I am working on a skill where i want to link the skill to a 3rd party api. The issue is the 3p server does not have Oath enabled and works off on username/password authentication.
I wanted to understand what are my options here. Can i create a middleware which works on oath authentication and then calls the api via username/password?
Any pointers on this would be great to help me move forward.
Amazon's account linking system is made mainly for services with OAuth 2 authentication, or no authentication at all. It doesn't support services that require authentication that cannot support the OAuth 2 standard.
Since you don't control the 3rd party API your options are, hence, more limited.
Technically speaking, it is feasible to create your own 'middleman' credential service, which implements OAuth 2 and serves as a proxy to talk to the external 3rd party API. However, this would violate Amazon's security policy, which states: "you may not handle, store or transmit credentials on behalf of the user." So your skill may not be allowed if you try to do it this way. Even if it were allowed, it's pretty risky storing plaintext credentials on your server for users in this way.
Since (I assume) you don't control the 3rd party API, there's not really any way you can do this with Amazon's account linking feature.
