Hi, that's a good question, thanks for asking. There is a security risk in allowing HTTP return URLs if you are using the Implicit Grant (see our Web Developer guide). A man-in-the-middle would have the ability to view Access Tokens passing between the redirect URL and the user's browser, allowing an attacker to illegitimately obtain customer profile data using those Access Tokens.

If you do not have HTTPS available on your site, you can use the Authorization Code Grant to query Amazon's customer profile endpoint directly from your server. This communication will be over HTTPS and will be authorized with your client-ID and client-secret for authentication. There is sample code available on our Getting Started Guide for Web to show you how to use the Authorization Code Grant.

I would also like to mention that we highly recommend that sites that will have authenticated customer sessions also have the ability to communicate over HTTPS to avoid eavesdropping attacks which may result in credentials being stolen and replayed by an attacker. All secure data, including tokens, should pass over an HTTPS connection.
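The server-side leg of the Authorization Code Grant described in the reply above, as an added example; this is not Amazon's sample code from the Getting Started Guide. The token and profile endpoint URLs are assumptions taken from the Login with Amazon documentation, the host `shop.example`, the client ID and the `request` transport hook are made up so the flow can be exercised offline, and the `redirect_uri_allowed` policy simply encodes the rule stated in the reply (an `http://` return URL is tolerable only when the token never reaches the browser).

```python
"""Authorization Code Grant, server side: code -> token -> profile over HTTPS.

Added example, not Amazon's code. Endpoints are assumed from the Login with
Amazon docs; the `request` hook lets the exchange run without network access.
"""
import json
import secrets
import urllib.parse
import urllib.request

# Assumed endpoints (Login with Amazon). Both are HTTPS, so the one-time code
# and the client_secret travel encrypted even when the site itself is HTTP.
TOKEN_ENDPOINT = "https://api.amazon.com/auth/o2/token"
PROFILE_ENDPOINT = "https://api.amazon.com/user/profile"


def redirect_uri_allowed(redirect_uri, grant):
    """Rule from the thread: with the Implicit Grant the access token is placed in
    the redirect itself, so plain http:// is unsafe; with the code grant only a
    short-lived code appears there, so http:// is tolerable (HTTPS still preferred)."""
    scheme = urllib.parse.urlsplit(redirect_uri).scheme
    if scheme == "https":
        return True
    return scheme == "http" and grant == "authorization_code"


def new_state():
    """Random per-login value stored in the user's session; binds the callback to
    the browser that started the login so a forged callback cannot log someone in."""
    return secrets.token_urlsafe(24)


def parse_callback(callback_url, expected_state):
    """Extract the one-time authorization code from the redirect back to our site."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError("authorization failed: " + query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise PermissionError("state mismatch: callback was not started by this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def _urllib_request(url, data=None, headers=None):
    """Default transport: returns (status, body_text). Swapped out in tests."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


def exchange_code(code, redirect_uri, client_id, client_secret,
                  request=_urllib_request, token_endpoint=TOKEN_ENDPOINT):
    """Redeem the code server-to-server, authenticating with the client secret."""
    if urllib.parse.urlsplit(token_endpoint).scheme != "https":
        raise RuntimeError("refusing to send client_secret to a non-HTTPS token endpoint")
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the one sent in the authorize request
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    status, text = request(token_endpoint, data=body,
                           headers={"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {text}")
    tokens = json.loads(text)
    if "access_token" not in tokens:
        raise RuntimeError("token response lacks access_token")
    return tokens


def fetch_profile(access_token, request=_urllib_request, profile_endpoint=PROFILE_ENDPOINT):
    """Query the profile endpoint from the server; the token never reaches the browser."""
    status, text = request(profile_endpoint,
                           headers={"Authorization": "bearer " + access_token})
    if status != 200:
        raise RuntimeError(f"profile endpoint returned {status}")
    return json.loads(text)


def login_with_code(callback_url, expected_state, redirect_uri, client_id,
                    client_secret, request=_urllib_request):
    """Whole server-side leg: validate callback, exchange code, fetch profile."""
    code = parse_callback(callback_url, expected_state)
    tokens = exchange_code(code, redirect_uri, client_id, client_secret, request)
    return fetch_profile(tokens["access_token"], request)
```

The only thing an eavesdropper on the `http://` callback sees is the `code` and `state` query string; the code is single-use and worthless without the client secret, which is sent only inside the TLS connection to the token endpoint. The `state` check is standard OAuth 2.0 practice rather than something the reply mentions, but without it anyone can complete a login in the victim's session by getting them to load a crafted callback URL.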
Facebook, Twitter, and Google have OAuth logins where no HTTPS is required from the client (only on their server). I just installed them on my CMS with two clicks. Where are you, Amazon? :) Would love Amazon login, but without SSL enforced for the client :) HTTPS is a massive deal breaker since it is a pain to install and also costly. Also, not as secure as many believe given the recent Heartbleed incident (who knows how many exploits we are unaware of).