Daniel

Reputation: 2373

What is the correct Access Token URI for AWS Cognito and Alexa account linking?

I am a bit confused as to how to set up Cognito as a provider for account linking in Alexa. So far in Alexa, I have the following:

Authorization URL:

https://[domain].auth.us-east-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=[clientID]&redirect_uri=https://pitangui.amazon.com/api/skill/link/[random]

This is backed up by the docs for this endpoint. Then I would think that the Access Token URI would be the following:

https://[domain].auth.us-east-1.amazoncognito.com/oauth2/token?grant_type=code&client_id=[clientID]&redirect_uri=https://pitangui.amazon.com/api/skill/link/[random]

This endpoint is also in the docs. But this does not work, and I am also confused as to how Amazon passes the code from the auth endpoint to the token endpoint. I've seen people use:

https://pitangui.amazon.com/api/skill/link/[random]?grant_type=code&client_id=[clientID]&redirect_uri=https://pitangui.amazon.com/api/skill/link/[random]

Which is the account-linked redirect URI. In the Alexa app and in the Alexa site, I get redirect-mismatch. All the redirects match.

I can get this to work using the implicit flow just fine, but I need to get it to work with the auth code flow so I can have self-refreshing tokens.

Upvotes: 3

Views: 4678

Answers (1)

Daniel

Reputation: 2373

I got it to work, here is what I had to do:

Auth Code Flow:

The Alexa Skill configuration page needs the following:

Account Linking:

Authorization URL: https://[your-cognito-domain].auth.us-east-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=[your-client-id]&redirect_uri=https://pitangui.amazon.com/api/skill/link/[vendor-id-amazon-gives-you]&state=[random-string-of-your-choosing]

The docs say that state is optional but I could not get the Auth Code flow to work without it.

Client Id: Same as the client id from the Authorization URL. This comes from the App Clients page in Cognito. This was a big gotcha for me: I thought this was random, but no, it needs to match the above client id.

Domain List, Scope: I did not need these.

Authorization Grant Type: Auth Code Grant

Access Token URI: https://[your-cognito-domain].auth.us-east-1.amazoncognito.com/oauth2/token?state=[same-string-as-the-one-in-auth-url]

Client Secret: This comes from the App Clients page in Cognito.

Cognito App Client Settings:

Enabled Identity Providers: Cognito User Pools

Callback URL(s): https://pitangui.amazon.com/api/skill/link/[vendor-id-amazon-gives-you-in-alexa-config-page]

Sign out URL(s): https://[your-cognito-domain].auth.us-east-1.amazoncognito.com/logout?response_type=code&client_id=[your-client-id]&redirect_uri=https://pitangui.amazon.com/api/skill/link/[vendor-id-amazon-gives-you]

I am dropping the Implicit Grant here as a bonus:

Implicit Grant Flow:

Authorization URL: https://[your-cognito-domain].auth.us-east-1.amazoncognito.com/oauth2/authorize?response_type=token&client_id=[your-client-id]&redirect_uri=https://pitangui.amazon.com/api/skill/link/[vendor-id-amazon-gives-you]

As I said earlier, I did not have to use state here.

Client Id: Same as the client id from the Authorization URL. This comes from the App Clients page in Cognito. This was a big gotcha for me: I thought this was random, but no, it needs to match the above client id.

Domain List, Scope: I did not need these.

Authorization Grant Type: Implicit Grant

Cognito App Client Settings:

Enabled Identity Providers: Cognito User Pools

Callback URL(s): https://layla.amazon.com/spa/skill/account-linking-status.html?vendorId=[vendor-id-amazon-gives-you-in-alexa-config-page]

Sign out URL(s): https://[your-cognito-domain].auth.us-east-1.amazoncognito.com/logout?response_type=token&client_id=[your-client-id]&redirect_uri=https://layla.amazon.com/spa/skill/account-linking-status.html?vendorId=[vendor-id-amazon-gives-you-in-alexa-config-page]

Upvotes: 12
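As an added illustration (not the original poster's code), here is a Python sketch of the pieces behind the Auth Code configuration above: building the authorization URL with a state value, checking the redirect_uri character for character against the Cognito callback list (the source of the redirect-mismatch error in the question), verifying the echoed state, and the token request that Alexa itself sends to the Access Token URI. All domain, client and vendor values are constructed placeholders.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values; none are real Cognito or Alexa identifiers.
COGNITO_DOMAIN = "example-pool.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
ALEXA_REDIRECT = "https://pitangui.amazon.com/api/skill/link/EXAMPLE-VENDOR-ID"


def build_authorize_url(domain, client_id, redirect_uri, state):
    """Authorization URL for the Alexa account-linking page (auth code grant).
    urlencode escapes redirect_uri so its ':' and '/' stay inside one parameter."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"https://{domain}/oauth2/authorize?{query}"


def redirect_matches_callback(authorize_url, cognito_callback_urls):
    """Cognito accepts redirect_uri only if it equals one entry of the app
    client's Callback URL list exactly; a stray trailing slash or a different
    vendor id is enough to trigger the redirect-mismatch error."""
    params = parse_qs(urlsplit(authorize_url).query)
    redirect = params.get("redirect_uri", [None])[0]
    return redirect in cognito_callback_urls


def state_matches(returned_state, expected_state):
    """The state echoed on the callback must equal the one that was sent;
    a constant-time comparison avoids leaking timing information."""
    return hmac.compare_digest(returned_state, expected_state)


def build_token_request(domain, client_id, client_secret, code, redirect_uri):
    """Request Alexa sends to the Access Token URI after the user consents.
    OAuth 2.0 names this grant 'authorization_code' (not 'code'), and a
    confidential client authenticates with HTTP Basic client_id:client_secret."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "code": code, "redirect_uri": redirect_uri})
    return {"method": "POST", "url": f"https://{domain}/oauth2/token",
            "headers": {"Authorization": f"Basic {creds}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": body}
```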
