Sven Baeck asked

Question: How to identify requester in Authorization Code Grant

I'm creating an application using the Amazon Cloud Drive REST API. I implemented login via the "Authorization Code Grant" method. Essentially login works, but I'm still facing the following problem: The user gets redirected to the Amazon login pages first (https://www.amazon.com/ap/oa). After logging in, a redirect to my webserver is returned. The HTTP request sent to my webserver passes the code and scope. The request however does not contain any identification about the user. Is there a method to have e.g. parameters passed in the redirect_uri? Or some other way to add an identifier in the call to https://www.amazon.com/ap/oa that is later on passed back to my webserver? I need to link the answer (code sent to my webserver) to the original request. Thanks a lot, Sven.
amazon drive

Sven Baeck answered
Answering my own question after some further investigation. The solution is described in: https://images-na.ssl-images-amazon.com/images/G/01/lwa/dev/docs/website-developer-guide._TTH_.pdf. An additional request parameter can be added to the authorization code grant call URL (state). This value is then passed as parameter in the redirect_uri call.

Jamie Grossman answered
Glad you were able to resolve this!

Sandeep S. answered
Hi Sven - can you elaborate on the parameter - I added 'profile' in the Authorization Code Grant request and seemed to return only the tokens, etc. Is there a separate call needed?

Sandeep S. answered
Answering my own question in case anyone else is wondering: Added "profile" as an additional scope parameter (as in "clouddrive:read_all clouddrive:write profile" in the login call) and subsequently used https://api.amazon.com/user/profile to get the profile info.

Sven Baeck answered
Hi Sandeep, In my case, the webserver processing the redirected call after login is running in a different thread than the one from which I started logging in. Hence I needed a mechanism for my local webserver to know which thread/object had initiated the login. Using the request parameter "state" you can pass data in the initial request. This same data gets sent back to the redirect url and thus allows linking the original requester to the callback. Adding the scope profile indeed allows querying the user profile to actually get user account info. Regards, Sven.
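
As an added example that is not part of the original thread (and not Amazon's own code): a small Python broker implementing what the answers above describe. It generates a `state` for each login attempt, puts it in the https://www.amazon.com/ap/oa request alongside the scopes named in the thread, and resolves the callback back to the thread/object that started the login. It also adds the check a practitioner wants on top of plain correlation: the state is drawn from a CSPRNG and is single-use, so a callback whose state is unknown, stale or replayed is rejected rather than attached to some requester (this is the CSRF protection RFC 6749 section 10.12 expects `state` to provide). The client_id and redirect_uri values are placeholder assumptions, as is the parameter name `requester`.

```python
"""Added example: correlate an OAuth 2.0 Authorization Code Grant callback with
the request that started it via the `state` parameter, and reject callbacks
whose state is unknown or already used."""
import secrets
import threading
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://www.amazon.com/ap/oa"   # endpoint named in the thread
CLIENT_ID = "amzn1.application-oa2-client.example"     # assumption: placeholder client id
REDIRECT_URI = "http://127.0.0.1:8080/callback"         # assumption: local callback URL
SCOPES = "clouddrive:read_all clouddrive:write profile"  # scopes from the thread


@dataclass
class PendingLogin:
    requester: str   # identifies the thread/object that initiated the login
    scope: str


class LoginBroker:
    """Issues a fresh `state` per login attempt and maps the callback back to its requester."""

    def __init__(self) -> None:
        self._pending: dict[str, PendingLogin] = {}
        # The initiating code and the callback handler may run on different threads.
        self._lock = threading.Lock()

    def start_login(self, requester: str) -> tuple[str, str]:
        """Return (state, authorize_url) for a new login started by `requester`."""
        # 128 bits from a CSPRNG: the state must be unguessable, otherwise a third
        # party could hand the server a callback that gets attributed to `requester`.
        state = secrets.token_urlsafe(16)
        with self._lock:
            self._pending[state] = PendingLogin(requester=requester, scope=SCOPES)
        query = urlencode({
            "client_id": CLIENT_ID,
            "scope": SCOPES,
            "response_type": "code",
            "redirect_uri": REDIRECT_URI,
            "state": state,
        })
        return state, f"{AUTHORIZE_ENDPOINT}?{query}"

    def handle_callback(self, callback_url: str) -> Optional[tuple[str, str]]:
        """Return (requester, code) for a valid callback, or None if it must be rejected."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        if not state or not code:
            return None
        with self._lock:
            # pop() makes every state single-use: a replayed callback finds nothing.
            pending = self._pending.pop(state, None)
        if pending is None:
            return None   # unknown, stale or replayed state: do not attribute it to anyone
        return pending.requester, code


if __name__ == "__main__":
    broker = LoginBroker()
    state, url = broker.start_login("worker-thread-7")
    print("send the user to:", url)
    # Constructed callback, as the browser would deliver it after login.
    callback = f"{REDIRECT_URI}?code=ANxyz123&scope=clouddrive%3Aread_all&state={state}"
    print("callback resolves to:", broker.handle_callback(callback))
    print("replayed callback resolves to:", broker.handle_callback(callback))
```

The lookup table is in memory here because the thread describes a single local webserver; a multi-process deployment would keep the same state-to-requester mapping in shared storage with an expiry, and would still pop the entry on first use.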

Sven Baeck answered
Hello Jamie, I believe it would be good if the Cloud Drive API documentation could include documentation on the "state" request parameter, since this one is fundamental for multi-user applications (e.g. web-based apps). On top of that adding a link to the document I referenced would allow finding more details on the login and security. Regards, Sven.

Levon@Amazon answered
Hi Sven, Thank you for posting. We appreciate your feedback -- and I have relayed your request to the Cloud Drive team. Cheers, Levon