
After configuring OAuth 2.0 in an Alexa skill, I'm seeing the accessCode value in Alexa requests:

{
"version": "1.0",
"session": {
    "new": true,
    "sessionId": "amzn1.echo-api.session.ee83f187-e2ac-4c4b-8aed-8ba4318f3f2f",
    "application": {
        "applicationId": "amzn1.ask.skill.db1bac88-183d-409c-9d3e-0e69fa0f5fe2"
    },
    "user": {
        "userId": "amzn1.ask.account.AGX2NO3NXXDS6NLEZMDZXMRZZPJ3DLEERYK7J3NUPFUYRADFB2HRILB7BZVTN336OFVSNFFUP3VDVFHERK5PKQE5H32EQ5GGWTT67EMDQKP22Q7NTXXNYDUTYNCYI6EJUEODQ54VHKW4JSWVCS7JINWLYH2LICQVETFGZBY6NBDJVEX66VCGCZMRTFZYAG2E3IXDPMPVF3U4VMY",
        "accessToken": "Atza|IwEBIP0j7B1xImJOKy0dTxYcNFzZq65Yk2WG9HeDvvKQPQALcs77zkf0_PcrifZ36HFYn5eq74aErU5QsPhlqCkMFU2H1EyLAKr3uPXFQxHWpI0p1Y9vJZ5MqPBEj-RxKyFuRc7IeYOA8L8Kz3BRJY7J96obb279WAWQe9HstuEWWeNSh9b9ZHrMKqW3ooPftt_0dTBYUSIE0ukmzwWsYrNa_HaMduby8gyTnV8pxFc6tWnwpMgs03T6rBoTOmTSC_7MzvW-wIRN4b9PjFi_7L_3Sd505MUmB9MhYp3LOhvkP5qj3J3lBFXV6FzGJ0N_v2ohg8pX4XglktyIm1GVOdBIhKjy_3aRzXqzSey7WVSbPeSpUwQoB8TLjDcom-A9_Ax3usqxGdpkHtyc7e67N0wbF6G_DjUth0m-SeOeG7FAr_yVbJo0DJfihriGcVRQ40oKehpHG1pvn2PpT98j3LKSC_Z9xFKgyxbZfM2vXdyTiiMMHIcB_u4mwLuXtrsYY-cQzSFrU_Chj3Tcrhj5Ts87ZecBNvnvdEGIa_FecO7CQUJjwIiKOai-gVwfvm6o4vYzC-0"
    }
},
"context": {
    "System": {
        "application": {
            "applicationId": "amzn1.ask.skill.db1bac88-183d-409c-9d3e-0e69fa0f5fe2"
        },
        "user": {
            "userId": "amzn1.ask.account.AGX2NO3NXXDS6NLEZMDZXMRZZPJ3DLEERYK7J3NUPFUYRADFB2HRILB7BZVTN336OFVSNFFUP3VDVFHERK5PKQE5H32EQ5GGWTT67EMDQKP22Q7NTXXNYDUTYNCYI6EJUEODQ54VHKW4JSWVCS7JINWLYH2LICQVETFGZBY6NBDJVEX66VCGCZMRTFZYAG2E3IXDPMPVF3U4VMY",
            "accessToken": "Atza|IwEBIP0j7B1xImJOKy0dTxYcNFzZq65Yk2WG9HeDvvKQPQALcs77zkf0_PcrifZ36HFYn5eq74aErU5QsPhlqCkMFU2H1EyLAKr3uPXFQxHWpI0p1Y9vJZ5MqPBEj-RxKyFuRc7IeYOA8L8Kz3BRJY7J96obb279WAWQe9HstuEWWeNSh9b9ZHrMKqW3ooPftt_0dTBYUSIE0ukmzwWsYrNa_HaMduby8gyTnV8pxFc6tWnwpMgs03T6rBoTOmTSC_7MzvW-wIRN4b9PjFi_7L_3Sd505MUmB9MhYp3LOhvkP5qj3J3lBFXV6FzGJ0N_v2ohg8pX4XglktyIm1GVOdBIhKjy_3aRzXqzSey7WVSbPeSpUwQoB8TLjDcom-A9_Ax3usqxGdpkHtyc7e67N0wbF6G_DjUth0m-SeOeG7FAr_yVbJo0DJfihriGcVRQ40oKehpHG1pvn2PpT98j3LKSC_Z9xFKgyxbZfM2vXdyTiiMMHIcB_u4mwLuXtrsYY-cQzSFrU_Chj3Tcrhj5Ts87ZecBNvnvdEGIa_FecO7CQUJjwIiKOai-gVwfvm6o4vYzC-0"
        },
        "device": {
            "deviceId": "amzn1.ask.device.AGUTTO7VCXPCUUSXNDCNO6LK7LZHUKPDGZBOXUOBNRNOBGD7FHBJWHOK3LJNQX4U47HTFLUXJ6MHBL6V7UCDNTWOMBJIP5R4R2ZVK3XJX42PEZG6J6TCS3U7NSYZZ3PDCUSH22CY7LYGNIK2MGXCUGR4ITQQ",
            "supportedInterfaces": {}
        },
        "apiEndpoint": "https://api.amazonalexa.com",
        "apiAccessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.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.R4GgGcxPUNtYsjulREFD_a0n2L1RHoI9yC6wS5lHQ7t_ZCcBvL2CrCtjdHpSyL3y7x6QJzQP-iARDmw5T1MKISa3iXuopGj-7MuSfUiyUX3aq2PZR5iuKKL0ZtnmuHSEGB5QcVJ6KaKRj3RmvflhE7x6JGbnFR7L8f2zusQl9s-7H14-FHE9ZPIp52rzhFMgTyrsX39Jt0CQlEX9J1JpAUej9SHmUtCV4PK1_uOOxdToqhQId1L4Vs8h9q5CDF-W4moDV5CQAwbZzU8MuOcdjMD5FtTn1V_eQMSZu4FwyHk3BXexxJxAtP-7jiL0qdCQ9aVT5sLuLr8scfisuujUEA"
    }
},
"request": {
    "type": "LaunchRequest",
    "requestId": "amzn1.echo-api.request.c8780c62-a494-4fbc-b071-4d9e9ead3504",
    "timestamp": "2018-09-12T09:56:17Z",
    "locale": "en-US",
    "shouldLinkResultBeReturned": false
}

}

This code however doesn't seem to be a valid JWT token.

Is that so, or am I doing something wrong (perhaps providing a different algorithm)?

Does Alexa's `accessToken` comply with any token standard?

Thank you in advance.

Simeon Leyzerzon
  • the `apiAccessToken` is a JWT, easy to recognize because it starts with `ey...`. I would not post this here, as it contains your userID and deviceID, not sure if that might cause security problems. – jps Sep 12 '18 at 11:51

1 Answer


Alexa just passes the accessToken that it receives from the Authorization server. It is completely up to the Authorization server which type of token it issues.

The Access Token is a credential that represents the end user (resource owner) in another system. A token should identify the user in the other system.

If the account linking was successful, Alexa now stores an access token (provided by the other system) that identifies the user in the other system. This token is now included in all requests to the skill, so the skill can access the user's information in the other system when needed.

Simeon Leyzerzon
johndoe
  • Is it possible to somehow obtain the real `userId` (from the token or otherwise) that a user supplied during account linking and not the one autogenerated by Alexa (`amzn1.ask.account.[unique-value-here]`) as asked in https://stackoverflow.com/questions/54699087/does-can-alexa-replace-its-generated-userid-for-a-linked-user and https://stackoverflow.com/questions/54700595/how-to-obtain-userid-specified-by-alexa-user-during-account-linking? – Simeon Leyzerzon Feb 15 '19 at 20:35
  • This implies that the id is different depending on the execution env (platform): https://stackoverflow.com/questions/41582708/how-to-get-an-alexa-userid?rq=1 We are not seeing this behavior. What may we be missing? – Simeon Leyzerzon Feb 15 '19 at 20:36
  • The authn/authzn system against which account linking will be done in prod is located outside the boundaries of our organization and therefore we'd like to get to a real userId being passed to us via Alexa's request somehow. Is that possible? – Simeon Leyzerzon Feb 15 '19 at 20:39
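
The distinction drawn in the answer and in the first comment, as an added example (not code from the post or from Amazon): a skill can check structurally whether each token in the request envelope is a JWT or an opaque string issued by the authorization server. The sample tokens, the `example-issuer` claim and the function names are constructed for illustration; the check decodes only and verifies no signature.

```javascript
// Decode one base64url segment to a parsed JSON object, or null if it is not JSON.
function decodeJsonSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) return null;
  try {
    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    const value = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return value !== null && typeof value === 'object' && !Array.isArray(value) ? value : null;
  } catch (err) {
    return null;
  }
}

// Structural check only: a JWT has three dot-separated parts with a JSON header and payload.
function classifyToken(token) {
  if (typeof token !== 'string' || token.length === 0) return { format: 'missing' };
  const parts = token.split('.');
  if (parts.length === 3) {
    const header = decodeJsonSegment(parts[0]);
    const claims = decodeJsonSegment(parts[1]);
    if (header && typeof header.alg === 'string' && claims) {
      return { format: 'jwt', header, claims };
    }
  }
  return { format: 'opaque' };
}

// Classify both tokens carried in an Alexa request envelope.
function inspectAlexaTokens(envelope) {
  const system = (envelope.context && envelope.context.System) || {};
  return {
    accessToken: classifyToken(system.user && system.user.accessToken),
    apiAccessToken: classifyToken(system.apiAccessToken),
  };
}

// Constructed sample values (not the tokens from the post).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleJwt = `${b64url({ typ: 'JWT', alg: 'RS256', kid: '1' })}.` +
  `${b64url({ iss: 'example-issuer', exp: 1536749777 })}.c2lnbmF0dXJl`;
const sampleEnvelope = { context: { System: {
  user: { accessToken: 'Atza|constructed-opaque-value_0123' },
  apiAccessToken: sampleJwt,
} } };
console.log(inspectAlexaTokens(sampleEnvelope));
```

An `opaque` result means the token's meaning is defined only by the authorization server that issued it, so the skill has to treat it as a bearer credential for that server rather than parse it.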