shaqspeare asked

Allowed Return URLs and https

[On behalf of: scopalto] Hi, I've implemented many OAuth login services and this is the first where HTTPS is required for the "Allowed Return URLs" ... Would it be possible to avoid this limitation?
login with amazon

shaqspeare answered
Hi, that's a good question, thanks for asking.

There is a security risk in allowing HTTP return URLs if you are using the Implicit Grant (see our Web Developer guide). A man-in-the-middle would have the ability to view Access Tokens passing between the redirect URL and the user's browser, allowing an attacker to illegitimately obtain customer profile data using those Access Tokens.

If you do not have HTTPS available on your site, you can use the Authorization Code Grant to query Amazon's customer profile endpoint directly from your server. This communication will be over HTTPS and will be authorized with your client-ID and client-secret for authentication. There is sample code available on our Getting Started Guide for Web to show you how to use the Authorization Code Grant.

I would also like to mention that we highly recommend that sites that will have authenticated customer sessions also have the ability to communicate over HTTPS, to avoid eavesdropping attacks which may result in credentials being stolen and replayed by an attacker. All secure data, including tokens, should pass over an HTTPS connection.
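The server-side flow the answer above describes, written out as an added example (my code, not Amazon's Getting Started sample and not part of the original thread). The three endpoint URLs are the ones published in the Login with Amazon documentation; everything else (client ID, secret, code, token, profile values, and the `FakeAmazon` stand-in for api.amazon.com) is constructed so the flow runs offline. The point to notice is which legs carry what: the browser only ever sees a single-use `code` and a `state` nonce, while the access token moves exclusively on the two server-to-server HTTPS calls, so a plain-HTTP `redirect_uri` never exposes it.

```python
import hmac
import json
import secrets
import urllib.parse
import urllib.request

# Login with Amazon endpoints as given in the public LWA docs; verify before relying on them.
AUTHORIZE_URL = "https://www.amazon.com/ap/oa"
TOKEN_URL = "https://api.amazon.com/auth/o2/token"
PROFILE_URL = "https://api.amazon.com/user/profile"


def _https_post(url, body, headers):
    # Real transport; the offline demo below injects FakeAmazon instead.
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def _https_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def build_authorize_url(client_id, redirect_uri, state, scope="profile"):
    """Step 1: where the browser is sent. response_type=code means the browser carries
    only a short-lived, single-use code back to redirect_uri, never the access token
    (the Implicit Grant would put the token itself in the redirect)."""
    params = {"client_id": client_id, "scope": scope, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def exchange_code(code, client_id, client_secret, redirect_uri, post=_https_post):
    """Step 2: server to server, HTTPS to api.amazon.com whatever the scheme of the
    site's own redirect_uri. The client secret never leaves the server."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
                                   "client_id": client_id, "client_secret": client_secret,
                                   "redirect_uri": redirect_uri}).encode()
    tokens = json.loads(post(TOKEN_URL, body,
                             {"Content-Type": "application/x-www-form-urlencoded"}))
    if "access_token" not in tokens:
        raise RuntimeError("token exchange failed: %s" % tokens.get("error", "unknown"))
    return tokens


def fetch_profile(access_token, get=_https_get):
    """Step 3: also server to server over HTTPS; the bearer token is only ever sent here."""
    return json.loads(get(PROFILE_URL, {"Authorization": "bearer " + access_token}))


def handle_callback(query_string, expected_state, client_id, client_secret,
                    redirect_uri, post=_https_post, get=_https_get):
    """What the redirect_uri endpoint does with '?code=...&state=...'. The per-session
    random state is checked before the code is touched, so an attacker cannot splice
    their own code into a victim's session."""
    qs = urllib.parse.parse_qs(query_string)
    received = qs.get("state", [""])[0]
    if not hmac.compare_digest(received.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discarding code")
    if "code" not in qs:
        raise ValueError("no code in callback: %s" % qs.get("error", ["unknown"])[0])
    tokens = exchange_code(qs["code"][0], client_id, client_secret, redirect_uri, post)
    return fetch_profile(tokens["access_token"], get)


class FakeAmazon:
    """Constructed offline stand-in for the token and profile endpoints (assumed
    behaviour for the demo, not Amazon's implementation)."""

    def __init__(self, code, token, client_secret, profile):
        self.code, self.token, self.client_secret, self.profile = code, token, client_secret, profile
        self.redeemed = False

    def post(self, url, body, headers):
        assert url == TOKEN_URL
        form = urllib.parse.parse_qs(body.decode())
        if (self.redeemed or form.get("code") != [self.code]
                or form.get("client_secret") != [self.client_secret]):
            return json.dumps({"error": "invalid_grant"})
        self.redeemed = True  # a code is single use
        return json.dumps({"access_token": self.token, "token_type": "bearer", "expires_in": 3600})

    def get(self, url, headers):
        assert url == PROFILE_URL
        if headers.get("Authorization") != "bearer " + self.token:
            return json.dumps({"error": "invalid_token"})
        return json.dumps(self.profile)


def demo():
    """Runs the whole flow once against the stand-in and returns the profile dict."""
    client_id, client_secret = "amzn1.application-oa2-client.EXAMPLE", "EXAMPLE_SECRET"
    redirect_uri = "http://www.example.com/lwa/callback"  # plain http: the token never travels here
    profile = {"user_id": "amzn1.account.EXAMPLE", "name": "Jane Doe", "email": "jane@example.com"}
    amazon = FakeAmazon("CODE123", "Atza|EXAMPLETOKEN", client_secret, profile)
    state = secrets.token_urlsafe(16)  # generated per login attempt, stored in the session
    print(build_authorize_url(client_id, redirect_uri, state))
    # ... the user signs in at Amazon and the browser is redirected back with:
    callback_qs = urllib.parse.urlencode({"code": "CODE123", "state": state})
    return handle_callback(callback_qs, state, client_id, client_secret, redirect_uri,
                           post=amazon.post, get=amazon.get)


if __name__ == "__main__":
    print(demo())
```

Two things the flow still does not fix, in line with the closing recommendation of the answer: the session cookie your site sets after `handle_callback` succeeds is exposed if the site itself is served over plain HTTP, and an on-path attacker can also tamper with the unauthenticated pages that start the login. The Authorization Code Grant keeps the Amazon token off the wire; it does not make the rest of the site safe without HTTPS.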

shaqspeare answered
[On behalf of: Obviously] Thank you for this. It was not obvious from the start that HTTPS is so strongly preferred.

Chityil György answered
Facebook, Twitter, and Google have OAuth logins where no HTTPS is required from the client (only on their server). I just installed them on my CMS with two clicks. Where are you, Amazon? :) Would love Amazon login, but without SSL enforced for the client :) HTTPS is a massive deal breaker since it is a pain to install and also costly. Also, not as secure as many believe given the recent Heartbleed incident (who knows how many exploits we are unaware of). More info: https://dev.twitter.com/discussions/24239 https://developers.facebook.com/blog/post/497/

Sujoy@Amazon answered
Thank you for taking the time to share your valuable feedback. I will share it with the appropriate internal team. Thanks.