0

I am trying to create a skill that will reach out to an application that uses Basic authentication to render APIs (albeit i know this is bad practice). I was wanting to go down a route similar to account linking, however seems they enforce the usage of OAuth 2.0.

Is there an alternative to this or am I forced to use OAuth 2.0 in order to request APIs to a 3rd party application?

My wanted workflow:

  1. customer enables skill
  2. Skill card request for username/pw combo
  3. after setup, the skill can be utilized fully

Not sure if its helpful, but Im using Lambda to run my skill source code.

LostJon
  • 2,287
  • 11
  • 20

1 Answers1

0

That is a terrible practice.

First of all, what if your user's password includes case sensitive letters and numbers and possibly other characters?

You can use Literal Slots but they are not case sensitive and probably won't return a number-word combination either. For example your user's pass is Word123 literal slots may return word one two three https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/alexa-skills-kit-interaction-model-reference#literal-slot-type-reference

I am not sure if you can force user to spell his password's characters and so then you can try to detect the password though... Again this sounds like a terrible practice.

So as you mentioned: Users link their accounts using the Amazon Alexa app. Note that users must use the app. There is no support for establishing the link solely by voice

I guess you have to do the linking the way amazon requires

https://developer.amazon.com/blogs/post/Tx3CX1ETRZZ2NPC/alexa-account-linking-5-steps-to-seamlessly-link-your-alexa-skill-with-login-with-amazon

SpaceDust__
  • 4,844
  • 4
  • 43
  • 82
  • Thanks for the response...was wondering if someone would get to me on it! I agree that using voice to input username/pw is a bad idea...however, imagine i am trying to create a skill to fetch my internal bug system to a company. I could do the following: 1. enable skill 2. add creds and host at the time of skill enablement. 3. now skill can render APIs Im not here to discuss good/bad practices with API authentication...you likely know that companies (especially large) take forever to migrate their legacy apps to new technologies. – LostJon Jan 05 '17 at 18:29
  • So, the idea is almost creating an on premise support for alexa, so I (as an enterprise company) can issue skills that wrap APIs under the hood. Whats interesting is there is some support for Alexa w/ Basic Auth...hell, look at the ability to add Pandora or Spotify accounts. Same concept.. – LostJon Jan 05 '17 at 18:30
  • I didn't understand the last part, I am pretty sure spotify uses alexa app to link with spotify account, and also Spotify or pandora are launch partners with Alexa, they get to use special APIs such as audioplayer, that was not available for other developers earlier this year. – SpaceDust__ Jan 06 '17 at 16:05
  • It does use the app, but it comes preloaded with the Alexa app (not really available for general use). I would also need to specify a unique host per skill enablement. Spotify nor Pandora use the account linking methods provided by AWS. – LostJon Jan 06 '17 at 16:23