What is the setup for Alexa Custom Skill w/ 0.77 Auth System?

Before Home Assistant Cloud and Haaska there was the Amazon Alexa Custom Skill or Emulated Hue integration if you wanted to control your HA instance via Alexa.

Since the introduction of the Amazon Alexa Smart Home Skill which makes discovering entities and controlling them so much easier the necessity for a configurable intent based skill is less, but there are cases when it’s preferred since the smart home skill doesn’t allow querying your HA instance to find out the status of a door, or the value of a sensor.

During this time HA 0.77.0 came along and introduced the excellent updated authentication system . However the documentation for the Amazon Alexa Custom Skill seems to be stuck in the past as it still references using an api_password.

I’m not one to jump on the support bus early and have done extensive research on the forums, reddit and tried to troubleshoot the issue myself, but I feel there is a piece of the puzzle I’m overlooking.

These are some of the relevant topics I came across:

1. How do I transition Alexa Component to use long-lived token rather than api_password?
2. Help with Alexa/API
3. Alexa custom (not smart home) skills

Configuration of Alexa Skill

Endpoint

• Service Endpoint Type has been set to HTTPS
• Default Region I’ve set to https://myhomeassistant.domain.com/api (this used to be https://myhomeassistant.domain.com/api/homeassistant/ which returns a 404 now).

Account Linking

• Do you allow users to create an account or link to an existing account with you? = ON
• Allow users to enable skill without account linking (Recommended). = OFF
• Security Provider Information = Auth Code Grant
• Authorization URI*: https://myhomeassistant.domain.com/auth/authorize
• Access Token URI: https://myhomeassistant.domain.com/auth/token
• Client ID*: https://alexa.amazon.co.jp/ (since I’m from AU)
• Client Secret*: random sting (since HA doesn’t check)
• Client Authentication Scheme*: Credentials in request body
• Scope: blank
• Domain List: blank
• Default Access Token Expiration Time: blank

NGINX Reverse Proxy Configuration

    location /api/websocket {
            proxy_pass http://localhaipaddress:8123/api/websocket;
            proxy_set_header Host $host;
            proxy_ssl_server_name on;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /api {
            proxy_pass http://localhaipaddress:8123/api;
            proxy_set_header Host $host;
            proxy_ssl_server_name on;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Alexa Defined in HA Configuration

    alexa:

Observations

I can successfully link the skill in the Alexa App and can see the refresh token in HA. The issue is Alexa keeps returning "There was a problem with the requested skills response."

When viewing the log of my reverse proxy I can see that when using my custom invocation name it hits HA but returns the following:

HTTP/1.1 405 Method Not Allowed

The question is, does anyone know what I and others are missing when trying to configure the Amazon Alexa Custom Skill with the updated authentication system?

Thanks in advance.

I really want to use the new authentication system, but just went with the legacy API password for simplicity sake. So I’ll be watching to see if you have any luck.

One question - are you using an admin account? User level accounts can’t call the API so that’s the first possibility that comes to mind.

Thanks for taking the time to respond @TarheelGrad1998. Using the api_password would be the simplest solution, but not the most ideal since it undermines the updated authentication system and believe is eventually being phased out?

Nice thought regarding the privileges of the user account calling the API, have checked and confirmed that it is indeed an administrator account.

Hopefully this thread can set the record straight on the right way to configure everything.

Totally agree, api_password is a bad solution for many reasons.

When I get time I’ll try to do my setup using the new authentication and see if I have any luck.

No worries, please post any progress you make when you can. Maybe fire up another custom skill to test before ditching your working setup. Are you using any type of reverse proxy?

Good idea. No, I currently have Amazon hitting my HA API via HA Cloud (Nabu Casa).

No luck for me yet either.

One thing, I noticed your Endpoint is set to:
https://myhomeassistant.domain.com/api
But I believe it should be
https://myhomeassistant.domain.com/api/alexa
At least, that’s what my working one (using the api password) is using,

But while I can also link and see a refresh token, I get the same result (“There was a problem with the requested skills response”). When I make the request, I also get a notification in home assistant:

Login attempt or request with invalid authentication from 127.0.0.1

So I think somehow it’s not able to authenticate despite the account linking? Anyway, seems maybe a different symptom than you are getting.

Damn. I’ve tried both endpoints, both result in the same error… Unlike you I don’t receive any form of notification of the failed login attempt yet still have the skill response error from Alexa.

In your case it would seem as if that would be the case that it isn’t authenticating correctly which is strange.

