•   about 5 years ago

Problems authenticating with Amazon

Hi,
I'm trying to connect to Genome Link through Amazon's Alexa app, but I keep getting errors. First I tried getting an authorization code grant. Amazon generated the uri with correct client_id and scope:

https://genomelink.io/login/?next=/oauth/authorize%3Fclient_id%3D09pyX31RBM9tzg408RpAMka3ZPLVVBG6wjmXnAzz%26response_type%3Dcode%26state%3DA2SAAEAEMV_-YKeG7ut51tc-c-dce4BsGmxF27EGyeDZZUBRzEe45vdFZqqYqsjm77b0kZ9fbngr7Ftof-zaJ2biEiQZVc2eiPErRzJ4kT_A8iO0tzSFnb6zZaRlxYJpKsSpB5DiXpasIcwhqf87zUku3Ldjfv6qgL02rWtxb_SrPHabYiMgj-V-vCXotYfHrqU1z5YJ398XxqnlSRMEftaCEguP9XetiTsI0XzbvSQYpX17qOdXV5iCl484v5tervoY9NbmG7gq0PvM6UwO9vW3q8z4ruSv3Oy6dYHREfiEson-bSGm-CbiJ3LC-fewVCWddsmSTKZbauVgAdobwfUWHcZRi_4w38f7sf5uAt_m0K9WZvHbjcVW5z5a7xiW1A7cbebbpP2VebSTO2BTrNFyoX-YpSuqIni1bYHjUeAIYVCF5PC1VTk1rOJiMoCjBzevE7hSVyiKO1gjTnP463uu5SpX8HjVjXgihPIkrzeoqzzvfgITuEgMjZAD9i6-_FnFQMmC7TfAm8MSJtCn1ElUwKup9M2PdfiYNG4mKHsVDVkM9eu8P25EiZ2-6UjxItL7gS-OUGxA1MK4152e2R5t2QaZgBVxw%26scope%3Dreport%253Aanger%2Breport%253Aagreeableness%2Breport%253Aconscientiousness%2Breport%253Adepression%2Breport%253Aextraversion%2Breport%253Aharm-avoidance%2Breport%253Aneuroticism%2Breport%253Anovelty-seeking%2Breport%253Aopenness%2Breport%253Areward-dependence%2Breport%253Agambling%2Breport%253Asmoking-behavior%26redirect_uri%3Dhttps%253A%252F%252Fpitangui.amazon.com%252Fapi%252Fskill%252Flink%252FM5EY97U4728AA

which seemed to work and took me to the GenomeLink login page. I typed in `test-user-1` for username and `genomelink.io` for password and got an error page back from Amazon with the message

```
The authorization server returned with an error parameter. Please refer to https://tools.ietf.org/html/rfc6749#section-4.1.2.1 for more details.
```

They didn't specify the error in the message, and I'm trying to figure that out from their end. In the meantime, I also tried using implicit grant. My app sent with correct client_id and scope:

https://genomelink.io/login/?next=/oauth/authorize%3Fclient_id%3D09pyX31RBM9tzg408RpAMka3ZPLVVBG6wjmXnAzz%26response_type%3Dtoken%26state%3DA2SAAEAEIkaakTWeNHZJLRTNtjjNgIBwLjs8ve6ryu515YNJxMfYqCplVGckSSBGKfADyKPfhqJTms0X82_x0TnqT0H7zDVY9RxuFqgyANRT_r12iFolpLjw1GqojuhArz0XaxN1e_vNSCSwW7zyGvJ6G81-zRR2K00lE1zuMkN0hjS3GuM9pRS850W4nafz4odCiAuCa9iISwjrNDaU7J6XB3tKogPsl06QQ4KV4_wHplrUt4-R5WWqaiYrj0IQIQrx7lEgE-FyxfqEA9soWindgZhJrRHX0vMTCErF-kcti3XmLEx1uBStY_qmMhizjq1WW-0MYjqBR8xVDkAUVBnHIBcqIpPscTaJVmWVDMAd-TurPB-EU0oPRtI0NfcyfJ7BLpevp0tIvDGBCk8e1OfVuQzxGsv9EyfueOXgq789o9fDx9CJqMba-Hpm7kNfXDc_weZwCqgLa-TU9oF4h_Q6hnsVvWj43KfGERiGg8yspTXGQ0YK3iXOjw01DqppzMfP0wGV0CSsqocx8FTv2oYPhFFwTJN2hrAuQSQJidgYe-4qmVgqyKlMXbicK1CJGRRe8eC0bwgWsEYAoVZDQPOv3WhHnWUdW8EpE0f8s-RvUFDplqv3WI%26scope%3Dreport%253Aanger%2Breport%253Aagreeableness%2Breport%253Aconscientiousness%2Breport%253Adepression%2Breport%253Aextraversion%2Breport%253Aharm-avoidance%2Breport%253Aneuroticism%2Breport%253Anovelty-seeking%2Breport%253Aopenness%2Breport%253Areward-dependence%2Breport%253Agambling%2Breport%253Asmoking-behavior%26redirect_uri%3Dhttps%253A%252F%252Fpitangui.amazon.com%252Fspa%252Fskill%252Faccount-linking-status.html%253FvendorId%253DM5EY97U4728AA

Which also seemed to work and bring up a login page. Again I typed in `test-user-1` for username and `genomelink.io` for password, and this time the genomelink server gave me an error:

```
Error: invalid_request
Mismatching redirect URI
```

I'm not sure what is wrong here. My redirect uri listed in my genomelink panel is:
https://pitangui.amazon.com/api/skill/link/M5EY97U4728AA

I do know that Amazon expects the implicit grant uri to have `state`, `access_token`, and `token_type` (should be `Bearer`) passed back in the URL fragment portion of the URL (after the hashtag `#`). I'm not sure what my next step should be to troubleshoot this situation. Any suggestions?

  • 7 comments

  • Manager   •   about 5 years ago

    Hi,

    > connect to Genome Link through Amazon's Alexa app

    Cool.

    I guess using the `next` parameter for logging in to the `/oauth/authorize` page might lose the rest of the parameters. Normally, we generate the authorization URL as below:

    ```
    https://genomelink.io/oauth/authorize ...
    ```

    Instead of

    ```
    https://genomelink.io/login/?next=/oauth/authorize ...
    ```

    Hope this helps!

  •   •   about 5 years ago

    Hopefully not too late (deadline tomorrow!): in case Kensuke's advice didn't manage to fix it, my project was a guide for this exact problem. All my code is free (public domain) and I'd be delighted if you used it to help solve your issue :)

    https://devpost.com/software/genome-link-aws-lambda-demo-alexa-skill

  •   •   about 5 years ago

    @domdomegg I don't know if I can get it working in time, but I don't think this is a code error, since it works fine if I just use one of the test tokens like `GENOMELINKTEST001`. Perhaps it is something in the setup of my lambda with Amazon or some connection setting. I found your `README.md` helpful - I had not been using the right accessToken URI, but fixing that did not change anything. After clicking on "Account Linking" on the Alexa App, it does not go to the login page, but rather gives the error page:
    ```
    We were unable to link genomeMatch at this time.

    The authorization server returned with an error parameter. Please refer to https://tools.ietf.org/html/rfc6749#section-4.1.2.1 for more details.
    ```
    It might be something I overlooked. This is the first time I've tried to code a skill in Python instead of JavaScript, and the Node.js SDK might do some setup that I'm not aware of.

  •   •   about 5 years ago

    Looking at https://tools.ietf.org/html/rfc6749#section-4.1.2.1 some of the solutions to the errors are:

    unauthorized_client/access_denied:
    Make sure you specify the Redirect URIs in the GENOME LINK console, copy and paste them from the Amazon Developer portal.

    invalid_scope:
    Ensure you have the same scope set in both the GENOME LINK console and the Amazon Developer Console - make sure to include the `report:` part.

  •   •   about 5 years ago

    Oh, you also might be able to check AWS CloudWatch Logs to see if anything turned up there - I kind of doubt it but it can't hurt to at least check.

  •   •   about 5 years ago

    @domdomegg Thanks for the thoughts, Adam. I had already checked the CloudWatch logs and included the `report:` part in the scope, but your suggestion pushed me to check it again, and I found there was one extra entry in the scope on the Genome Link side. Removing that made it work! The only problem I have now is that my app needs to log in multiple times to get different tokens for different logins. I'm not sure how to programmatically force a logout, so the user has to do it manually. Anyway, thanks for the help!!

  •   •   about 5 years ago

    Glad I helped, I look forward to seeing your skill :)
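
An added example, not part of the original thread and not Genome Link's or Amazon's code: a Python sketch that decodes an authorization URL of the shape posted above (including the `/login/?next=` wrapper) and diffs its `redirect_uri` and `scope` against a client's registered settings, the two mismatches this thread ran into. The function names, the placeholder client ID and the sample scope lists are assumptions; only the two redirect URIs are taken from the posts.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

OAUTH_KEYS = {"client_id", "response_type", "state", "scope", "redirect_uri"}

def authorize_params(url):
    """Return (params, spilled): the /oauth/authorize parameters of `url`,
    unwrapping /login/?next=..., plus OAuth keys found outside `next`."""
    outer = parse_qs(urlsplit(url).query)
    spilled = set()
    if "next" in outer:
        # OAuth keys beside `next` mean the nested URL was not percent-encoded,
        # so everything after its first '&' is no longer part of `next`.
        spilled = OAUTH_KEYS & set(outer)
        outer = parse_qs(urlsplit(outer["next"][0]).query)
    return {k: v[0] for k, v in outer.items()}, spilled

def check_request(url, registered_redirects, registered_scopes):
    """Diff one authorization request against the client's registered settings."""
    params, spilled = authorize_params(url)
    requested = set(params.get("scope", "").split())
    registered = set(registered_scopes)
    return {
        # Exact string comparison: a different path or query string is a mismatch.
        "redirect_uri_registered": params.get("redirect_uri") in registered_redirects,
        "scopes_only_in_request": sorted(requested - registered),
        "scopes_only_registered": sorted(registered - requested),
        "params_outside_next": sorted(spilled),
    }

def login_url(response_type, redirect_uri, scopes):
    """Build a constructed /login/?next=... URL shaped like the ones in the thread."""
    inner = "/oauth/authorize?" + urlencode({
        "client_id": "CLIENT_ID_PLACEHOLDER", "response_type": response_type,
        "scope": " ".join(scopes), "redirect_uri": redirect_uri})
    return "https://genomelink.io/login/?" + urlencode({"next": inner})

# Constructed sample data; only the two redirect URIs are taken from the thread.
REGISTERED_REDIRECTS = ["https://pitangui.amazon.com/api/skill/link/M5EY97U4728AA"]
IMPLICIT_REDIRECT = ("https://pitangui.amazon.com/spa/skill/"
                     "account-linking-status.html?vendorId=M5EY97U4728AA")
REQUESTED = ["report:anger", "report:agreeableness"]
REGISTERED_SCOPES = REQUESTED + ["report:depression"]  # one extra entry (constructed)

if __name__ == "__main__":
    for grant, uri in (("code", REGISTERED_REDIRECTS[0]), ("token", IMPLICIT_REDIRECT)):
        url = login_url(grant, uri, REQUESTED)
        print(grant, check_request(url, REGISTERED_REDIRECTS, REGISTERED_SCOPES))
```
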
