Bringing this bug to the community to see if there’s a workaround: auth0-angular/issues/666 (can’t post the full link so will have to be looked up)
Summary: To integrate Auth0 with Alexa, I need to make an authorization request to get a token to call my API with. I have to use my com.abc.abcapp url as the redirect_url in order to get Auth0 to properly send me back to the app (i.e. trigger an “appUrlOpen” event in Ionic Capacitor). Once I have the token from Auth0, I call Amazon to get a token from them.
Amazon does not allow com.abc.abcapp formatted redirect urls so I use my https universal app link with them. I get the token from them.
Then I pass both tokens to the Amazon skill linking API. Amazon uses the Auth0 token to call Auth0 and also passes Auth0 the redirect uri I used (of https format).
That results in an auth0 log error of:
The redirect URI is wrong. You sent https, and we expected com.abc.abcapp
(trimmed out the example link because I can’t add it to a post…)
Since Auth0 doesn’t behave as expected with https universal links and Amazon doesn’t allow com.abc.abcapp links, there seems to be no way to get the proper tokens in an app from Auth0 to link Alexa…
1 Like
I should clarify that the first request to Auth0 is to get a token with the right audience and scopes to call an API.
Bump. Would pay someone to help with a workaround as the alternative is going to be to rip Auth0 out.
Hi @williamneely2888
Thank you for posting your question on the community and I am sorry about the late reply to your inquiry!
Unfortunately, as mentioned in this knowledge article, Auth0 does not support any non-standard app-to-app linking flow similar to the one for Alexa. As the article mentioned, you can try the following:
Perhaps you might use the standard prompt=none as explained in Configure Silent Authentication and specify code as the response type. However, that implies that your app launches a browser (and that browser must have a valid SSO session so that the user does not have to authenticate again) and that will likely break the native experience of the App-to-App scenario.
Otherwise, there is an item in our backlog regarding being able to return an authorization code natively within the application without using a browser, however there is no ETA on this feature at this time. I would advise to submit a post on our Feedback page regarding this to bring more attention to it!
If you have any other questions, feel free to leave a reply!
Kind Regards,
Nik
The prompt=none approach is what I am taking. Unfortunately, prompt=none with an https redirect redirects within the browser that is opened - even though the https redirect is an app link that should return to the app. The in-app browser method works with Alexa’s linking flow so I’m not sure what Auth0 is doing differently. Is there a way to turn off validation of the redirect_url so that I can use com.app.app notation for auth0 and https for alexa?
Or is this to say that there are no companies linking Alexa using Auth0?
Also just wondering if this is fairly common? The concern is that we want to integrate with a lot of different tools and we ran into this issue on the first integration. Was that just unlucky or?
Hi again!
When using silent authentication, you should be able to integrate Alexa with your application even through we do not directly support any non-standart app-to-app integrations..
You can review the documentation from Amazon regarding integrating Alexa.
Otherwise, do you have both the com.abc.abcapp and the https universal app link inside the list of Allowed Callback URLs inside the Dashboard? Also, make sure that your application’s redirect_uri also points to the correct URL specified in the Allowed Callback URLs. You can read more about that in our documentation.
Also, the validation for the redirect_uri cannot be disabled. As mentioned above, the integration is possible however it cannot be done through non-standart app-to-app integrations that Auth0 does not support, but by using workaround like Silent Authentication in the case of Alexa, they are possible.
If you have any other questions or updated on the matter, let me know!
Kind Regards,
Nik
For anyone stumbling on this issue - if you use window.location.href instead of Browser.open to call your /authorize endpoint (with prompt=none) with an https redirect_uri that should open the app, this will properly return you to the app.
I still consider this a bug in how Auth0 is handling the redirect since Amazon does not have this issue. But without knowing how Amazon internally handles the redirect vs. Auth0, I can’t pinpoint why they behave differently.