Uniquely Identify User with Login with Amazon OAuth


I am building a Smart Home skill for Alexa, and as part of the skill, I need to use the Login with Amazon OAuth server. I have managed to get to the point of handling the initial authentication of the user by handling the AcceptGrant directive and requesting access tokens from LWA. The problem that I am having is how to uniquely identify the user after the authentication is complete.

Amazon's documentation states the following about uniquely identifying customers:

Store the access and refresh tokens with the grantee access token so that you can always associate the tokens with the customer. Store the tokens in a secured location, such as Amazon Web Services (AWS) DynamoDB or a secure token store in your device cloud.

Source

I have followed this advice and, as part of the authentication process, I use a simple DynamoDB table to store the grantee token as the primary key and the access and refresh tokens as associated with it. Then, when a future request comes in, I use the access token from the directive to look up the user in the table. This works fine until the token expires, at which point I am no longer able to identify the user, as I cannot find an entry in the database. I understand that I am supposed to renew the token, but how can I do that if I can't find the user for whom I am supposed to perform the renewal in the first place?

I have tried finding a solution in the Amazon developer documentation, but all I have come across is the following, and it is too vague to be helpful:

Once you have the token, verify that it identifies a user in your resource server. The token could become invalid for multiple reasons, for example:

  • The user deleted or canceled their account with your service. For example, an Alexa user might have set up account linking with My Lights, then later canceled their My Lights account. At this point, the token stored by the Alexa service would identify a non-existent user.
  • The token has expired, and the Alexa service was unable to obtain a new token. This can occur with an authorization code grant if your authorization server does not provide refresh tokens.

Source
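As an added example (not part of the question and not Amazon's code), here is the storage shape that avoids the lookup failure described above: records are keyed on a stable user id rather than on the access token, and an incoming directive token is resolved through the token issuer only on a cache miss. `resolve_profile`, `FAKE_PROFILE_SERVICE` and the token values are constructed stand-ins for the real profile/introspection call; a dict stands in for DynamoDB.

```python
import hashlib
import time

# Constructed stand-in for the issuer's profile lookup (assumed; in a real
# skill this would be an HTTPS call using the bearer token from the directive).
# Two different tokens map to the same user: Alexa rotates the token after expiry.
FAKE_PROFILE_SERVICE = {
    "tok-old": "amzn1.account.USER_A",  # constructed sample value
    "tok-new": "amzn1.account.USER_A",  # same user, refreshed token
    "tok-b":   "amzn1.account.USER_B",
}

def resolve_profile(bearer_token):
    """Return the stable user id for a token, or None if the issuer rejects it."""
    return FAKE_PROFILE_SERVICE.get(bearer_token)

class UserStore:
    """Token store keyed on the stable user id, not on the rotating access token.
    Only a SHA-256 of each directive token is kept in the lookup index."""

    def __init__(self, now=time.time):
        self.users = {}        # user_id -> {"access_token", "refresh_token"}
        self.token_index = {}  # sha256(directive token) -> (user_id, expires_at)
        self.now = now

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def save_tokens(self, user_id, access_token, refresh_token):
        # Tokens obtained from LWA after AcceptGrant live under the user id,
        # so a renewal can always find the refresh token for that user.
        self.users[user_id] = {"access_token": access_token,
                               "refresh_token": refresh_token}

    def identify(self, directive_token, ttl=3600):
        """Map an incoming directive token to a user id.
        Cache hit by token hash while unexpired; otherwise ask the issuer."""
        entry = self.token_index.get(self._h(directive_token))
        if entry and entry[1] > self.now():
            return entry[0]
        user_id = resolve_profile(directive_token)
        if user_id is None:
            return None  # invalid token: reject the directive
        self.token_index[self._h(directive_token)] = (user_id, self.now() + ttl)
        return user_id
```

Because the refresh token is filed under the user id, the renewal step no longer depends on the expired access token still being present in the table.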
