Sorry this has taken me a while to get going but it is still on my radar, I've got an oauth2 server running now on my core and looks to be working fine and issuing out tokens and all that nice stuff. I've brought a cheap domain name in the black friday sales and linked that into my core and installed an SSL certificate as well which is also working fine however after 2 days of pulling my hair out trying to get amazon to accept and link my skill to my core it seems that amazon are extremely picky on what SSL certs they will accept from what i can see it has to come from either, digicert, versign, twane or one of the other over overpriced big players you cant use just any old cheap certificate that you can get nowadays I got mine from godaddy but i tried a trial for geotrust as well and that also wouldn't work.
To verify that it was a certificate issue I copied my code over from my core on to one of the web servers at my work which has an enhanced certificate from digicert and it linked fine so this leads me to a problem either we all have to buy a £250+ a year SSL certificate and link an amazon skill to each of our cores so that there is no concern in security or the other option I'm looking at is develop a web interface on a server with an expensive certificate and then use this as a middle man to receive the commands from amazon or any other similar service link them to a user in a DB which has that persons core IP address or domain name and then route the command to there core.
To keep this as secure as possible ill still use Oauth2 on the core to link to this intermediate site but be a little more lenient on the certificate type allowing like a selfsigned one the good thing about this as well will be that the skill I produce should be allowed to be published publicly as its linking to a single secured service and although there will be concerns maybe with a third party site holding core details by using oauth2 a user can revoke access at any point.
To test this approach I'm making the intermediate site on a server i have access to at work where I'm currently building an internal web application, This will be fine to test but it cant obviously stay there for all to connect to I cant see my manager being to impressed but if I can get this working and others find it useful then perhaps we can group fund a certificate for the linuxmce.org domain and move the page built over to this server I think people would full more secure that way as well.
But anyway just thought id give an update and let people know its not been forgotten about.