How can users grant permission for my website to manage their Amazon Alexa Lists

Question

I want users of my Next.js TypeScript app to grant it permission to manage their Alexa Lists.

I figured this would be possible with OAuth2.

I figured I'd need to create a button in my website that takes the user to an Amazon URL that allows the user to grant my website permission to manage their Alexa lists (and then generates a code that it includes in a GET request that happens as a redirect to a "callback" URL that I registered as the redirect_uri when setting up OAuth2 in Amazon).

I figured the button would be a link to a URL defined like

const url = `${oauth2BaseUrl}?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(redirectUrl)}&response_type=code&scope=${scope}`;

This is generally how OAuth2 works, in my experience.

But I've found Amazon's docs incredibly unhelpful.

I see permissions / scopes mentioned here called alexa::household:lists:read alexa::household:lists:write.

I've set up my API endpoint (which I'll specify at redirectUrl) to exchange the Amazon authorization code for an Amazon access token following the code examples shown there.

I've set oauth2BaseUrl to be 'https://www.amazon.com/ap/oa' (found at https://developer.amazon.com/docs/login-with-amazon/authorization-code-grant.html).

For client ID, I'm using the one for my Alexa skill that I created. Is that correct?

I'm using Next-auth, but I'd be curious if there are any other libraries that could make any of this easier.

Here are permissions I've added in my Skill:

I always get:

400 Bad Request
An unknown scope was requested

But if I just use scopes these different scopes instead, I see it behave how I'd expect (but I lack List permissions): alexa::skills:account_linking postal_code profile:user_id.

P.S. I also started setting up Login With Amazon, but I don't understand why that would be necessary. I'm not looking to offer a federated login feature.

To be able to manage users' Alexa Lists, you need to use the LWA, which is separate from the Alexa Skills Kit (ASK). The client ID you're using should be from LWA, not your Alexa Skill. — SolessChong, Apr 16 '23 at 12:22
@SolessChong Thanks for your comment! I've now set up my OAuth to use the LWA client ID. What other steps are necessary to achieve my goal? Thanks. — Ryan, Apr 16 '23 at 20:17

score 1 · Answer 1 · answered Apr 16 '23 at 02:29

1

I got your ping from another thread. I haven't used App-to-App account linking, so I don't have a complete answer for you. But to my knowledge, alexa::household:lists:read and alexa::household:lists:write are skill permissions (not OAuth scope). If enabled, the Alexa app would prompt for the user's consent after the OAuth authentication flow.

For example, here is the basic account linking flow (not App-to-App account linking) with the Alexa app on Android:

Open the Alexa app
Select my skill > Enable
The Alexa app opens Login with Amazon page in Chrome (I used LWA as my OAuth provider)
I login and authorize the request
It returns to the Alexa app, with the message "Your skill account has been successfully linked" > click Close
The Alexa app then prompts for Account Permissions. That's the step where I can grant the skill access to my Alexa lists

So granting the Alexa lists permission is not part of the OAuth in the basic account linking flow.

As an experiment, I tried adding alexa::household:lists:read as a scope in my skill's account linking configuration, and it broke account linking -- Alexa app would display an error message instead of opening the LWA page. So I don't think they are OAuth scopes. It would also explain why you were getting 400 Bad Request -- An unknown scope was requested error.

As for your scenario, are you looking to implement App-to-App account linking with the Alexa app flow or the LWA fallback flow? If it's the latter, I suspect this may not be a supported use case based on my observation above. I would suggest reaching out to Amazon developer support to confirm.

answered Apr 16 '23 at 02:29

Christina

1,870
12
16

Thanks for responding! The flow I want is: "Alexa app only (browser flow) – Users accomplish account linking entirely within the Alexa app. This is the most common flow." I've tried posting in the AWS forum but haven't gotten any response. – Ryan Apr 16 '23 at 20:16
1

@Ryan Just to clarify, the UX I described above is actually the "Alexa app only (browser flow)". You mentioned creating a button on your website that takes the user to an Amazon URL that allows them to grant your website permission to manage their Alexa lists -- that would be considered as an app-to-app linking flow, where the user starts from your app/website instead of the Alexa App. – Christina Apr 17 '23 at 04:27
1

