modejong asked

How to do third party verification using login SDK on Android

Hello all, I am attempting to use the Amazon login SDK to get access to the auth creds passed from Amazon to an Android device when logging in.

http://login.amazon.com/
http://login.amazon.com/android

The specific app I am running is the sample app provided along with the SDK located here: https://images-na.ssl-images-amazon.com/images/G/01/lwa/samples/SampleLoginWithAmazonAppForAndroid-src._TTH_.zip

I am able to login using the example app with my Amazon username and password via the normal OAuth approach. The app user has to enter the password into the web browser on the Android device and then that bounces back to the app via the intent filter on the Android app. Good so far.

Now what I want to do is be able to contact a webserver and pass the login token in a secure way so that it can be used to verify that the user logged into a specific Amazon account on the Android device really is the logged in user as opposed to some random hacker. I would like to do that by executing a 3rd party verification using the OAuth token to check that the username passed to the webserver is coming from an Android device that is logged in as a specific user via the Amazon SDK.

The problem is that I now want to get access to the auth token that was delivered to the client. I know the SDK is parsing the JSON result because it returns me the already parsed fields out of the JWT like so (I have replaced the actual info with X here). This is the output printed to the screen in the example Android app in the "void onSuccess(Bundle response)" method:

Bundle[ {email=XXX@XXX.com, user_id=amzn1.account.XXXX, name=Mo DeJong}]

I have read over the Java docs for all the classes in the com.amazon.identity package, but I do not see any way to get access to the JWT token that these fields were parsed from. The reason I want to be able to get the token is so that I can do a 3rd party validation on a server.

For example, see the section "Using Access Tokens to Read a Customer Profile" in this document: https://images-na.ssl-images-amazon.com/images/G/01/lwa/dev/docs/website-developer-guide._TTH_.pdf

This document describes how a webserver could accept a JWT token from the Android client and then check that the sender really is the user who logged into Amazon on the Android device by invoking a URL like so:

https://api.amazon.com/user/profile?access_token=2YotnFZFEjr1zCsicMWpAA

The thing is, I want to be able to grab this "2YotnFZFEjr1zCsicMWpAA" out of the Amazon login SDK so that it is possible to pass it to the webserver in order to do a secure 3rd party validation. Both Apple and Google provide APIs that make this kind of 3rd party validation possible.

https://developer.apple.com/library/ios/documentation/GameKit/Reference/GKLocalPlayer_Ref/Reference/Reference.html#//apple_ref/occ/instm/GKLocalPlayer/generateIdentityVerificationSignatureWithCompletionHandler:
http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html

How can I get the "access_token" or "id_token" value out of the Amazon login SDK so that I can pass it to a 3rd party webserver and verify that the user is logged in on the Android device via the OAuth protocol?

Thanks,
Mo DeJong
DeNA
fire tablet

Sujoy@Amazon answered
How about this?

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;

// Login with Amazon SDK classes (com.amazon.identity.auth.device.*)
import com.amazon.identity.auth.device.AuthError;
import com.amazon.identity.auth.device.authorization.api.AmazonAuthorizationManager;
import com.amazon.identity.auth.device.authorization.api.AuthorizationListener;
import com.amazon.identity.auth.device.authorization.api.AuthzConstants;
import com.amazon.identity.auth.device.shared.APIListener;

public class MainActivity extends Activity {
    private AmazonAuthorizationManager mAuthManager;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // setContentView(...) with the layout that contains the
        // login_with_amazon button must be called before findViewById()
        mAuthManager = new AmazonAuthorizationManager(this, Bundle.EMPTY);
        // Find the button with the login_with_amazon ID
        // and set up a click handler
        Button mLoginButton = (Button) findViewById(R.id.login_with_amazon);
        mLoginButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                mAuthManager.authorize(new String[] {"profile", "postal_code"},
                        Bundle.EMPTY, new AuthorizeListener());
            }
        });
    }

    private class AuthorizeListener implements AuthorizationListener {
        /* Authorization was completed successfully. */
        @Override
        public void onSuccess(Bundle response) {
            // Authorization only tells us the user consented; ask the SDK
            // for the access token itself with the same scopes.
            mAuthManager.getToken(new String[] {"profile", "postal_code"},
                    new TokenListener());
        }

        /* There was an error during the attempt to authorize the application. */
        @Override
        public void onError(AuthError ae) {
        }

        /* Authorization was cancelled before it could be completed. */
        @Override
        public void onCancel(Bundle cause) {
        }
    }

    private class TokenListener implements APIListener {
        /* getToken completed successfully. */
        @Override
        public void onSuccess(Bundle response) {
            final String authzToken =
                    response.getString(AuthzConstants.BUNDLE_KEY.TOKEN.val);
            // Got token. Send it to server
        }

        /* There was an error during the attempt to get the token. */
        @Override
        public void onError(AuthError ae) {
        }
    }
}
```

modejong answered
Sujoy, thanks for the help. I am able to access the AuthzConstants.BUNDLE_KEY.TOKEN string now. With this JWT token, I can invoke the Amazon tokeninfo REST endpoint and see that the token is valid. Thing is, I am now stuck because I am not able to query the "client_id" value that was sent as part of the OAuth signin. This "client_id" value is returned as the field "aud" in the results of the Amazon tokeninfo REST endpoint. I tried to access a bundle named "AuthzConstants.BUNDLE_KEY.CLIENT_ID.val" but that does not seem to be a valid bundle value in any of the callbacks I could find. I was able to look at api_key.txt and decode the JWT. I can see that there is a token named "clientId" which seems to be the correct value. The Amazon docs for website OAuth (website-developer-guide._TTH_.pdf) state this about "aud":

"The client identifier used to request the access token. If this does not match the client_id used in your Authorization Request (p. 15), do not use this token."

So, it seems clear that validating the token means that "aud" must match the "client_id" that was passed in the original auth step. Is there some way I can query this string from the SDK? If not, would I need to parse the JWT token inside the asset file api_key.txt in order to be able to send this string into the 3rd party server so that the verification will work?
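The server-side half of the flow discussed in this thread (device forwards the token, server calls the tokeninfo endpoint, compares "aud" with the client_id, then reads the profile) as an added example written for this page; it is not code from the thread, from the LWA sample app or from Amazon. It assumes the tokeninfo endpoint is https://api.amazon.com/auth/o2/tokeninfo (the thread names the endpoint without quoting the URL), the sample JSON responses are constructed, and the function names and the injectable `fetch` parameter are choices made here. The server compares "aud" against the client_id it already holds in its own configuration, so the device does not have to read the value out of api_key.txt and send it along.

```python
"""Server-side validation of a Login with Amazon access token (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Profile URL is the one quoted in the thread; tokeninfo URL is an assumption
# (the LWA endpoint the thread refers to by name only).
TOKENINFO_URL = "https://api.amazon.com/auth/o2/tokeninfo"
PROFILE_URL = "https://api.amazon.com/user/profile"


class TokenValidationError(Exception):
    """Raised whenever the presented token must not be trusted."""


def _https_get_json(url):
    """Default fetcher: HTTPS GET and JSON-decode the body (online use only)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        # An invalid or expired token comes back as a 4xx with an error body.
        raise TokenValidationError("endpoint rejected token: HTTP %d" % e.code) from e


def verify_access_token(access_token, expected_client_id, claimed_user_id,
                        fetch=_https_get_json):
    """Return the LWA profile for a token the Android client forwarded to us.

    1. tokeninfo tells us which client the token was issued to ("aud").
    2. "aud" must equal OUR registered client_id: a valid token minted for
       some other app is still refused (the point the thread quotes from
       the LWA guide).
    3. The token's user_id must equal the user_id the client claims to be.
    4. The profile fetched with the token must name the same user_id.
    """
    if not access_token:
        raise TokenValidationError("empty token")
    query = urllib.parse.urlencode({"access_token": access_token})
    info = fetch("%s?%s" % (TOKENINFO_URL, query))
    if info.get("aud") != expected_client_id:
        raise TokenValidationError("aud %r is not our client_id" % info.get("aud"))
    if info.get("user_id") != claimed_user_id:
        raise TokenValidationError("token user_id does not match claimed user_id")
    profile = fetch("%s?%s" % (PROFILE_URL, query))
    if profile.get("user_id") != claimed_user_id:
        raise TokenValidationError("profile user_id does not match claimed user_id")
    return profile


def rejection_reason(access_token, expected_client_id, claimed_user_id,
                     fetch=_https_get_json):
    """None when the token verifies, otherwise the reason it was refused."""
    try:
        verify_access_token(access_token, expected_client_id, claimed_user_id, fetch)
        return None
    except TokenValidationError as e:
        return str(e)


# Constructed sample data: field names follow the LWA JSON, values are fake.
SAMPLE_CLIENT_ID = "amzn1.application-oa2-client.EXAMPLE0000"
SAMPLE_USER_ID = "amzn1.account.EXAMPLEUSER"
SAMPLE_TOKENINFO = {"aud": SAMPLE_CLIENT_ID, "user_id": SAMPLE_USER_ID,
                    "iss": "https://www.amazon.com", "exp": 3599}
SAMPLE_PROFILE = {"user_id": SAMPLE_USER_ID, "email": "xxx@example.com",
                  "name": "Test User"}


def fake_fetch(url):
    """Offline stand-in for _https_get_json, keyed on the endpoint prefix."""
    if url.startswith(TOKENINFO_URL):
        return dict(SAMPLE_TOKENINFO)
    if url.startswith(PROFILE_URL):
        return dict(SAMPLE_PROFILE)
    raise ValueError("unexpected URL " + url)


if __name__ == "__main__":
    token = "2YotnFZFEjr1zCsicMWpAA"  # placeholder token from the thread
    print(verify_access_token(token, SAMPLE_CLIENT_ID, SAMPLE_USER_ID, fake_fetch))
    print(rejection_reason(token, "amzn1.application-oa2-client.OTHERAPP",
                           SAMPLE_USER_ID, fake_fetch))
```

The "aud" check is what stops a token obtained by a different app (for the same Amazon account or any other) from being replayed against this server; the user_id cross-check stops a client from presenting someone else's valid token while claiming a different identity.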

Sujoy@Amazon answered
Hi Modejong, officially LWA-specific queries are monitored at this moment here: https://sellercentral.amazon.com/forums/category.jspa?categoryID=23
Can you please post your query over there? Thanks.