shaqspeare asked

For code based authorization, why isn't the code string signed by Amazon?

[On behalf of: DejasPer] If my server receives a GET request to my return URL passing along a code parameter, it would be nice to check that the code string is signed by Amazon. Since it is not, I have to call Amazon to get the auth token (and in essence validate the code). If an attacker keeps calling me at my return URL, I'm going to keep calling Amazon with bad codes, and that looks malicious. How do I defend against this? I would expect the code value to be signed. For future readers, the optional state parameter can help with this. It is a little more work on the application side (I think signing the code parameter is preferable), but it can help defend against this case.
login with amazon
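The state-parameter defense mentioned in the question, as an added Python example (this is not Amazon's code; the helper names, the session dict and the callback shape are assumptions): the server mints an HMAC-bound, single-use state when it sends the user to Amazon and refuses to contact the token endpoint unless the callback carries that state back, so forged hits on the return URL never turn into requests to Amazon.

```python
import hashlib
import hmac
import secrets

# Hypothetical helpers for the OAuth redirect handler (added example).
# `session` stands in for whatever per-user server-side session store you use.

def _sign(secret: bytes, nonce: str) -> str:
    """HMAC-SHA256 over the nonce, keyed with a server-side secret."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()

def begin_login(session: dict, secret: bytes) -> str:
    """Mint the state to send with the authorization request; remember its nonce."""
    nonce = secrets.token_urlsafe(16)
    session["lwa_nonce"] = nonce
    return f"{nonce}.{_sign(secret, nonce)}"

def verify_state(session: dict, secret: bytes, state: str) -> bool:
    """Accept only a state whose nonce is the one stored in this session and
    whose HMAC checks out; a state is consumed on first successful use."""
    nonce, sep, sig = state.rpartition(".")
    expected = session.get("lwa_nonce")
    if not sep or expected is None:
        return False
    nonce_ok = hmac.compare_digest(nonce.encode(), expected.encode())
    sig_ok = hmac.compare_digest(_sign(secret, nonce).encode(), sig.encode())
    if not (nonce_ok and sig_ok):
        return False
    del session["lwa_nonce"]  # single use: a replayed state is rejected
    return True

def handle_callback(params: dict, session: dict, secret: bytes, exchange_code) -> dict:
    """Gate the token exchange. `exchange_code` (your POST to the token
    endpoint) is only invoked once the state has been verified."""
    if "error" in params:
        return {"status": "error", "reason": params["error"]}
    if not verify_state(session, secret, params.get("state", "")):
        return {"status": "rejected", "reason": "state check failed"}
    code = params.get("code")
    if not code:
        return {"status": "rejected", "reason": "code missing"}
    return {"status": "ok", "token": exchange_code(code)}

if __name__ == "__main__":
    # Constructed demo: one forged callback, then the genuine one.
    secret, session = secrets.token_bytes(32), {}
    state = begin_login(session, secret)
    fake_exchange = lambda code: f"token-for-{code}"  # stands in for the call to Amazon
    print(handle_callback({"code": "junk", "state": "x.y"}, session, secret, fake_exchange))
    print(handle_callback({"code": "abc", "state": state}, session, secret, fake_exchange))
```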

1 Answer

shaqspeare answered
Hi, thank you for your feedback. As a general rule, we don't comment on the future direction of the service. Nic