Hopefully someone who knows more about this can chime in and get to the bottom of the problem.

Yes, it would be nice if an expert could chime in. Either there’s something we’re missing, or this doesn’t currently work and needs to be fixed before legacy authentication methods are removed.

I tried several permutations, and this is the best I can do. My settings all match yours save for the endpoint and client id. It appears to link the account, and when it does I see a new refresh token created. But any request through the skill results in the authentication error in home assistant.

The only other thing I can see to do at this point is to use the Alexa test utility and manually try to make an API call with the token from the log. I’ll probably try to figure that out, which will tell me if it’s a problem getting a valid token or with passing the token. Either way though it won’t mean much unless someone knows how to fix it and speaks up.

OK. So I went back and changed my endpoint to /api/alexa and am now receiving the same authentication error in HA that you’re receiving, that is consistent at least.

The account linking information is correct as per the instructions here.

Be interested to find out how you go with the token, but as you said we’re going to need a bit of input from the devs on this one.

So it appears to be getting a good auth token. Here’s what I did:

1. Go to the Test tab in the Alexa Developer Console for my skill
2. Check only the Device Log
3. Type in the Invocation Command as if I were saying it
4. When I get the normal error (“There was a problem…”) (which also gives the authentication failure in Hass), look at the log and find the session -> user -> accessToken value in the JSON
5. Place that access token in a cURL command like in the example here:
   https://developers.home-assistant.io/docs/en/auth_api.html#example-curl

I successfully got the error log returned, and no notification in home assistant. When I omit the header I get a 401, so I know it is authenticating.

So my guess is Home Assistant is not properly reading the token from the request body (since I don’t think that would be the same as the cURL example which sends it in the header).

Feels like a bug to me, so I logged one here:
https://github.com/home-assistant/home-assistant/issues/25473

Maybe that will get a response.

Thanks @TarheelGrad1998 .

I was going to do the same since this thread hasn’t attracted any input from the devs.

So…did you get anything out of that? I totally feel like it was in the same realm as another issue, so he just attributed it to that and blew it off.

Maybe the moral to the story is we need to use the AWS way to set up a skill? Pure conjecture but the only way I can interpret his comments.

I swear this community is underwhelming at times, except if you’re dealing directly with some of the add on developers who I’ve found to be very helpful. The core functionality, not so much.

Not exactly, no. I actually came across that exact issue he linked to while searching and thoroughly read through the thread but it really related to the smart_home skill using AWS Lamba.

I’d like to gain a clarification on if that is going to be the case, because the Python script linked is the ‘Smart Home Skill Adaptor’. It seems like the alexa.intent component isn’t as popular as it once was, especially with the introduction of HA Cloud.

It would be good to know where we stand as users of HA what the future for alexa.intent is.

Like all community based forums, everyone on here contributes their personal time to assist others, and the devs also have their work cut out for them making HA better for all of us. Very rarely I post a question and when I have noticed it doesn’t always attract and answer so I usually end up solving it myself. This may be down the to the fact that there are more people who need support than those who can provide it… not sure.

Let me join this conversation, just to bump this thread. This is one off big wishes I have with my instance. I’m using Hassio with Google Home and the Amazon Echo but without Nabu Casa. I’m also stuck in the auth stuff. I don’t even dare to try changing stuff because I think stuff will break. I tried it a couple of months ago when the auth stuff changed, but there but there are no good instructions how to take care of stuff.

Can anyone with some experience jump in?

I’m halfway thru moving over from emulated_hue: to the alexa smart_home skill.

I’m already using the new auth system, so if it works I’ll post back later on, otherwise assume I’ve got stuck somewhere!

Also, is there a way I can set expose_by_default to false in the alexa smart_home skill?

I’m already using expose_by_default = false for emulated_hue, and I’d rather not have 100+ devices get added to Alexa when I discover devices!

As you’re looking to use the smart_home skill the updated instructions should result in a smooth migration.

The focus seems to be on the smart_home skill and we’re trying to implement custom_intents with Alexa. Surely we’re not the only ones trying to do this and having trouble?

You can use exclude_domains and exclude_entities to select what is discovered by Alexa, read more here.

It honestly might be time to move custom intents over to Appdaemon. I doubt anyone is going to actively care about this given the smart home components for the Echo and Google Homes.

Might be right. It would be good to get a confirmation if the devs are no longer planning on supporting the alexa.intent integration and update the documentation to reflect that.

Are you thinking of this as an alternative solution?