I want users of my Next.js TypeScript app to grant it permission to manage their Alexa Lists.
I figured this would be possible with OAuth2.
I figured I’d need to create a button in my website that takes the user to an Amazon URL that allows the user to grant my website permission to manage their Alexa lists (and then generates a code that it includes in a GET request that happens as a redirect to a "callback" URL that I registered as the redirect_uri when setting up OAuth2 in Amazon).
I figured the button would be a link to a URL defined like
const url = `${oauth2BaseUrl}?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(redirectUrl)}&response_type=code&scope=${scope}`;
This is generally how OAuth2 works, in my experience.
But I’ve found Amazon’s docs incredibly unhelpful.
I see permissions / scopes mentioned here called alexa::household:lists:read and alexa::household:lists:write.
I’ve set up my API endpoint (which I’ll specify at redirectUrl) to exchange the Amazon authorization code for an Amazon access token following the code examples shown there.
I’ve set oauth2BaseUrl to be ‘https://www.amazon.com/ap/oa’ (found at https://developer.amazon.com/docs/login-with-amazon/authorization-code-grant.html).
For client ID, I’m using the one for my Alexa skill that I created. Is that correct?
I’m using Next-auth, but I’d be curious if there are any other libraries that could make any of this easier.
Here are permissions I’ve added in my Skill:
I always get:
400 Bad Request
An unknown scope was requested
But if I just use these different scopes instead, I see it behave how I’d expect (but I lack List permissions): alexa::skills:account_linking postal_code profile:user_id.
P.S. I also started setting up Login With Amazon, but I don’t understand why that would be necessary. I’m not looking to offer a federated login feature.
2 Answers
I got your ping from another thread. I haven’t used App-to-App account linking, so I don’t have a complete answer for you. But to my knowledge, alexa::household:lists:read and alexa::household:lists:write are skill permissions (not OAuth scopes). If enabled, the Alexa app would prompt for the user’s consent after the OAuth authentication flow.
For example, here is the basic account linking flow (not App-to-App account linking) with the Alexa app on Android:
So granting the Alexa lists permission is not part of the OAuth in the basic account linking flow.
As an experiment, I tried adding alexa::household:lists:read as a scope in my skill’s account linking configuration, and it broke account linking — Alexa app would display an error message instead of opening the LWA page. So I don’t think they are OAuth scopes. It would also explain why you were getting the 400 Bad Request -- An unknown scope was requested error.
As for your scenario, are you looking to implement App-to-App account linking with the Alexa app flow or the LWA fallback flow? If it’s the latter, I suspect this may not be a supported use case based on my observation above. I would suggest reaching out to Amazon developer support to confirm.
In the "Web Settings" tab of your new security profile, add your redirectUrl to the "Allowed Return URLs".
And update your OAuth2 request URL to include the correct client ID and requested scopes for Alexa Lists.
Next-auth does not directly support Alexa Lists API. Next-auth is an authentication library for Next.js, which simplifies adding authentication to your app. While it supports Login with Amazon, it does not provide built-in support for the Alexa Lists API.
You can use the amazon provider in Next-auth for Login with Amazon, but you would still need to handle Alexa Lists API calls yourself.
For the APP:
Create a component in your Next.js app to generate the OAuth URL and render the button:
Implement a Next.js API route to handle the callback from Amazon and exchange the authorization code for an access token:
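
The authorization code flow discussed on this page, as an added example that is not code from either answer or from Amazon: it builds the consent URL with an encoded scope list and a per-session `state` value, and validates the callback before any token exchange. The function names, the client ID and the redirect URL are assumptions supplied by the caller; the example scopes are only the ones the question reports as accepted.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Authorization endpoint quoted in the question.
const AUTHORIZE_URL = "https://www.amazon.com/ap/oa";

// Unguessable per-request value; save it in the user's session before redirecting.
function newState(): string {
  return randomBytes(32).toString("base64url");
}

// Build the consent URL. URLSearchParams percent-encodes every value,
// including the space-separated scope list.
function buildAuthorizeUrl(
  clientId: string, redirectUri: string, scopes: string[], state: string,
): string {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: scopes.join(" "),
    state,
  }).toString();
  return url.toString();
}

// Validate the redirect to redirect_uri. Returns the authorization code, or
// throws when state does not match the session value or the response is an error.
function readCallback(callbackUrl: string, expectedState: string): string {
  const q = new URL(callbackUrl).searchParams;
  const got = Buffer.from(q.get("state") ?? "");
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !timingSafeEqual(got, want)) {
    throw new Error("state mismatch: possible CSRF, discard this response");
  }
  const error = q.get("error");
  if (error) throw new Error(`authorization failed: ${error}`);
  const code = q.get("code");
  if (!code) throw new Error("callback carried no authorization code");
  return code;
}

// Form body for the code-for-token POST, sent server-side only so the client
// secret never reaches the browser; redirect_uri must equal the one used above.
function tokenRequestBody(
  code: string, clientId: string, clientSecret: string, redirectUri: string,
): string {
  return new URLSearchParams({
    grant_type: "authorization_code", code,
    client_id: clientId, client_secret: clientSecret, redirect_uri: redirectUri,
  }).toString();
}
```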