Can you confirm if you want the [Alexa-app only](https://developer.amazon.com/en-US/docs/alexa/account-linking/add-account-linking.html#account-linking-flows) flow? If so, can you clarify what the issue is? The Alexa app should prompt for the Alexa list permissions in step 6 (after completing OAuth). – Christina Apr 17 '23 at 04:28
I apologize; you are right. I've been so confused by this documentation. I want the one that says "Starting from your app – In this flow, the user starts from your app or website, chooses to initiate account linking, and is then redirected to the Alexa app (or Login with Amazon, if the Alexa app is not installed). The user acknowledges the account linking request within the Alexa app (or Login with Amazon), and is then redirected back to your app or website, which completes account linking and enables the skill by using APIs provided by Alexa. For details about this flow, see ..." – Ryan Apr 17 '23 at 12:02
https://stackoverflow.com/a/65166018/470749 looks interesting but unclear. I also found `const lwaServiceClient = new LwaServiceClient({ apiConfiguration, authenticationConfiguration }); const accessToken = await lwaServiceClient.getAccessTokenForScope(scope);` but am not sure when to call it and what `authorizationValue` means and what value to assign to it (required property of apiConfiguration). – Ryan Apr 17 '23 at 14:20
https://developer.amazon.com/en-US/docs/alexa/custom-skills/get-a-user-specific-access-token.html#receive-authorization-code-with-account-linking looks important. It says "Your skill receives authorization codes at the `reciprocalAccessTokenUrl` that you specify in the account linking schema within the skill manifest." But it links to https://developer.amazon.com/en-US/docs/alexa/smapi/account-linking-schemas.html#accountlinkingrequest-object which says "In the developer console, you specify these on the Build > Account Linking page using the Your Redirect URLs field." which I've done. – Ryan Apr 17 '23 at 14:35
No worries :) FYI that [this answer](https://stackoverflow.com/a/65166018/470749) you referenced is for the Alexa-app only flow with LWA. I have the same setup for my skill. Based on [this post](https://amazon.developer.forums.answerhub.com/questions/220969/grant-alexaskill-messaging-during-app-to-app-accou.html), I'm afraid your desired workflow is not a supported use case. – Christina Apr 18 '23 at 06:43
I would suggest posting [here](https://amazon.developer.forums.answerhub.com/spaces/23/Alexa%20Skills%20Kit.html) or submit a [Contact Us](https://developer.amazon.com/support/contact-us) if you want an official confirmation. I'm not sure where you posted in the AWS forum, but Alexa is not part of AWS so you may not get a response there. – Christina Apr 18 '23 at 06:46
Thanks! I haven't gotten any answer from 4 days ago: https://amazon.developer.forums.answerhub.com/questions/248106/how-can-users-grant-permission-for-my-website-to-m.html – Ryan Apr 18 '23 at 12:11

score 0 · Answer 2 · answered Apr 17 '23 at 08:14

Go to the Amazon Developer Console.
Click on "Login with Amazon" in the top-right menu.
Click on "Create a New Security Profile".
Fill in the required information and click on "Save". In the "Web Settings" tab of your new security profile, add your redirectUrl to the "Allowed Return URLs".
Note the "Client ID" and "Client Secret" provided in the "General" tab. Use this new Client ID in your OAuth2 request.

And update your OAuth2 request URL to include the correct client ID and requested scopes for Alexa Lists

const oauth2BaseUrl = 'https://www.amazon.com/ap/oa';
const clientId = 'YOUR_LOGIN_WITH_AMAZON_CLIENT_ID';
const redirectUrl = 'YOUR_REDIRECT_URL';
const scope = 'alexa::household:lists:read alexa::household:lists:write';

const url = `${oauth2BaseUrl}?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(redirectUrl)}&response_type=code&scope=${encodeURIComponent(scope)}`;

Next-auth does not directly support Alexa Lists API. Next-auth is an authentication library for Next.js, which simplifies adding authentication to your app. While it supports Login with Amazon, it does not provide built-in support for the Alexa Lists API.

You can use the amazon provider in Next-auth for Login with Amazon, but you would still need to handle Alexa Lists API calls yourself.

For the APP:

Create a component in your Next.js app to generate the OAuth URL and render the button:

// components/LinkWithAmazon.tsx

import React from 'react';

const oauth2BaseUrl = 'https://www.amazon.com/ap/oa';
const clientId = process.env.CLIENT_ID;
const redirectUrl = process.env.REDIRECT_URL;
const scope = 'alexa::household:lists:read alexa::household:lists:write';

const url = `${oauth2BaseUrl}?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(redirectUrl)}&response_type=code&scope=${encodeURIComponent(scope)}`;

const LinkWithAmazon: React.FC = () => (
  <a href={url}>Link with Amazon Alexa</a>
);

export default LinkWithAmazon;

Implement a Next.js API route to handle the callback from Amazon and exchange the authorization code for an access token:

// pages/api/auth/callback.ts

import type { NextApiRequest, NextApiResponse } from 'next';
import axios from 'axios';

async function handler(req: NextApiRequest, res: NextApiResponse) {
  const { code } = req.query;

  const response = await axios.post('https://api.amazon.com/auth/o2/token', null, {
    params: {
      grant_type: 'authorization_code',
      code,
      client_id: process.env.CLIENT_ID,
      client_secret: process.env.CLIENT_SECRET,
      redirect_uri: process.env.REDIRECT_URL,
    },
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  });

  const { access_token: accessToken, refresh_token: refreshToken } = response.data;

  // Save the access token and refresh token to your database or session

  // Redirect the user back to your app
  res.redirect('/');
}

export default handler;
···

Use the ·LinkWithAmazon· component in your app to render the button and call the getShoppingList function when needed:
jsx

I appreciate your answer! I tried to follow it exactly, but I still get the "An unknown scope was requested" error. I think https://stackoverflow.com/a/76025645/470749 might be correct about `alexa::household:lists:read alexa::household:lists:write` not being OAuth scopes. Also, I'm not sure the correct settings for https://developer.amazon.com/alexa/console/ask/{____}/development/en_US/account-linking (the Account Linking settings and Permissions settings). Thanks. — Ryan, Apr 17 '23 at 13:54
See also https://stackoverflow.com/questions/75967998/how-can-users-grant-permission-for-my-website-to-manage-their-amazon-alexa-lists/76025645?noredirect=1#comment134101402_76025645 Thanks! — Ryan, Apr 17 '23 at 14:35

How can users grant permission for my website to manage their Amazon Alexa Lists

2 Answers2

For the APP:

Linked