Account Linking with Amazon Cognito by Authorization Code Grant


If you provide a SaaS product, adding a voice experience to your service is a good choice for your customers.

A voice experience can make your service easier for customers to use.

In this post, we show how to build a serverless OAuth infrastructure and combine it with your Alexa Skill.

Step by Step Summary

  1. Constructing Amazon Cognito UserPool
  2. Configuring Client App
  3. Create your Custom skill with Account Linking
  4. Acquire OAuth token



1. Constructing Amazon Cognito UserPool

First, create a User Pool on AWS.

Open the Management Console and select Cognito. Then select “Manage User Pool”.


Select “Create a user pool”.

Select “Review defaults”.


In this post, all configuration is left at the defaults. (Users are authenticated by email.)

Select “Add Clients”.


Before moving on, check the client information.

“client_id” and “App client secret” will be used in Step 3.


2. Configuring Client App

There are two authentication types in OAuth2: the implicit grant and the auth code grant.

The implicit grant fits use cases where the user needs to authenticate again every time the access token expires.

The auth code grant fits use cases where the application needs to update the access token automatically.

For an Alexa Skill, the auth code grant is the better way to acquire an access token, because Alexa has a feature that updates the access token automatically.


The configuration for this is really easy: just check the “Authorization code grant” checkbox. To authenticate by email, check “aws.cognito.signin.user.admin” in the Scopes.


For the domain name, most use cases need a custom domain for authentication. Add your own domain by entering the “Domain name” and the “AWS managed certificate”.


Attaching is in progress….


You will find the Alias target (“”) on the screen. Add the URL as an alias record (A record) to your hosted zone in Route 53.

When attaching is finished, the domain status changes to “ACTIVE”.


Almost done.

For the test, add the redirect URL to the Callback URL(s).


OK. Let’s access the sign-in page.


3. Create your Custom skill with Account Linking

Make a custom skill using the Fact Skill tutorial.

(Any other skill that can be invoked can be used as an alternative.)


Then, in the Alexa Developer Console, add the client information.

On the same screen, write down the Redirect URLs. These URLs are needed later.


Back on the Amazon Cognito screen, set the three Redirect URLs as the Callback URL(s).


Done. You have finished configuring Account Linking!

Let’s test!



4. Acquire Access token

When the skill is called, you can find the access token in the request.

(CloudWatch Logs)

Code snippet for ASK-SDK for Node.js

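const Axios = require('axios');

// Placeholder: the endpoint of your own service's API (not given in the original post)
const url = 'https://api.example.com/resource';

const HelloWorldIntentHandler = {
  canHandle(handlerInput) {
    return handlerInput.requestEnvelope.request.type === 'IntentRequest'
      && handlerInput.requestEnvelope.request.intent.name === 'HelloWorldIntent';
  },
  async handle(handlerInput) {
    // Access token that Alexa obtained from Cognito through Account Linking
    const accessToken = handlerInput.requestEnvelope.session.user.accessToken;
    const speechText = 'Hello World!';
    const headers = {Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json'};
    // Call your service with the user's token; axios takes headers inside a config object
    const response = await Axios.get(url, { headers });
    return handlerInput.responseBuilder
      .speak(speechText)
      .withSimpleCard('Hello World', speechText)
      .getResponse();
  },
};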
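
Two cases the handler above does not cover, shown as an added example (not code from the original post): the access token is absent until the user has linked an account, and a request envelope written to CloudWatch Logs carries the bearer token in clear text. The helper names (redactForLog, getLinkedToken, withLinkedAccount) and the sample envelope are hypothetical and constructed for illustration.

```javascript
// Fields of an Alexa request envelope that hold bearer credentials.
const SECRET_KEYS = new Set(['accessToken', 'apiAccessToken', 'consentToken']);

// Deep-copy a request envelope with credential fields masked, for logging.
function redactForLog(value) {
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value === null || typeof value !== 'object') return value;
  return Object.fromEntries(Object.entries(value).map(([key, v]) =>
    [key, SECRET_KEYS.has(key) && typeof v === 'string' ? '[REDACTED]' : redactForLog(v)]));
}

// Return the linked account's access token, or null when no account is linked.
function getLinkedToken(envelope) {
  const system = (envelope.context && envelope.context.System) || {};
  const user = system.user || (envelope.session && envelope.session.user) || {};
  return typeof user.accessToken === 'string' && user.accessToken !== '' ? user.accessToken : null;
}

// Hypothetical wrapper: ask for account linking instead of calling the API with no token.
function withLinkedAccount(handlerInput, onLinked) {
  const token = getLinkedToken(handlerInput.requestEnvelope);
  if (token === null) {
    return handlerInput.responseBuilder
      .speak('Please link your account in the Alexa app to use this skill.')
      .withLinkAccountCard()
      .getResponse();
  }
  return onLinked(token);
}

// Constructed sample envelope (placeholder values, not real tokens).
const sampleEnvelope = {
  session: { user: { userId: 'amzn1.ask.account.EXAMPLE', accessToken: 'eyJ.constructed.token' } },
  context: { System: {
    apiAccessToken: 'constructed-api-token',
    user: { userId: 'amzn1.ask.account.EXAMPLE', accessToken: 'eyJ.constructed.token' },
  } },
  request: { type: 'IntentRequest', intent: { name: 'HelloWorldIntent' } },
};

// Log the redacted copy, never the raw envelope.
console.log(JSON.stringify(redactForLog(sampleEnvelope)));
```

Inside handle(), call withLinkedAccount(handlerInput, (token) => ...) and build the Authorization header from the token passed to the callback.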



With Cognito, you can build the scaffold of an OAuth2 flow much more easily.

You also don’t need to maintain the user resources in your own database.

And you can build a voice user experience with your customer resources.


For more information:



A more natural interface. A more human interface.

HUMAN CENTRIC (Dr. Werner Vogels at re:Invent 2018)