We can personalize Alexa Skills by accessing our own APIs or the APIs of third parties from within our Alexa Skill. This makes the customer’s data available in our Skill. For example, if we create a music Skill that can access the user’s Spotify playlists and preferred music, the user will feel at home, as if the Skill had been created personally for him or her. To realize such a personalized experience, we explore the Alexa Account Linking feature with OAuth, using Spotify as the example.
Let’s work with an Alexa Skill that needs access to Spotify playlists. The Alexa Skill has the role of an API client accessing the Spotify API. Spotify is the API provider; it provides the playlist data via API and protects the API with OAuth. The OAuth framework is a standardized, commonly used protocol for delegating access rights on the web and in web applications. Time spent learning more about the OAuth protocol is time well invested.
When an API is protected with OAuth, this means that a valid OAuth access token is required to access the API. In our example, this means that the Alexa Skill needs a valid OAuth access token from Spotify if it wants to access the playlist API. How does it get such a token?
According to the OAuth protocol, the end-user (the Alexa user) first has to authenticate with Spotify, then the client (the Alexa Skill) has to authenticate with Spotify, and if all checks are positive, Spotify may hand out the OAuth access token. This OAuth access token, created by Spotify, is stored in the user context of the Alexa Skill. It allows the Skill to make calls against the Spotify Playlist API on behalf of the end-user, without the end-user having to authenticate against Spotify on each API access.
In more technical terms, account linking in Alexa means that an Alexa Skill becomes an OAuth client. This OAuth client can request, hold and use an OAuth token, interacting with the OAuth server according to the standardized OAuth protocol. In the following, we will walk through the steps necessary to get an OAuth token and thus create linked accounts.
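What the Skill service does with the stored token once accounts are linked, sketched as an added example that is not code from this series: it reads the token from the request's user context (`context.System.user.accessToken`), sends it as a Bearer token to Spotify's `GET /v1/me/playlists`, and falls back to a `LinkAccount` card when the token is missing or rejected. The `http_get` transport, the fake Spotify server, the token values and the playlist names are assumptions constructed for illustration.

```python
import json

# Spotify Web API endpoint for the current user's playlists.
SPOTIFY_PLAYLISTS_URL = "https://api.spotify.com/v1/me/playlists"

def alexa_response(text, link_account=False):
    """Build a minimal Alexa response; optionally attach a LinkAccount card."""
    response = {"outputSpeech": {"type": "PlainText", "text": text},
                "shouldEndSession": True}
    if link_account:
        # The LinkAccount card sends the user to the OAuth login in the Alexa app.
        response["card"] = {"type": "LinkAccount"}
    return {"version": "1.0", "response": response}

def handle_playlist_request(envelope, http_get):
    """http_get(url, headers) -> (status, body) is a hypothetical injected transport."""
    user = envelope.get("context", {}).get("System", {}).get("user", {})
    token = user.get("accessToken")
    if not token:
        # Accounts not linked yet: no token is stored in the user context.
        return alexa_response("Please link your Spotify account.", link_account=True)
    # Send the token in the Authorization header only; never log it or put it in a URL.
    status, body = http_get(SPOTIFY_PLAYLISTS_URL, {"Authorization": "Bearer " + token})
    if status == 401:
        # Token expired or revoked: ask the user to link again.
        return alexa_response("Please link your Spotify account again.", link_account=True)
    if status != 200:
        return alexa_response("Spotify is not available right now.")
    names = [item["name"] for item in json.loads(body).get("items", [])]
    return alexa_response("Your playlists are: " + ", ".join(names) + ".")

def fake_spotify(valid_token):
    """Constructed stand-in for Spotify so the example runs offline."""
    def http_get(url, headers):
        if headers.get("Authorization") != "Bearer " + valid_token:
            return 401, json.dumps({"error": {"status": 401}})
        return 200, json.dumps({"items": [{"name": "Road Trip"}, {"name": "Focus"}]})
    return http_get

def envelope_with(token=None):
    """Constructed Alexa request envelope (only the fields used here)."""
    user = {"userId": "constructed-user-id"}
    if token:
        user["accessToken"] = token
    return {"version": "1.0", "context": {"System": {"user": user}}}

if __name__ == "__main__":
    spotify = fake_spotify("constructed-token")
    for tok in ("constructed-token", None, "stale-token"):
        print(json.dumps(handle_playlist_request(envelope_with(tok), spotify)))
```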
There will be a series of posts on this topic:
- Part 0: Introduction to Account Linking via OAuth
- Part 1: Registration with OAuth Provider
- Part 2: Account Linking Configuration on Skill Interface
- Part 3: Skill Service: Get Access Token
- Part 4: Call Protected API from Skill Service
In my new book “Making Money with Alexa Skills – A Developer’s Guide” I describe not only how to develop, but also how to monetize Alexa Skills. Account linking is one of the possibilities for personalizing a Skill and making it unique – more practical approaches for personalizing Skills are described in the book. In this book, I explain in detail how to make Alexa Account Linking with OAuth and Spotify work.
In the OAuth 2.0 book, you can find a simple and understandable explanation of all the standard OAuth Flows (such as those supported by Alexa). What makes this book unique is that complicated OAuth interactions are visualized as easy-to-understand sequence diagrams.
Also published on Medium.