marcy-terui / serverless-alexa-skills

Manage your Alexa Skills with Serverless Framework
https://www.npmjs.com/package/serverless-alexa-skills
MIT License
71 stars 13 forks source link

Auth with code grant and implement auto-refresh #3

Closed evaneaston closed 6 years ago

evaneaston commented 6 years ago

The ASK toolkit will perform an authorization code grant instead of an implicit grant and then refresh the token when it expires. This this would be a great addition to this project.

Then you can set up continuous integration flows where you authenticate once, sync the local token with an encrypted secret store (e.g. KMS encrypted and stored in a private S3 bucket), and then have CI pull the latest token, do a deploy, and push the token back to the secret store whenever it changes.

jonnedeprez commented 6 years ago

We have the same requirement, as we want to deploy skills from CI.

A relatively easy approach would be to add a command to the plugin that refreshes the tokens in .serverless/.alexa-skills-token.json, by using the current refresh token in the same file.

I'm thinking of something like serverless alexa refresh-auth. Another, maybe even better, option would be serverless alexa auth --refresh-token "Atzr|abcdef...", where the existing command is used but with the refresh token provided explicitly. When this parameter is present, instead of opening the Grant page in a browser, the plugin sends a refresh POST request to the OAuth API.

The first step in the build process on CI would then be to invoke this command, with the token loaded from a secrets store.

If you think this is an ok approach, I'm willing to provide a PR.

captnCC commented 6 years ago

@jonnedeprez I would love to have this functionality, have you already a solution for this?

jonnedeprez commented 6 years ago

Yes, I do, but I deploy the skill with ask-cli. Using ask cli I got a refresh token on my local machine and stored it on CI as a secret (look inside ~/.ask). These refresh tokens never expire, so you can keep refreshing access tokens using the same refresh token. Then on CI, I run the following in a bash shell (it basically tricks ask-cli authentication):

mkdir -p ~/.ask
curl -X POST https://api.amazon.com/auth/o2/token \
  -H "Cache-Control: no-cache" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&refresh_token=$AMAZON_REFRESH_TOKEN&client_id=$AMAZON_CLIENT_ID&client_secret=$AMAZON_CLIENT_SECRET" \
  | cat <(echo "{\\"profiles\\":{\\"default\\":{\\"aws_profile\\": \\"default\\",\\"token\\":") <(cat -) <(echo "} } }") > ~/.ask/cli_config   

then you can use commands like

ask api update-model ... 
ask api update-skill ...   

and ask cli will already be authenticated.