Account linking gives a custom skill a secure way to connect to third-party resource servers that require authentication before they expose an end user's identity or data. A custom skill may have functionality that is restricted because it requests the user's personal information; that access is obtained through the account linking feature. On the VOGO Voice platform a skill can be enabled without account linking, in which case the user does not get a personalized experience and misses out on the parts of the skill that depend on it. In short, whether the user gets the full or only a partial experience depends entirely on whether they enabled the skill with or without linking their account.
Account linking uses an OAuth 2.0 authorization server. OAuth 2.0 is an open standard that provides a simple, standards-based way to request user authorization from remote servers. Holding an access token is a prerequisite for calling the resource server's API (Application Programming Interface). With the authorization code grant type, the skill, which is the OAuth client, exchanges an authorization code for an access token. The implicit grant type is a simplified flow that skips the authorization code exchange step and returns the access token immediately.
If no access token is present, the custom skill has to present the user with an authorization card through which they can sign in.
During authentication the skill, or the voice-enabled device, tries to access information held on a private resource server; the user has to sign in and grant the custom skill permission to use those features. Although the skill is the OAuth client, Alexa/Google Assistant performs certain steps on its behalf, one of which is visiting the OAuth server and prompting the user to sign in. The skill alone is considered the client because it is the only component that accesses the protected resources on the resource server. If the user agrees to share their data, the OAuth server records that consent on behalf of the resource owner (the user) and sends an access token back to the skill. With the access token, the OAuth 2.0 application that originally made the request to the resource server on behalf of the resource owner, and with the resource owner's authorization, gains access to the resource server. The skill then uses the access token to request information from the resource server or database. The Account Linking section of the screen is concerned solely with setting up the relationship between the skill and the OAuth server.
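The two grant types described above and the code-for-token exchange the skill performs, as an added example that is not VOGO Voice, Alexa or Google Assistant code: a constructed in-memory authorization server and resource server showing why the authorization code must be single-use, short-lived and bound to the client and redirect URI, and how the implicit grant returns a token with no exchange step. All client identifiers, secrets and URLs are constructed placeholders.

```python
import secrets
import time

# Constructed model of an OAuth 2.0 authorization server (not a real provider).
class AuthServer:
    def __init__(self, clients):
        self.clients = clients   # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}          # one-time authorization codes awaiting exchange
        self.tokens = {}         # access_token -> {"scope": [...], "exp": epoch}

    def authorize(self, client_id, redirect_uri, scope, response_type):
        """Called after the user signs in and consents at the OAuth server."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if response_type == "token":      # implicit grant: token returned directly
            return {"access_token": self._issue_token(scope)}
        code = secrets.token_urlsafe(24)  # authorization code grant: issue a code
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "exp": time.time() + 60}
        return {"code": code}

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: the skill exchanges the code it received at its redirect endpoint."""
        entry = self.codes.pop(code, None)   # pop makes the code single-use
        client = self.clients.get(client_id)
        if entry is None or client is None or client["secret"] != client_secret:
            raise ValueError("invalid code or client credentials")
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise ValueError("code was not issued to this client/redirect_uri")
        if entry["exp"] < time.time():
            raise ValueError("code expired")
        return {"access_token": self._issue_token(entry["scope"]), "token_type": "Bearer"}

    def _issue_token(self, scope):
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"scope": list(scope), "exp": time.time() + 3600}
        return tok


def resource_server_read(server, access_token, needed_scope):
    """Resource server: serve data only for a live token carrying the needed scope."""
    meta = server.tokens.get(access_token)
    if meta is None or meta["exp"] < time.time() or needed_scope not in meta["scope"]:
        return None
    return {"name": "Example User"}   # constructed resource-owner data
```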
In the Security Provider Information section, the values for the listed parameters are supplied by the OAuth provider. The fields are populated with these values because they are the standard settings for an OAuth server configuration.
Scopes, shown below, list the specific rights the skill is allowed to exercise on the user's account. This information is also supplied by the OAuth provider.
The next stage of Account Linking is Alexa providing the redirect endpoint, which receives the OAuth authorization code and requests an OAuth access token.
After verifying that all the required fields have been filled in, click Upload Account Link in the right-hand corner of the screen to complete the account linking.