authorization URI would then redirect the user to:
https://pitangui.amazon.com/api/skill/link/M2AAAAAAAAAAAA?state=xyz&code=SplxlOBeZQQYbYS6WxSbIA
Note that the parameters are passed in the URL fragment, which is the portion of the URL after the hashtag (#
).
For authorization server requirements, see Authorization server requirements.
Parameters passed to the authorization URI
The Alexa app includes the following parameters in the URL query string when it calls your authorization URI.
Parameter | Description |
---|---|
|
An identifier for your skill. You can use this to provide any skill-specific functionality, such as distinguishing between different skills you have configured with account linking. You define the |
|
The Amazon-specific redirection endpoint (redirect URL) to which the service should redirect the user after authenticating the user. The values you can expect for this parameter are also displayed in the developer console when you configure account linking for your skill. |
|
Indicates the type of response that should be returned after the user has been authenticated by the other service. This is always |
|
An optional list of scopes indicating the access the Alexa user needs. You define these scopes when you configure account linking for your skill for your skill.
|
|
A value used internally by the Alexa service to track the user through the account linking process. The Alexa app sends a |
For example, if the authorization URI for your page is https://www.ridehailer.com/login, the URL called by the Alexa app might look like this:
https://www.ridehailer.com/login?state=abc&client_id=unique-id&scope=order_car+basic_profile&response_type=code&redirect_uri=https%3A//pitangui.amazon.com/api/skill/link/M2AAAAAAAAAAAA
Access and refresh tokens
Your authorization server needs to provide an access token that uniquely identifies a user. Your skill can then use this token to access information about the user in your resource server.
The Alexa service calls the access token endpoint for your authorization server (specified as the Access Token URI in the developer console) and passes the code
and client credentials in a POST request. The authorization server returns the access token and optional refresh token in a JSON response. Although the refresh token is optional, it is recommended if your access token expires.
Example access token request:
POST /auth/o2/token HTTP/1.1
Host: api.amazon.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
grant_type=authorization_code
&code=123456EXAMPLE
&client_id=exampleId
&client_secret=ABCDEFGEXAMPLE
&redirect_uri=https%3A//pitangui.amazon.com/api/skill/link/M3PCA6K3O9X0NW
Example access token response:
HTTP/1.1 200 OK
Content-Type: application/json;charset UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"Atza|EXAMPLEACCESSTOKEN123456...",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"Atzr|EXAMPLEREFRESHTOKEN123456X..."
}
For access and refresh token requirements, see Access token URI requirements.
When generating the access token, provide a token specific to your resource server. For security, your token should be a value that identifies the user, but cannot be guessed.
Configure account linking
You enable account linking in the developer console in the Build > Account Linking section. Alternatively, you can configure account linking with the ASK CLI or the Skill Management API.
The following table summarizes the fields you must fill in to configure account linking. If you use a third-party OAuth provider, see the documentation for that provider to determine the values to enter in these fields.
