OAUTH access for Amazon Alexa Skill

Hi. Having a good experience with Garadget. No problems at all with installation or use. Nice.

I’ve coded an Alexa Skill for Garadget that works with a hard coded deviceId and access_key and now I want to link to the user accounts and extract these values by using OAUTH so the skill can be used by others. This is where the problem is.

Authentication through api.particle.io/oauth/authorize works for my dev account on particle but doesn’t authenticate my garadget login. Even outside of Alexa, using curl and following OAUTH for particle cloud, my garadget login won’t authenticate. Should it? What am I missing here?

I followed the process here to test authentication (again authenticates my dev account but not my garadget login which fails at step 2):
https://medium.com/bright-contrast/5-easy-steps-to-three-legged-oauth-in-the-particle-cloud-1f966c6bc7e2#.xqoyeqs6f

OK, my best guess is that I need to have the Garadget Team grant my application access via client authentication on the Garadget Particle account. Is that correct? Is that possible?

Thanks for your effort!
Yes, it takes a scoped auth token. I’ll get you one later today.

Per Particle documentation:

Creating OAuth client can still be done directly against the Particle API. For info on this, see reference documentation on creating OAuth clients.

This is how Garadget’s web app authenticates accounts. The downside of this is that if there is a generic particle account with the same email address, this creates ambiguity, which is what you probably experience with yours.

I’m still going to send you the narrowly scoped auth token so it can be used for logins to Garadget specific accounts.

Looked into it some more. Please check out this doc. Product id slug for Garadget is garadget-v13. Please let me know if this doesn’t work or if you need any other assistance.

Thanks for the quick reply, I really appreciate your help.

I should give you a bit of background.

When a new skill is enabled by an Echo owner, the skill, if necessary, may request “account linking” for access to the user’s cloud account.

When the user selects the “Link Account” button they will be redirected to, in our case, the Particle login page for OAUTH. They log in to the page, click OK to accept account linking and are returned to the Amazon Alexa site. I’m sure you’re familiar with this process when linking to Facebook from 3rd party sites and things like that.

I can recreate the process by the following procedure.

Send the following curl command to register the application and get the client_id and secret. (This is only done once and the resulting client-id and secret are entered into the Alexa Skill configuration page.) Note: you can also create a client-id and secret from within the particle IDE using the fingerprint icon.

**Step 1:**

- SKILL-NAME: this is the name presented to the user on the login page, e.g. "Linking to SKILL-NAME".
- URI: the URI to redirect to after authentication (must be https). For testing just use https://google.com
- TOKEN: access token value taken from the build.particle.io IDE->Settings page.

```
curl -d name=SKILL-NAME -d redirect_uri=URI -d type=web -d access_token=TOKEN https://api.particle.io/v1/clients
```

This will return JSON:

```
{
  "ok": true,
  "client": {
    "name": "SKILL-NAME",
    "type": "web",
    "secret": "SECRET",
    "redirect_uri": "URI",
    "id": "CLIENT-ID"
  }
}
```

If successful you have now registered your application for 3 leg OAUTH.

Using the CLIENT-ID we can now begin the authentication of a user so enter the following into your browser:

**Step 2.**

- CLIENT-ID: from above.
- STATE: this is a unique value generated by me which will be sent back from Particle Cloud to prevent a CSRF attack (any value will work).

https://api.particle.io/oauth/authorize?client_id=CLIENT-ID&response_type=code&state=STATE

You should see the Particle Cloud OAUTH login page and after authentication be given the option to link to your application.

The problem I see is that I cannot log into Particle Cloud with my Garadget credentials in the browser at step 2. Other credentials (different emails) log in OK and redirect. I've changed my Garadget user:pass and it still won't authenticate. The Particle Cloud OAUTH login page refuses to accept the Garadget login user:pass.

Since the only parameter that can affect the process is the TOKEN from step 1, I suspect that may be something you have to provide me with to allow authentication of your users. But I can't find any documentation to confirm which account supplies this value, your account or my account. Possibly it has the access level you allow me to have to your customers' data and is generated by you.

Could I ask you to please try the steps above with your account TOKEN and confirm that this login process works for you or not?

Thanks again.
Chris.
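
The step 2 URL and the STATE check described in the post above, as an added example that is not part of the original thread: it builds the authorize URL with an unpredictable state and validates the redirect back before accepting the code. The `code`, `state` and `error` query parameters are the standard OAuth 2.0 ones; the redirect URI and sample code value are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://api.particle.io/oauth/authorize"  # endpoint from the post


def new_state() -> str:
    """Unpredictable per-login value; keep it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, state: str) -> str:
    """Step 2 URL with every parameter URL-encoded."""
    query = urlencode({"client_id": client_id, "response_type": "code", "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def handle_redirect(redirect_url: str, registered_uri: str, expected_state: str) -> str:
    """Check the browser's return to redirect_uri and return the authorization code."""
    got, want = urlsplit(redirect_url), urlsplit(registered_uri)
    if got.scheme != "https" or (got.netloc, got.path) != (want.netloc, want.path):
        raise ValueError("redirect does not match the registered https redirect_uri")
    params = parse_qs(got.query)
    states = params.get("state", [])
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    if len(states) != 1 or not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard the response")
    if "error" in params:
        raise ValueError(f"authorization refused: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing or repeated authorization code")
    return codes[0]


if __name__ == "__main__":
    # Constructed values: the client id is the post's placeholder, the redirect URI is made up.
    registered = "https://example.com/alexa/callback"
    state = new_state()
    print(build_authorize_url("CLIENT-ID", state))
    print(handle_redirect(f"{registered}?code=SAMPLE-CODE&state={state}", registered, state))
    try:
        handle_redirect(f"{registered}?code=SAMPLE-CODE&state=guessed", registered, state)
    except ValueError as exc:
        print("rejected:", exc)
```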

I tested the following URL:

https://api.particle.io/oauth/authorize?client_id=garadget-alexa-1884&response_type=code&state=test

Where garadget-alexa-1884 is a valid client ID of type web, but the form doesn’t work right: no error message, just an empty message box. I’m looking further into this.

I suspect the implementation of this involves hosting a form on garadget.com making a server side request to particle API. I’ll be digging deeper into this to figure it out.

Thanks for confirming the problem and eliminating the token as the cause.

I’ve just seen your post on Particle Community and your description of the problem is exactly the way I see it.

Unfortunately, with Alexa there are no options for account authentication other than linking, so I hope they come back with a practical solution.

Thanks again for your help and I’m glad I chose Garadget.

Garadget has done a great job and I now can authenticate and link accounts to my Alexa skill.
This means that Alexa will be able to access your Garadget controller with your account details.

Still a bit of work to do but a major technical problem is now fixed.


Hope you had a great Christmas. I’m still recovering.

Making some good progress with the Alexa skill. Implementing a usable voice interface for multiple doors has proven problematic; however, it looks like most of the technical problems are behind me.

Hoping to be in beta in maybe 2 weeks.

I was thinking of a solution for the open door security issue. It’s a bit clunky but would work with minimal effort. To enable a door to open via Alexa the user would have to append something to the door name in garadget settings. The Task would look for the appended word/character in the device name and allow open commands.
By default all doors are disabled; if the user asks to open, Alexa would prompt them to change the device name and warn about security issues.

Again, it’s not pretty but it would work. OK with you?

We had a good Christmas, and the New Year’s party is still ahead. This doesn’t help with focus, but I’m trying to get things done here and there.

Re. multiple doors: I understand that in case of multiple doors each will have to be identified by name. Right? For a single door setup though, it’s preferable to not have to identify the door.

Re. security: we can do a naming convention approach as you described in the short run, but for the final version I’d prefer a separate configuration parameter. I can add one to the device or we can look into capabilities of echo’s server component.

I’m lighting up the barbecue for New Year. It’s stinking hot here at the moment. We’re hoping it cools down a bit before then.

Re. multi doors.
Yes, the skill will ignore door names for a single door account. For multi door accounts Alexa can tell you the door names and respond to open/close/isopen/isclosed/hardware status with the door names or “all”. Multi door accounts will need to have appropriate (pronounceable and unique) names.

Re Security.
My preference would be that when the skill checks the doorStatus the JSON would contain an enable Boolean. That would be the cleanest for me. However, I understand that may not work for you. I’m happy to look at it after beta release.


I have no Garadget skill listed on Echo?

@lds9525, please see this post for current status of the Echo skill.