Integration between Mobile and Server application components
[On behalf of: David Smith] Hi, I'm looking to develop a mobile app which will authenticate using Login With Amazon and communicate with a backend server application. In the backend I want to ensure the client application has actually authenticated against Login With Amazon. If I set up the web and mobile components of this system as the same application is there any way that I can pass some code between the mobile and server applications (over a TLS secured connection) that would allow the server application to validate the login credentials and to allow access to the authorized data? David
[On behalf of: David Smith] Hi Pete, I was hoping to use the mobile application flows in Android (and in future iOS) to do the authentication. Once the user has authenticated in the application I was hoping to pull some sort of identifier that could be passed to the server side of the application to identify the user and to allow the profile information to be pulled down to create or validate their account. In terms of the referenced documentation, it doesn't particularly cover what I'm looking to do as it's only really talking about using the user_id field to create a key which allows the account to be linked. This won't allow the server side of the application to pull profile information or validate that a request to create a user is actually for the user account specified (i.e., how do I authenticate that the user is really who they say they are?). At this point it looks like I'll have to use the web authorization flow inside of my mobile application and tell the mobile client about its identity in my system. David
Hi David, What you are doing is very similar to what AWS does to allow developers to expose their cloud resources to their mobile apps. You can read more about AWS Web Identity Federation to get a better understanding of their product.
http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html#CreatingWIF-summary

If you are trying to authenticate mobile apps for your own resources, we recommend that you use the Access Token (that comes from the customer completing the Login with Amazon flow) as a means to validate that the request to your resource is coming from an authenticated user. After you transmit the Access Token over SSL to your server, you should call Amazon's /auth/O2/tokeninfo endpoint (documented in the Web Developer Guide) to validate that the Access Token was generated for your application, by checking that the app_id from /auth/O2/tokeninfo matches the ID of one of your known applications. You can obtain the App ID for your registered application near the top of the App Console when you have an application selected. Subsequently, you could call the /user/profile endpoint to ascertain the identity of the user making the request. We would also recommend that you cache the results of the calls to the /auth/O2/tokeninfo and /user/profile endpoints for performance reasons. Cache TTLs should be roughly the same as the exp value returned from the /auth/O2/tokeninfo request, which is the remaining valid time of the token in seconds. Please let me know if this sufficiently addresses your use case.
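The server-side procedure described in the reply above (receive the Access Token over TLS, confirm via /auth/O2/tokeninfo that its app_id is one of your own applications, then fetch /user/profile and cache the result for about exp seconds), written out as an added Python example. This is not code from the thread or from Amazon; it assumes the endpoints live on the host api.amazon.com, that /auth/O2/tokeninfo also returns a user_id field alongside app_id and exp, and that /user/profile accepts the token as a bearer Authorization header. The FakeAmazon class is a constructed stand-in for both endpoints so the example runs offline; swap in the default fetcher to call the real service.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumption: production Login with Amazon API host for the two endpoints named in the reply.
TOKENINFO_URL = "https://api.amazon.com/auth/O2/tokeninfo"
PROFILE_URL = "https://api.amazon.com/user/profile"

Fetcher = Callable[[str, Dict[str, str]], Dict]


def _http_get_json(url: str, headers: Dict[str, str]) -> Dict:
    """Default fetcher: HTTPS GET returning parsed JSON. urllib validates the server certificate."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


class LwaTokenVerifier:
    """Backend check that a token presented by the mobile app was minted for one of OUR applications."""

    def __init__(self, known_app_ids, fetch: Optional[Fetcher] = None, clock=time.time):
        self.known_app_ids = frozenset(known_app_ids)   # App IDs copied from the App Console
        self.fetch = fetch or _http_get_json
        self.clock = clock
        self._cache: Dict[str, Tuple[float, Dict]] = {}  # token -> (expires_at, profile)

    def verify(self, access_token: str) -> Optional[Dict]:
        """Return the user's profile if the token is valid for our app, otherwise None."""
        now = self.clock()
        cached = self._cache.get(access_token)
        if cached and cached[0] > now:
            return cached[1]                      # still within the TTL derived from exp
        self._cache.pop(access_token, None)

        query = urllib.parse.urlencode({"access_token": access_token})
        info = self.fetch(f"{TOKENINFO_URL}?{query}", {})
        # Reject error bodies and tokens issued to somebody else's application: a valid
        # Amazon token is not enough, it must be a token for one of our app_ids.
        if "error" in info or info.get("app_id") not in self.known_app_ids:
            return None
        try:
            remaining = int(info.get("exp", 0))   # seconds of validity left, per the reply
        except (TypeError, ValueError):
            return None
        if remaining <= 0:
            return None

        profile = self.fetch(PROFILE_URL, {"Authorization": f"bearer {access_token}"})
        # Assumption: both endpoints report user_id; require them to agree before trusting the profile.
        if "error" in profile or profile.get("user_id") != info.get("user_id"):
            return None
        self._cache[access_token] = (now + remaining, profile)
        return profile


class FakeAmazon:
    """Constructed offline stand-in for /auth/O2/tokeninfo and /user/profile; counts calls to show caching."""

    TOKENS = {  # constructed sample tokens and the tokeninfo bodies they map to
        "tok-ours":    {"app_id": "amzn1.application.EXAMPLE-OURS", "user_id": "amzn1.account.EXAMPLE", "exp": 3600},
        "tok-foreign": {"app_id": "amzn1.application.EXAMPLE-OTHER", "user_id": "amzn1.account.EXAMPLE", "exp": 3600},
        "tok-stale":   {"app_id": "amzn1.application.EXAMPLE-OURS", "user_id": "amzn1.account.EXAMPLE", "exp": 0},
    }

    def __init__(self):
        self.calls = 0

    def __call__(self, url: str, headers: Dict[str, str]) -> Dict:
        self.calls += 1
        if url.startswith(TOKENINFO_URL):
            token = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).get("access_token", [""])[0]
            return dict(self.TOKENS.get(token, {"error": "invalid_token"}))
        if url == PROFILE_URL and headers.get("Authorization") == "bearer tok-ours":
            return {"user_id": "amzn1.account.EXAMPLE", "name": "Example User", "email": "user@example.com"}
        return {"error": "invalid_token"}


def run_demo():
    """Exercise the verifier against the fake endpoints; returns (profile, foreign, stale, garbage, calls)."""
    amazon = FakeAmazon()
    verifier = LwaTokenVerifier({"amzn1.application.EXAMPLE-OURS"}, fetch=amazon, clock=lambda: 1000.0)
    ours = verifier.verify("tok-ours")       # tokeninfo + profile: 2 calls
    ours_again = verifier.verify("tok-ours")  # served from cache: 0 calls
    foreign = verifier.verify("tok-foreign")  # wrong app_id: rejected after 1 call
    stale = verifier.verify("tok-stale")      # exp of 0: rejected after 1 call
    garbage = verifier.verify("not-a-token")  # error body: rejected after 1 call
    assert ours is ours_again
    return ours, foreign, stale, garbage, amazon.calls


if __name__ == "__main__":
    print(run_demo())
```

The app_id comparison is the step that matters: a token Amazon issued to some other developer's application still passes the "is this a real Amazon token" test, so the backend must check that the token belongs to one of its own App IDs before it treats the attached profile as a login. Caching is keyed on the token and expires with exp, so a revoked or expired token is re-checked rather than served from stale state.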