Authenticating Alexa Skills With OneLogin
Over the last six years, voice-based digital assistants have become a natural part of many households. I have three Amazon Echo devices of different sizes and ages.
For developers, Alexa skills offer a great opportunity to offer existing applications to new users via Alexa voice commands — or create new voice-oriented apps entirely. But you don’t want to make your Alexa skill available to just anyone. You might want to limit it to registered users. I had developed several useful skills in the past, but it wasn’t until very recently that I tried adding authentication to them.
You can use OneLogin with Alexa account linking to add authentication to your Alexa skills quickly and easily. In this article I will show how to create a simple Alexa skill using Java and add authentication using OneLogin OpenID Connect.
Before we begin, let’s go over what you’ll need to complete this tutorial.
First, you’ll need an OpenID Connect-enabled app from the OneLogin Developer Portal. Follow this guide to get an application created. You will need the following information for later, which can be found on the SSO tab of your application:
- Client ID
- Client Secret
- The Issuer URL (v2)
You’ll also need:
- Alexa Skills SDK for Java
- Familiarity with Alexa Skills and AWS Lambda functions
- Java 11 and Maven
Creating an Alexa skill
Before we talk about adding user authentication, we first need to build an Alexa User Skill. We will be doing this in Java.
Let’s start by creating a skill with a simple feature: “Who am I logged in as?” I feel it’s important to know the basics of getting the user’s information within the skill and what you can do with that information.
First, go to Alexa Developer Console and log in with an Amazon account. Once you have done this you will be taken to the “Ask” dashboard, which includes your skills, earnings, and payments.
Click Create Skill, and enter a skill name along with the default language. My values were “OneLogin Auth Demo” and “English (UK)”.
Next, choose a model for the skill. In this case we want “Custom” so that we can build our own interactions.
Finally, choose the method of hosting the skill. We are using Java, which is not listed, so select Provision your own.
On the next screen, you will be asked to select a template. Choose Hello World, then click Create. You are then taken to the Skills page, which looks something like this:
Click Invocation Name in the Skill builder checklist, then enter an invocation name.
With an invocation name set, click Interaction Model from the left-hand menu and select JSON Editor. The zip file that accompanies this tutorial contains a directory called “model.” Paste the JSON file from that directory into the editor, or upload it through drag and drop.
What is the Interaction Model and what is it for? It defines how end users interact with your Alexa skill. The file provided adds two intents beyond the usual Alexa skill defaults: LoggedIn and WhoAmI.
Build the skill package
You can build the skill package in just a few steps.
Extract the zip file included with this tutorial and go to OneLoginUserStreamHandler.java. Uncomment the following line and add your skill ID:
Go to the root directory of the package and run the following command:
mvn org.apache.maven.plugins:maven-assembly-plugin:2.6:assembly -DdescriptorId=jar-with-dependencies package
In the target directory you will find a file called “oneLoginUser-1.0-jar-with-dependencies.jar” which we will need in the next section when it comes to hosting our skill.
Host the Skill
We now want to host our skill, and we will do so as an AWS Lambda function. Log in to your AWS console (or create an account if you haven’t done so before). Search for “Lambda” and go to the Lambda Function dashboard.
Create a new function using Java 11 as the hosting environment and pick a name suitable for the skill you’re creating.
Upload the .jar file we created in the previous section. We have supplied the code used for this function since we are concentrating on getting authentication into an Alexa Skill using OneLogin.
Copy the ARN shown at the top of your Lambda function.
Add Alexa Skills Kit as a trigger for your Lambda function.
Back on the Alexa Skills Console, click Endpoint on the left-hand menu. Paste the ARN into the Default Region field, and copy the Skill ID. You’ll need to put it in the trigger of the lambda.
Once you have done this, your skill will be linked to your Lambda function.
Adding Authentication to the Alexa Skill
On the Alexa Developer Console in your skill, click Models on the left-hand menu, then click Account Linking.
In the Account Linking section we fill in the following basics:
Under Security Provider Information, select Auth Code Grant. This was selected by default for me. Fill in the following information:
- Your Web Authorization URI - This is your Issuer v2 URL with the suffix /auth.
- Access Token URI - Your Issuer v2 URL with the suffix /token.
- Your Client ID - The Client ID of your OneLogin Application.
- Your Secret - The Client Secret we copied from your OneLogin Application.
- Authentication Scheme - Select HTTP Basic from the list of available options
- Scopes - The scopes I used for this skill are in the screenshot above, however these are:
- Domain List - This is your OneLogin domain. Do not include https://. For example,
You may have added extra scopes into your application, and there may be extra scopes supported. To see the supported scopes for your application, load your Issuer v2 URL with /.well-known/openid-configuration as a suffix. This will show you the OpenID Configuration JSON, which includes the ‘scopes_supported’ value.
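A pre-flight check for the values entered above, as an added example that is not part of the tutorial's code: it compares the /auth and /token URIs, the HTTP Basic choice and the requested scopes with a discovery document. The issuer, scopes and document are constructed samples, and jackson-databind is assumed to be on the classpath.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.ArrayList;
import java.util.List;

// Added example: class name, issuer, scopes and discovery document are constructed.
public class AccountLinkingPreflight {
    static boolean has(JsonNode array, String value) {
        for (JsonNode n : array) if (value.equals(n.asText())) return true;
        return false;
    }

    // Returns every mismatch between the Account Linking form values and the discovery document.
    static List<String> check(String discoveryJson, String issuer, List<String> scopes) throws Exception {
        JsonNode doc = new ObjectMapper().readTree(discoveryJson);
        List<String> problems = new ArrayList<>();
        if (!issuer.startsWith("https://")) problems.add("issuer is not https");
        if (!issuer.equals(doc.path("issuer").asText())) problems.add("issuer mismatch");
        if (!(issuer + "/auth").equals(doc.path("authorization_endpoint").asText()))
            problems.add("Web Authorization URI differs from authorization_endpoint");
        if (!(issuer + "/token").equals(doc.path("token_endpoint").asText()))
            problems.add("Access Token URI differs from token_endpoint");
        // "HTTP Basic" in the Alexa form is client_secret_basic in OIDC discovery terms.
        if (!has(doc.path("token_endpoint_auth_methods_supported"), "client_secret_basic"))
            problems.add("token endpoint does not advertise client_secret_basic");
        for (String s : scopes)
            if (!has(doc.path("scopes_supported"), s)) problems.add("unsupported scope: " + s);
        return problems;
    }

    public static void main(String[] args) throws Exception {
        String issuer = "https://example.onelogin.com/oidc/2"; // constructed placeholder
        String doc = "{\"issuer\":\"" + issuer + "\","
                + "\"authorization_endpoint\":\"" + issuer + "/auth\","
                + "\"token_endpoint\":\"" + issuer + "/token\","
                + "\"token_endpoint_auth_methods_supported\":[\"client_secret_basic\"],"
                + "\"scopes_supported\":[\"openid\",\"profile\"]}";
        System.out.println(check(doc, issuer, List.of("openid", "profile", "groups")));
    }
}
```

In this sample the third requested scope is absent from scopes_supported, so the returned list contains one entry for it.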
Once you’ve filled in the information, click Save.
At the bottom of this Account Linking page you will find Alexa Redirect URLs. Copy these URLs.
At the start of the article we mentioned that you will need to have created an application in the OneLogin Developer Portal. We now need to go back to that application to configure the link between your Alexa Skill and the application you created.
Open the Configuration tab and add the URLs into the Redirect URIs textbox, one per line, and save.
We’re almost finished. I’m going to go through testing the skill, how we know our skill works, how the user is accessed within the Skill, and what you need from the Alexa Skills SDK to get the information made available by your authentication.
The first step is testing. In the Alexa Developer Console, the skill you want to test has a Test tab where you can try it out. If you have an Amazon Echo and it is signed in with the same account as your Alexa Developer account, the skill is automatically installed on your own devices.
Getting an access token
Take a look at the LoggedInIntentHandler.java file, which can be found in the source under the /src/com/slevinth/oneLoginUser/Handlers directory. There you will find the following segment of code. This will give you the access token of the logged-in user. If the access token is null, the user of the skill is not currently logged in.
String accessToken = input
        .getRequestEnvelope()
        .getContext()
        .getSystem()
        .getUser()
        .getAccessToken();
To get the user profile of the user, we make a call to the Amazon API:
String url = "https://api.amazon.com/user/profile?access_token=" + accessToken;
It gives us the user’s profile, as long as we have the profile scope selected in the Account Linking section of the Alexa Skill.
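The token handling described above, as an added example that is not the code from the tutorial's zip file: the handler sends a link-account card when no token is present and passes the token in an Authorization header instead of the query string. The class name, spoken text and exact intent name are assumptions; the profile URL is the one shown above.

```java
import com.amazon.ask.dispatcher.request.handler.HandlerInput;
import com.amazon.ask.dispatcher.request.handler.RequestHandler;
import com.amazon.ask.model.Response;
import com.amazon.ask.request.Predicates;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.Optional;

// Added example: the class name, intent name and spoken text are assumptions.
public class LinkedProfileHandler implements RequestHandler {
    // Profile endpoint from this page, called without the token in the query string.
    private static final URI PROFILE_URI = URI.create("https://api.amazon.com/user/profile");
    private static final HttpClient HTTP = HttpClient.newHttpClient();
    @Override
    public boolean canHandle(HandlerInput input) {
        return input.matches(Predicates.intentName("WhoAmI"));
    }

    @Override
    public Optional<Response> handle(HandlerInput input) {
        String accessToken = input.getRequestEnvelope().getContext()
                .getSystem().getUser().getAccessToken();
        if (accessToken == null || accessToken.isBlank()) {
            // Not linked yet: send the link-account card instead of failing.
            return relink(input, "Please link your account in the Alexa app.");
        }
        // A bearer header keeps the token out of URLs, which tend to end up in logs.
        HttpRequest request = HttpRequest.newBuilder(PROFILE_URI)
                .header("Authorization", "Bearer " + accessToken)
                .timeout(Duration.ofSeconds(3)).GET().build();
        try {
            HttpResponse<String> reply = HTTP.send(request, HttpResponse.BodyHandlers.ofString());
            if (reply.statusCode() != 200) { // expired or rejected token: re-link, never echo it
                return relink(input, "Please link your account again.");
            }
            return input.getResponseBuilder().withSpeech("You are signed in.").build();
        } catch (IOException | InterruptedException e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            return input.getResponseBuilder().withSpeech("The profile service is unavailable.").build();
        }
    }
    private static Optional<Response> relink(HandlerInput input, String speech) {
        return input.getResponseBuilder().withSpeech(speech).withLinkAccountCard().build();
    }
}
```

Neither the token nor the response body is logged or spoken back, so nothing sensitive reaches the Lambda logs or the device.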
As we’ve seen, it’s easy to create an Alexa skill in Java and then add OneLogin authentication to it using Alexa account linking.
You’re not limited to using Java. AWS offers easy-to-use SDKs to create Alexa skills using Python and Node.js, but with a little extra work you can create an Alexa skill in nearly any programming language.
And no matter what language you use to create your Alexa skill, you can use OneLogin to authenticate your users!