question

shaqspeare asked

Allowed Return URLs

[On behalf of: Maarten88] I am trying to implement Amazon login on an ASP.NET site using DotNetOpenAuth and have several problems with the allowed return URLs.
1. The screen says the Return URLs setting is optional (which seems insecure), but I keep getting the "The redirect URI you provided has not been whitelisted for your application" error when this is left empty. The screen also allows entering http:// addresses, which do not work.
2. It is very picky with the URL. I cannot use an address like https://localhost/signin or https://mysite.local/signin for development and testing; it has to be a "real" address like https://mysite.local.net/signin. This is annoying during development, having to make an alias for a real address in hosts.
3. It seems that it only works with an exact match on the reply address. The OAuth framework I use puts dynamic parameters in the return URL and validates those on return. I can't get this to work; it keeps giving the "The redirect URI you provided has not been whitelisted for your application" error. Why doesn't it just match the Return URL against the first part of the parameter it receives? Is there a way to specify a wildcard in the return URL setting?
login with amazon

shaqspeare answered
Hi, I'd like to get some clarification on a few things.
1) Which OAuth request are you making when you see the "The redirect URI you provided has not been whitelisted for your application" error? Is it the exchange from an authorization code to an access token? When you say that the screen allows http:// addresses, are you referring to the Login with Amazon App Console?
2) 127.0.0.1 can be used in place of localhost. Will entering https://127.0.0.1/signin work for you?
3) We don't support wildcards in redirect URIs. However, I will discuss with the engineering team about allowing dynamic parameters in the given redirect URI. I'll provide an update when we make progress on the discussion. In the meantime, can you provide us an example redirect URI and help us understand what the purpose of these dynamic parameters is? If you are uncomfortable with providing any sensitive information, you may email us directly at lwa-support@amazon.com

shaqspeare answered
[On behalf of: Maarten88]
1) I am doing response_type=token (implicit grant). Yes, I'm referring to the App Console ( https://sellercentral.amazon.com/gp/homepage.html ).
2) Didn't know that; it would have made it easier. By now I set everything up with mysite.local.net as the URL. Still, I think it would be nice if you just allowed localhost. Other providers I used have no problem with that.
3) At the very least, you should be able to pass an encoded ReturnUrl in the reply address and receive it back, so that the user can be redirected back to the page where she clicked Login. DotNetOpenAuth also adds a parameter containing a session id and provider. The complete request URL it creates is this:
https://www.amazon.com/ap/oa?client_id=my id&redirect_uri=https%3A%2F%2Fmysite.local.net%3A44304%2FAccount%2FExternalLoginCallback%3FReturnUrl%3D%252F%26__provider__%3Damazon%26__sid__%3D856c9d30653f4f3fb20a32253cdbd0b5&response_type=token&scope=profile
which is refused. If I pass the exact URL ( https://www.amazon.com/ap/oa?client_id=my id&redirect_uri=https%3A%2F%2Fmysite.local.net%3A44304%2FAccount%2FExternalLoginCallback ) it works on the Amazon site, but authentication fails on return to my site because DotNetOpenAuth wants to validate the session id, but it doesn't receive it. I think Amazon should just do a String.BeginsWith() instead of String.Equals() on the allowed return URL. Other OAuth providers do accept these requests.

shaqspeare answered
1) In the Login with Amazon App Console, we indicate that redirect URIs are optional because you do not need to register one if you are using only the Login with Amazon SDK for JavaScript to obtain an authorization grant. We document such a scenario in the Website Getting Started Guide.
2) I agree that allowing localhost is a good thing for us to do. We will be working on allowing localhost in the near future.
3) We perform simple string comparisons on the full URIs registered with us, as specified in the OAuth2 spec under 3.1.2.3. Dynamic Configuration. One benefit to doing this is to help mitigate potential threats from open redirectors. However, I can see that this poses problems when integrating with DotNetOpenAuth. Fortunately, I believe the DotNetOpenAuth guys are already working on moving the session id from the redirect URI to the OAuth 2 state parameter: https://github.com/DotNetOpenAuth/DotNetOpenAuth/pull/248
Until then, you will have to roll your own implementation to make the authorization request to https://www.amazon.com/ap/oa by referring to the Website Developer Guide, or obtain an authorization grant using the SDK for JavaScript, referring to the example in the Website Getting Started Guide. In the meantime, I will bring up this pain with the rest of the engineering team and bring into consideration the need for documenting guidance for C# developers.
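The exact-match rule and the state-parameter workaround discussed in the two replies above, as an added Python example that is not part of this thread, of Login with Amazon, or of DotNetOpenAuth: redirect_uri_allowed models the provider-side comparison described in the answer, REGISTERED_REDIRECT_URIS and the signing secret are constructed values, and the session id, provider and ReturnUrl that DotNetOpenAuth appended to the redirect URI are carried in an HMAC-signed state value instead, so the redirect_uri sent to /ap/oa is exactly the registered string.

```python
import base64, binascii, hashlib, hmac, json, secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://www.amazon.com/ap/oa"
# Constructed example registration: the single URI whitelisted in the app console.
REGISTERED_REDIRECT_URIS = {"https://mysite.local.net:44304/Account/ExternalLoginCallback"}


def redirect_uri_allowed(redirect_uri: str) -> bool:
    """Exact string comparison against the registered set, as the provider does
    (RFC 6749 section 3.1.2.3). No prefix or wildcard matching: a URI that
    carries extra query parameters is a different string and is refused."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(secret: bytes, return_url: str, provider: str = "amazon") -> str:
    """Carry the per-request values (ReturnUrl, provider, a fresh session id) in an
    HMAC-signed `state` value instead of appending them to redirect_uri."""
    payload = json.dumps({"ReturnUrl": return_url, "provider": provider,
                          "sid": secrets.token_hex(16)}, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def parse_state(secret: bytes, state: str):
    """Return the dict packed by make_state, or None if the state is malformed or
    its HMAC does not verify (never trust ReturnUrl before the check passes)."""
    try:
        payload_b64, tag_b64 = state.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Implicit-grant request as in the thread: redirect_uri must be the exact
    registered string; everything dynamic rides in state."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect URI not whitelisted: " + redirect_uri)
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "response_type": "token", "scope": "profile", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)
```

On the callback, the site reads ReturnUrl and the session id out of the verified state rather than out of the redirect URI, which is what the DotNetOpenAuth pull request linked above moves toward.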

shaqspeare answered
[On behalf of: Accelerated Pic...] Thanks for escalating this, Brian, the lack of C# support is definitely holding us back as well

shaqspeare answered
[On behalf of: Maarten88] Brian, thank you for your answer. I understand your point. I researched working around it in DotNetOpenAuth, but that would result in either a very nasty hack around the built-in security measures of DotNetOpenAuth, or making a private build of it with a change that is not well-tested... I don't like either. I was just researching Amazon Login as an option; I'll wait until someone at Microsoft or Amazon makes it work in a straightforward way.

shaqspeare answered
[On behalf of: Maarten88] I made it work after all. My code is here ( https://gist.github.com/Maarten88/5761358 ) and I blogged about it here: http://www.macaw.nl/weblog/2013/6/adding-amazon-login-to-an-asp-net-mvc-website-with-simplemembership