简体繁体 English

账号关联azure AD后如何从alexa获取accesstoken

[英]How to get the accesstoken from alexa after account linking with azure AD

原文 2018-04-24 09:27:18 1 2 amazon-web-services/ azure/ token/ azure-active-directory/ alexa

I tried to connect my Alexa AWS Lambda function (node.js 6.10) with Azure Activ Directory to my Azure-Cloud-API.我尝试将我的 Alexa AWS Lambda 函数（node.js 6.10）与 Azure Activ Directory 连接到我的 Azure-Cloud-API。 After reading the documentation from amazon and many tutorials I have now a working Account Linking.在阅读了亚马逊的文档和许多教程后，我现在有了一个有效的帐户链接。 That means, I can link the Account of the Skill inside the Alexa-App on my smartphone.这意味着，我可以在智能手机上的 Alexa 应用程序中链接技能帐户。

AccountLinking for my Custom Skill: {Data from my azure portal}我的自定义技能的 AccountLinking：{来自我的 azure 门户的数据}

Authorization Grant Type: Auth Code Grant授权授权类型：授权码授权
Authorization URI: {OAUTH 2.0 AUTHORIZATION ENDPOINT}授权 URI：{OAUTH 2.0 AUTHORIZATION ENDPOINT}
Access Token URI: {OAUTH 2.0 TOKEN ENDPOINT}访问令牌 URI：{OAUTH 2.0 TOKEN ENDPOINT}
Client ID: b9c6[...]bc60 {Application ID}客户端 ID：b9c6[...]bc60 {应用程序 ID}
Client Secret: {Client Secret}客户端密码：{客户端密码}
Client Authentication Scheme: Credentials in request body客户端身份验证方案：请求正文中的凭据
scope: openid范围：openid
domain: empty域：空
redirect urls: --> In Azure portal as ALLOWED TOKEN AUDIENCES and Reply URLs defined重定向 URL：--> 在 Azure 门户中定义为 ALLOWED TOKEN AUDIENCES 和 Reply URLs

In my aws lambda function I get the event request from alexa like the documentation says with properties for version, session, context, request...在我的 aws lambda 函数中，我从 alexa 获取事件请求，就像文档所说的一样，其中包含版本、会话、上下文、请求的属性...

My understanding of the documentation is, that the token I need for the Azure-Cloud-API-Request should be here: session.user.accessToken But this token doesn't look like the one I need and after my test runs I get always "Unauthorized" back.我对文档的理解是，Azure-Cloud-API-Request 我需要的令牌应该在这里： session.user.accessToken 但是这个令牌看起来不像我需要的，在我的测试运行后我总是得到“未经授权”回来。 The Token looks something like this and is 1252 characters long:令牌看起来像这样，长度为 1252 个字符：

AQABAAAAAADX8GCi6Js6SK82TsD2Pb7rqGN56iHT_YSxlSr1RAdXucGs0S3ykOaw0XZ1WnjJotqZAn9BH7agRbP0VQv2rnJuRw_aJil7 [...] JIEO2Ap4wuG-tTwiSmZBfbLhyYtwQmxLAkqiLApqFmBYcyu-dnzlVV4liDGyTQ7gAXufd3zt7QGmi3UfP1aL9f5NBeXbmxnU6FHRzF10QZa19pTQgNTtIK8oIAA AQABAAAAAADX8GCi6Js6SK82TsD2Pb7rqGN56iHT_YSxlSr1RAdXucGs0S3ykOaw0XZ1WnjJotqZAn9BH7agRbP0VQv2rnJuRw_aJil7 [...] JIEO2Ap4wuG-tTwiSmZBfbLhyYtwQmxLAkqiLApqFmBYcyu-dnzlVV4liDGyTQ7gAXufd3zt7QGmi3UfP1aL9f5NBeXbmxnU6FHRzF10QZa19pTQgNTtIK8oIAA

If I configure postman and send a request to the azure activ directory I get a accessToken like this (1168 characters long):如果我配置 postman 并向 azure activ 目录发送请求，我会得到一个这样的 accessToken（1168 个字符长）：

eyJ0eXAiOiJKV1QiLCJhbGc [...] Ezbk5aY2VEYyJ9.eyJhdWQiOiJodHRwczovL21ldGVvcmEtYXBwLmF [...] kY5MWVUUXdBQSIsInZlciI6IjEuMCJ9.KJco47-FdJ_eeqv38LL [...] YK_4JqCRDw eyJ0eXAiOiJKV1QiLCJhbGc [...] Ezbk5aY2VEYyJ9.eyJhdWQiOiJodHRwczovL21ldGVvcmEtYXBwLmF [...] ky5MWVUUXdBQSIsInZlciI6IjEuJL4QD...

