[On behalf of: Maarten88] I am trying to implement Amazon login on an ASP.NET site using DotNetOpenAuth and have several problems with the allowed return URLs. 1. The screen says the Return URLs setting is optional (which seems insecure), but I keep getting the "The redirect URI you provided has not been whitelisted for your application" error when this is left empty. The screen also allows entering http:// addresses, which do not work. 2. It is very picky with the URL. I cannot use an address like https://localhost/signin or https://mysite.local/signin for development and testing; it has to be a "real" address like https://mysite.local.net/signin. This is annoying during development, having to make an alias for a real address in hosts. 3. It seems that it only works with an exact match on the reply address. The OAuth framework I use puts dynamic parameters in the return URL and validates those on return. I can't get this to work; it keeps giving the "The redirect URI you provided has not been whitelisted for your application" error. Why doesn't it just match the Return URL against the first part of the parameter it receives? Is there a way to specify a wildcard in the return URL setting?
Hi, I'd like to get some clarification on a few things. 1) Which OAuth request are you making when you see the "The redirect URI you provided has not been whitelisted for your application" error? Is it the exchange from an authorization code to an access token? When you say that the screen allows http:// addresses, are you referring to the Login with Amazon App Console? 2) 127.0.0.1 can be used in place of localhost. Will entering https://127.0.0.1/signin work for you? 3) We don't support wildcards in redirect URIs. However, I will discuss with the engineering team about allowing dynamic parameters in the given redirect URI. I'll provide an update when we make progress on the discussion. In the meantime, can you provide us an example redirect URI and help us understand what the purpose of these dynamic parameters is? If you are uncomfortable with providing any sensitive information, you may email us directly at
[On behalf of: Maarten88] 1) I am doing response_type=token (implicit grant). Yes, I'm referring to the App Console (https://sellercentral.amazon.com/gp/homepage.html). 2) Didn't know that; it would have made it easier. By now I set everything up with mysite.local.net as the URL. Still, I think it would be nice if you just allowed localhost. Other providers I used have no problem with that. 3) At the very least, you should be able to pass an encoded ReturnUrl in the reply address and receive it back, so that the user can be redirected back to the page where she clicked Login. DotNetOpenAuth also adds a parameter containing a session id and provider. The complete request URL it creates is this: 2Fmysite.local.net%3A44304%2FAccount%2FExternalLoginCallback%3FReturnUrl%3D%252F%26__provider__%3Damazon%26__sid__%3D856c9d30653f4f3fb20a32253cdbd0b5&response_type=token&scope=profile which is refused. If I pass the exact URL (2Fmysite.local.net%3A44304%2FAccount%2FExternalLoginCallback) it works on the Amazon site, but authentication fails on return to my site because DotNetOpenAuth wants to validate the session id, but it doesn't receive it. I think Amazon should just do a String.BeginsWith() instead of String.Equals() on the allowed return URL. Other OAuth providers do accept these requests.
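The post above contrasts an exact-match check (String.Equals) with a prefix check (String.BeginsWith) on the registered redirect URI. The following is an added example, not code from DotNetOpenAuth, Amazon or the poster: it shows both checks side by side with the redirect URIs quoted in the thread, and then the standard OAuth 2.0 way to carry per-request data such as ReturnUrl and a session id without altering the redirect URI at all, namely the `state` parameter, here signed with an HMAC key held by the relying party so the callback can verify it. The client id, the HMAC key, the authorization endpoint placeholder and the token value are constructed sample values; the registered URI and the `__sid__` value are the ones from the post.

```python
"""Redirect-URI matching at the authorization server, and carrying
per-request data in `state` on the client side.  Added example; not
DotNetOpenAuth or Amazon code.  Sample values are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Registered redirect URI for one client, as entered on the App Console.
REG_URI = "https://mysite.local.net:44304/Account/ExternalLoginCallback"
REGISTERED = {REG_URI}

# Placeholder for the provider's authorization endpoint (constructed, not Amazon's).
AUTHORIZE_ENDPOINT = "https://authorization-server.example/authorize"


def redirect_uri_allowed(redirect_uri: str, registered=REGISTERED) -> bool:
    """Exact match (String.Equals): the server knows precisely which URL the
    token will be delivered to.  Any extra query parameter or path segment
    makes it a different, unregistered URI."""
    return redirect_uri in registered


def redirect_uri_allowed_prefix(redirect_uri: str, registered=REGISTERED) -> bool:
    """Prefix match (String.BeginsWith), as the poster proposes.  It accepts
    the parameterised URI, but it also accepts every other URI that starts
    with a registered one, so the registration no longer pins down where a
    token ends up.  Shown only to make the difference visible."""
    return any(redirect_uri.startswith(r) for r in registered)


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pack_state(data: dict, key: bytes) -> str:
    """Serialise the per-request data and append an HMAC-SHA256 tag so the
    callback can reject anything it did not issue itself."""
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64u(payload) + "." + _b64u(tag)


def unpack_state(state: str, key: bytes):
    """Return the data dict if the tag verifies, else None."""
    try:
        enc_payload, enc_tag = state.split(".", 1)
        payload, tag = _unb64u(enc_payload), _unb64u(enc_tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def build_authorize_url(client_id: str, redirect_uri: str, return_url: str,
                        session_id: str, key: bytes):
    """Build the implicit-grant request.  The redirect_uri is sent exactly as
    registered; ReturnUrl, provider and session id travel in `state`."""
    data = {"ReturnUrl": return_url, "__provider__": "amazon",
            "__sid__": session_id, "nonce": secrets.token_hex(8)}
    state = pack_state(data, key)
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "token", "scope": "profile",
                       "state": state})
    return AUTHORIZE_ENDPOINT + "?" + query, state


def handle_callback(callback_url: str, key: bytes):
    """Parse the implicit-grant response.  The token and state arrive in the
    URL fragment (which a browser does not send to the server; page script
    must forward it).  Returns the token plus the recovered data, or None."""
    params = parse_qs(urlsplit(callback_url).fragment)
    state = params.get("state", [None])[0]
    token = params.get("access_token", [None])[0]
    if state is None or token is None:
        return None
    data = unpack_state(state, key)
    if data is None:
        return None
    return {"access_token": token, **data}


if __name__ == "__main__":
    key = b"constructed-relying-party-key"
    url, _ = build_authorize_url("client-id-placeholder", REG_URI, "/",
                                 "856c9d30653f4f3fb20a32253cdbd0b5", key)
    print(url)
```

The registered URI on the callback side never changes, so the exact-match check passes, while the session id that DotNetOpenAuth wants to validate on return is still available to the callback, recovered from the verified `state` rather than from the redirect URI itself.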
https://github.com/DotNetOpenAuth/DotNetOpenAuth/pull/248 Until then, you will have to roll your own implementation to make the authorization request to
[On behalf of: Maarten88] Brian, thank you for your answer. I understand your point. I researched working around it in DotNetOpenAuth, but that would result in either a very nasty hack around the built-in security measures of DotNetOpenAuth, or making a private build of it with a change that is not well-tested... I don't like either. I was just researching Amazon Login as an option; I'll wait until someone at Microsoft or Amazon makes it work in a straightforward way.