Field | Description |
---|---|
Do you allow users to create an account or link to an existing account with you? |
Select this to enable account linking for a custom skill. This option is automatically selected for smart home and video skills. |
Allow users to enable the skill without account linking |
Select this to let users bypass the account linking flow when they enable your skill. Available for custom skills only. This is useful if your skill offers meaningful functionality without an account, in addition to the features that require an account. See Let Users Enable Your Skill without Account Linking. This option is on by default. |
Authorization Grant Type |
The OAuth 2.0 authorization grant type to use to obtain the access token. Select Auth Code Grant. For smart home and video skills, this is automatically selected, as this is the only supported grant type. |
Authorization URI |
The URI for a page the user can use to log into your service. The Alexa app displays this page when the user begins the account linking process. Refer back to Authorization URI for details and requirements. For a third-party OAuth provider, look for the URI provided for authorization requests. For example, for Login with Amazon, the authorization URI is |
Access Token URI |
The URI for the access token endpoint for your authorization server. The Alexa service calls this URI to exchange the authorization code for an access token. Alexa also calls this URI with the refresh token to get a new access token when the previous token expires. For a third-party OAuth provider, look for the URI provided for access token requests. For example, for Login with Amazon, the URI for the access token request is Refer back to Access and Refresh Tokens for token requirements and details. |
Your Client ID |
A unique string that identifies the client requesting authentication. This value is passed to the authorization URI in the This client ID is also part of the client credentials that the Alexa service includes when requesting an access token from the Access Token URI. For a third-party OAuth provider, look for the client identifier that the provider expects. For example, for Login with Amazon, this ID is created when you create a security profile for Login with Amazon. |
Your Secret |
A credential you provide that lets the Alexa service authenticate with the Access Token URI. This is combined with Your Client ID to identify the request as coming from Alexa. For a third-party OAuth provider, look for the client identifier that the provider expects. For example, for Login with Amazon, the client secret is created when you create a security profile for Login with Amazon. |
Your Authentication Scheme |
Identifies the type of authentication Alexa should use when requesting tokens from the Access Token URI. |
Your Redirect URLs |
These URLs point to your own app and are only for app-to-app account linking implementations. |
Scope |
An optional list of permissions for the other service. If your resource server supports different scopes for access, enter those here. You can provide up to 15 scopes. All of the scopes entered here are included in the For a third-party OAuth provider, specify a scope from the set of scopes that the provider supports. For example, Login with Amazon supports |
Domain List |
An optional list of domains that the authorization URI can retrieve data from. If your login page retrieves content from other domains, enter those in this list. This is only necessary for domains beyond your authorization URI. For example, suppose your authorization URI is |
Default Access Token Expiration Time |
The time in seconds for which the access token is valid. This value is used if the OAuth client does not return |
Alexa Redirect URLs |
This displays the Amazon-provided redirection endpoints to which your login page must redirect the user after the user is authenticated. The value to use for a given request is passed to your login page as the |
Alexa Redirect URLs
You can see the redirection endpoints that Alexa uses in the Alexa Redirect URLs field on the Build > Account Linking page in the developer console. This endpoint is the URL to which your log-in page must redirect the user after the user is authenticated.
Note that Alexa Redirect URLs displays multiple URIs. The Alexa app passes your authorization URI the value you should use based on where the user registered their device. The URI is passed to your authorization URI in the redirect_uri
parameter.
You typically need to register the redirection endpoint with the authorization server to ensure that the authorization URI can call it, especially if don't own your authorization server. To ensure that your skill works from multiple regions, register all of the URIs shown in Your Redirect URLs.
How you do this depends on the authorization server you are using. For example, in Login with Amazon, you need to configure a security profile and provide the possible redirect URLs in the Allowed Return URLs field.
See the documentation for your OAuth provider to determine these requirements.
For example, the value passed in the redirect_uri
parameter for an authorization code grant might look like this:
https://pitangui.amazon.com/api/skill/link/M2AAAAAAAAAAAA
As noted in the authorization URI requirements, your authorization URI redirects the user to the redirect_uri
and includes state
and code
in the URL query string. For example:
https://pitangui.amazon.com/api/skill/link/M2AAAAAAAAAAAA?state=xyz&code=SplxlOBeZQQYbYS6WxSbIA
redirect_uri
parameter.Test the account linking flow
After you configure account linking, you can test the account linking flow. Use the Alexa app to enable your skill and start the account linking process. Verify that you can log in to the service and then return to the Alexa app.
To finish implementing account linking, update your skill code to check for the access token on incoming requests and take appropriate actions. Also, add code to send a link-account card in the response if the user didn't enable or canceled account linking. When displayed in the Alexa app, this card displays a link to your authorization URI. The user can start the account linking process directly from this card.
For more details, see:
- Custom skills: Validate and Use Access Tokens in Custom Skill Code
- Smart home skills and other domains: Validate and Use Access Tokens in Smart Home and Video Skill Code
Related topics
- Account Linking Concepts for Alexa Skills
- Quick Reference: Add Account Linking to an Alexa Skill
- The OAuth 2.0 Authorization Framework (RFC 6749)
- OAuth.com
Last updated: Mar 21, 2024