shaqspeare asked

3rd party (server side) verification of Mobile app using LWA SDK

[On behalf of: TestLoginMobage] Hello all, I am using the Amazon login SDK in an attempt to do a 3rd party (server side) verification of the user logged into an Android app. The Android app does the LWA steps to get an OAuth token and then I need to be able to pass the OAuth token from the app to a server and verify that the user is in fact logged in with LWA to a specific app.

So far, I am able to grab the access token out of the LWA SDK and pass it to the server and then call /auth/O2/tokeninfo as described here and here:

https://forums.developer.amazon.com/forums/thread.jspa?messageID=9850
https://sellercentral.amazon.com/forums/thread.jspa?threadID=173245&tstart=30

When the tokeninfo endpoint returns, it sends JSON like the following:

.../auth/O2/tokeninfo?...
{
  "exp": 692,
  "iss": "...",
  "aud": "amzn1.application-oa2-client.XXX",
  "user_id": "...",
  "app_id": "..",
  "iat": ...
}

The "user_id" and "app_id" fields are edited out here since I can get these values from the SDK and verify a match on the server side. The problem I am having is the "aud" field. The Amazon docs describing the web based OAuth state that this "aud" field is the same as the "client_id" string originally passed to the Federated login. The problem is, this value only seems to live in the api_key.txt Android asset file inside a JWT token.

What I would like to know is how can I use the Amazon login SDK to get access to this field, so that I can pass it to the server for verification purposes. A possible workaround might be to parse the JWT token inside the api_key.txt file and grab the "clientId" value in the Android app, but that feels like a hack since the format of this token could change at any time.

Is my initial assumption that the tokeninfo JSON fields "aud", "user_id", "app_id" all need to be validated correct? If so, any advice on how I can get this working with the LWA SDK?

Mo DeJong
DeNA
login with amazon

shaqspeare answered
If you are just interested in whether or not the user is logged in through a specific Application, then you only need to validate app_id and user_id. If you want to validate that they are logged in through a specific client (for example, the free Android app, the paid Android app, the iOS app, or your website) then you need to validate aud as well, which as you note corresponds to the OAuth2 client ID. Could you elaborate more on your use case?

shaqspeare answered
[On behalf of: TestLoginMobage] Yes, I will need to verify all 3 from the point of view of the server doing the verification. I need to be able to determine that the Android app compiled for the Amazon store is the source of a network connection to the third party server and that a valid Amazon user has signed into the app. Is there a method I can use to access this string via the Amazon SDK?

shaqspeare answered
The LWA SDK does not expose the client ID. Regardless, a client-side API would not help you here, as your server would have to trust the client ID supplied from the same source as the access token. As you mentioned, it is possible to read the client ID from the API key. We do not support this, and it is possible that we may change the API key format in the future and that a future API key for a given app may contain a different client ID. However, these changes would only affect you if you update your app after we make such changes.
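The server-side check the answers above describe (validate aud, app_id and user_id from the tokeninfo response against values the server itself holds, never against values the app supplies), as an added Python example that is not part of this thread or of the LWA SDK. The client ID, app ID and user ID values are constructed placeholders, and the endpoint host api.amazon.com is assumed since the question elides it.

```python
import json
from hmac import compare_digest
from typing import Tuple
from urllib.parse import urlencode

# Server-held configuration (constructed placeholder values, not real Amazon IDs).
# The client ID (aud) and app ID come from the server's own config, never from the
# mobile client, which is the same untrusted source that sent the access token.
EXPECTED_AUD = "amzn1.application-oa2-client.PLACEHOLDER"
EXPECTED_APP_IDS = {"amzn1.application.PLACEHOLDER"}
TOKENINFO_ENDPOINT = "https://api.amazon.com/auth/O2/tokeninfo"  # host assumed

def tokeninfo_url(access_token: str) -> str:
    """URL the server calls to have Amazon describe the token the app handed it."""
    return TOKENINFO_ENDPOINT + "?" + urlencode({"access_token": access_token})

def validate_tokeninfo(tokeninfo: dict, claimed_user_id: str) -> Tuple[bool, str]:
    """Check a parsed tokeninfo response against what this server expects.

    claimed_user_id is the identity the app reported; it is only compared against
    Amazon's answer, never trusted on its own. Returns (ok, reason).
    """
    for claim in ("aud", "user_id", "app_id", "exp"):
        if claim not in tokeninfo:
            return False, "missing claim: " + claim
    # aud binds the token to one OAuth2 client; a token minted for another client
    # (another app by the same vendor, or a website) must be rejected.
    if not compare_digest(str(tokeninfo["aud"]).encode(), EXPECTED_AUD.encode()):
        return False, "aud does not match this server's client ID"
    if tokeninfo["app_id"] not in EXPECTED_APP_IDS:
        return False, "app_id is not a registered app"
    if not compare_digest(str(tokeninfo["user_id"]).encode(), claimed_user_id.encode()):
        return False, "user_id does not match the identity the app claimed"
    # The sample in the question shows exp as a small number (692), i.e. seconds
    # of remaining lifetime; anything non-positive is treated as expired.
    if not isinstance(tokeninfo["exp"], int) or tokeninfo["exp"] <= 0:
        return False, "token expired"
    return True, "ok"

# Constructed sample response in the shape shown in the question.
SAMPLE_TOKENINFO = json.loads("""{
  "exp": 692, "iss": "...", "aud": "amzn1.application-oa2-client.PLACEHOLDER",
  "user_id": "amzn1.account.PLACEHOLDERUSER", "app_id": "amzn1.application.PLACEHOLDER",
  "iat": 1400000000
}""")

if __name__ == "__main__":
    print(validate_tokeninfo(SAMPLE_TOKENINFO, "amzn1.account.PLACEHOLDERUSER"))
```

The app still has to send its access token and the user ID it believes it has; the server fetches tokeninfo itself and accepts the session only when every field agrees with its own configuration.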