question

Hello all I am attempting to use the Amazon login SDK to get access to the auth creds passed from Amazon to an Android device when logging in. http://login.amazon.com/ http://login.amazon.com/android The specific app I am running is the sample app provided along with the SDK located here: https://images-na.ssl-images-amazon.com/images/G/01/lwa/samples/SampleLoginWithAmazonAppForAndroid-src._TTH_.zip I am able to login using the example app with my Amazon username and password via the normal OAuth approach. The app user has to enter the password into the web browser on the Android device and then that bounces back to the app via the intent filter on the Android app. Good so far. Now what I want to do is be able to contact a webserver and pass the login token in a secure way so that it can be used to verify that the user logged into a specific Amazon account on the Android device really is the logged in user as opposed to some random hacker. I would like to do that by executing a 3rd party verification using the Oauth token to check that the username passed to the webserver is coming from an Android device that is logged in as a specific user via the Amazon SDK. The problem is that I now want to get access to the auth token that was delivered to the client. I know the SDK is parsing the JSON result because it returns me the already parsed fields out of the JWT like so (I have replaced the actual info with X here). This is the output printed to the screen in the example Android app in the "void onSuccess(Bundle response)" method: Bundle[ {email=XXX@XXX.com, user_id=amzn1.account.XXXX, name=Mo DeJong}] I have read over the Java docs for all the classes in the com.amazon.identity package, but I do not see any way to get access to the JWT token that these fields were parsed from. The reason I want to be able to get the token is so that I can do a 3rd party validation on a server. For example, see the section "Using Access Tokens to Read a Customer Profile" in this document: https://images-na.ssl-images-amazon.com/images/G/01/lwa/dev/docs/website-developer-guide._TTH_.pdf This document describes how a webserver could accept a JWT token from the Android client and then check that the sender really is the user who logged into Amazon on the Android device by invoking a URL like so: https://api.amazon.com/user/profile?access_token=2YotnFZFEjr1zCsicMWpAA The thing is, I want to be able to grab this "2YotnFZFEjr1zCsicMWpAA" out of the Amazon login SDK so that it is possible to pass it to the webserver in order to do a secure 3rd party validation. Both Apple and Google provide APIs that make this kind of 3rd party validation possible. https://developer.apple.com/library/ios/documentation/GameKit/Reference/GKLocalPlayer_Ref/Reference/Reference.html#//apple_ref/occ/instm/GKLocalPlayer/generateIdentityVerificationSignatureWithCompletionHandler: http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html How can I get the "access_token" or "id_token" value out of the Amazon login SDK so that I can pass it to a 3rd party webserver and verify that the user is logged in on the Android device via the OAuth protocol? thanks Mo DeJong DeNA