This one looks like a jwt-token and if I copy this token directly in my aws lambda function and use this one for the Azure-Cloud-API-Request it works (until the token expires).这个看起来像一个 jwt-token，如果我直接在我的 aws lambda 函数中复制这个令牌并将这个用于 Azure-Cloud-API-Request 它可以工作（直到令牌过期）。

Now I'm not sure if there is a problem in my configuration of the account linking?现在我不确定我的帐户链接配置是否有问题？ Or do I have to do something with the token from alexa to get the real one?或者我必须对 alexa 的令牌做些什么才能得到真正的令牌？ Or is the real token somewhere else and I have to fetch it there?或者真正的代币在其他地方，我必须到那里去拿？

Thanks a lot for your help!非常感谢您的帮助！

Amazon Documentation "Alexa Skills Kit":亚马逊文档“Alexa Skills Kit”：

https://developer.amazon.com/docs/custom-skills/link-an-alexa-user-with-a-user-in-your-system.html https://developer.amazon.com/docs/custom-skills/link-an-alexa-user-with-a-user-in-your-system.html

EDIT (Solution) 11.06.2018编辑（解决方案）11.06.2018

Authorization Grant Type: Auth Code Grant授权授权类型：授权码授权
Authorization URI: {OAUTH 2.0 AUTHORIZATION ENDPOINT} + ?resource= + {Application ID}授权 URI：{OAUTH 2.0 AUTHORIZATION ENDPOINT} + ?resource= + {Application ID}
Access Token URI: {OAUTH 2.0 TOKEN ENDPOINT}访问令牌 URI：{OAUTH 2.0 TOKEN ENDPOINT}
Client ID: b9c6[...]bc60 {Application ID}客户端 ID：b9c6[...]bc60 {应用程序 ID}
Client Secret: {Client Secret} App>Settings>Keys new Key with expiration date = 2 years客户端密钥：{Client Secret} App>Settings>Keys new Key，有效期为 2 年
Client Authentication Scheme: Credentials in request body客户端身份验证方案：请求正文中的凭据
scope: empty范围：空
domain: empty域：空
redirect urls: --> In Azure portal as ALLOWED TOKEN AUDIENCES and Reply URLs defined重定向 URL：--> 在 Azure 门户中定义为 ALLOWED TOKEN AUDIENCES 和 Reply URLs

2 个解决方案

It sounds like you haven't completed the account linking sequence for your skill.听起来您尚未完成技能的帐户关联序列。 After setting the account linking configuration you need to open the Alexa app (on your phone or https://alexa.amazon.com ) and go to your new skill and link your account.设置帐户链接配置后，您需要打开 Alexa 应用程序（在您的手机或https://alexa.amazon.com 上）并转到您的新技能并链接您的帐户。 Once that is successful you will get a token in request.Session.User.AccessToken .一旦成功，您将在request.Session.User.AccessToken获得一个令牌。

The blog post: https://blogs.msdn.microsoft.com/premier_developer/2017/12/09/amazon-alexa-skills-authenticated-by-azure-active-directory-and-backed-by-asp-net-core-2-0-web-api-hosted-on-azure/ needs to be updated with the following:博文： https : //blogs.msdn.microsoft.com/premier_developer/2017/12/09/amazon-alexa-skills-authenticated-by-azure-active-directory-and-backed-by-asp-net- core-2-0-web-api-hosted-on-azure/需要更新如下：

You can ignore the sections about the "front end" app registration.您可以忽略有关“前端”应用程序注册的部分。
In Alexa account linking section update URLs to use login.microsoftonline.com instead of login.windows.net在 Alexa 帐户链接部分更新 URL 以使用 login.microsoftonline.com 而不是 login.windows.net
ClientId to be the Application Id of the "back end" app registration ClientId 是“后端”应用注册的应用 ID
The ?resource= has to be set and has to be the same as the audience parameter for the JWT bearer options. ?resource=必须设置，并且必须与 JWT 承载选项的受众参数相同。 This is ClientId if you use the .Net Core 2.0 template in Visual Studio.如果您在 Visual Studio 中使用 .Net Core 2.0 模板，则这是 ClientId。
The client secret (key) that is used can not be one that "Never Expires".使用的客户端密钥（密钥）不能是“永不过期”的密钥。 Use a 1 or 2 year duration.使用 1 年或 2 年的持续时间。

In addition to Nate's answer and following the addition of ?resource= to the Authorisation URI, I had to give the API permission Azure Active Directory Graph > User.Read on the App Registration and Grant Admin Consent to it.除了Nate 的回答并在将?resource=到授权 URI 之后，我还必须在应用注册上Grant Admin Consent API 权限Azure Active Directory Graph > User.Read并Grant Admin Consent 。

Without this permission, the account linking would throw an error.如果没有此权限，帐户链接将引发错误。 If you have similar issues, try your OAuth values with Postman and check the Postman Console for error messages如果您遇到类似问题，请使用 Postman 尝试您的 OAuth 值并检查 Postman Console 以获取错误消息