Ben Drury

Reputation: 1376

When exchanging the Amazon Alexa grant_code for an access_token, where are the credentials?

I am trying to write the exchange and access endpoints and the docs here (https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/linking-an-alexa-user-with-a-user-in-your-system#h2_login) are not clear on a couple of things:

  1. How is the call to exchange a grant code for an access token made? Is it a GET with credentials in the query string, or a POST with credentials in the body?

  2. Is the access token delivered only in the JSON for an intent call or is it set properly as a bearer token?

Upvotes: 0

Views: 471

Answers (1)

Noah Gilmore

Reputation: 1389

  1. It's a POST with credentials in the request body. Amazon follows the OAuth2 RFC correctly in this case.
  2. The access token is delivered by Amazon only in the JSON for the intent request and not properly set as a bearer. This is annoying.

In my case, I had to hack around it by first validating that the request was a valid Alexa request which contained a session with an access token, then setting the `HTTP_AUTHORIZATION` header to `Bearer <token>`, then using the existing request auth logic to authenticate (I was using Django with django-oauth-toolkit, so YMMV if you're using something else).

That code looks something like this:

    import json
    from django.contrib.auth import authenticate

    # get the access_token from the POST request: Alexa puts it in
    # session.user.accessToken of the JSON body, not in a bearer header
    body = json.loads(request.body)
    access_token = body.get("session", {}).get("user", {}).get("accessToken")
    if access_token is not None:
        request.META["HTTP_AUTHORIZATION"] = "Bearer " + access_token
        # is_anonymous / is_authenticated are properties on Django 1.10+
        if not hasattr(request, 'user') or request.user.is_anonymous:
            # django-oauth-toolkit's OAuth2Backend reads the Authorization header we just set
            user = authenticate(request=request)
            if user:
                request.user = request._cached_user = user

        if request.user.is_authenticated:
            # Do whatever with the logged in user
            pass

Upvotes: 2
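The two halves of the answer above, as an added example that is not code from the question, the answer, Amazon, Django or django-oauth-toolkit. `parse_token_request` is the authorization-server side of the RFC 6749 code-for-token exchange the asker is writing (POST, form-encoded body, client credentials in the body, with the HTTP Basic form the RFC also allows); `inject_bearer_header` is the answer's workaround, lifting `session.user.accessToken` out of the Alexa request JSON and presenting it as a Bearer `Authorization` header on a WSGI-style `META` dict. It assumes the caller has already verified the Alexa request signature (the answer's first step), and the client registration, grant codes and Alexa request are constructed sample data.

```python
import base64
import hmac
import json
import re
from urllib.parse import parse_qs

# Constructed data; a real server keeps these in its database.
REGISTERED_CLIENTS = {"alexa-skill-client": "s3cret-client-secret"}
ISSUED_CODES = {
    "grant_EXAMPLE_code": {"user_id": "u42",
                           "redirect_uri": "https://example.invalid/link/callback"},
}

# Constructed Alexa intent request; session.user.accessToken is where the
# Alexa request format carries the linked account's token.
SAMPLE_ALEXA_REQUEST = json.dumps({
    "version": "1.0",
    "session": {"new": False,
                "user": {"userId": "amzn1.ask.account.EXAMPLE",
                         "accessToken": "tok_EXAMPLE_abc123"}},
    "request": {"type": "IntentRequest", "intent": {"name": "HelloIntent"}},
})

# RFC 6750 section 2.1 b64token syntax: rejects anything header-unsafe
# (spaces, CR/LF) before it is concatenated into an Authorization value.
_B64TOKEN_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def parse_token_request(method, headers, body):
    """Validate an RFC 6749 section 4.1.3 token request as the authorization server.

    Returns (user_id, None) on success, else (None, error_code) using the
    error strings of section 5.2. Credentials are never read from the URL.
    """
    if method != "POST":                                   # section 3.2: POST only
        return None, "invalid_request"
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("grant_type") != "authorization_code":
        return None, "unsupported_grant_type"

    client_id, client_secret = params.get("client_id"), params.get("client_secret")
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):                          # section 2.3.1 alternative
        try:
            client_id, _, client_secret = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None, "invalid_client"
    expected = REGISTERED_CLIENTS.get(client_id or "")
    # Constant-time comparison so a wrong secret cannot be guessed byte by byte.
    if expected is None or not hmac.compare_digest(expected.encode(), (client_secret or "").encode()):
        return None, "invalid_client"

    grant = ISSUED_CODES.pop(params.get("code", ""), None)   # codes are single-use
    if grant is None or grant["redirect_uri"] != params.get("redirect_uri"):
        return None, "invalid_grant"
    return grant["user_id"], None


def _dig(doc, *keys):
    """Walk nested dicts, returning None instead of raising on any mismatch."""
    for key in keys:
        if not isinstance(doc, dict):
            return None
        doc = doc.get(key)
    return doc


def extract_alexa_access_token(body):
    """Return session.user.accessToken from an Alexa request body, else None."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None
    token = _dig(doc, "session", "user", "accessToken")
    if not isinstance(token, str) or not _B64TOKEN_RE.match(token):
        return None
    return token


def inject_bearer_header(meta, body):
    """Apply the answer's workaround to a WSGI-style META/environ dict.

    Any Authorization header already present is discarded first, so the only
    token the downstream auth backend sees is the one Alexa delivered in the
    (signature-verified) JSON body. Returns True when a header was set.
    """
    meta.pop("HTTP_AUTHORIZATION", None)
    token = extract_alexa_access_token(body)
    if token is None:
        return False
    meta["HTTP_AUTHORIZATION"] = "Bearer " + token
    return True
```

Call `inject_bearer_header(request.META, request.body)` before handing the request to the existing auth backend; for the token endpoint, feed `parse_token_request` the method, headers and raw form body and turn its `(user_id, error)` result into the JSON success or error response RFC 6749 section 5 describes.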
