question

Galactoise asked Jan 17, '16

AccountLinking HTTPS Requirement

So, one of the guidelines around doing Account Linking is: [i]Minimal Security Requirement Guidelines: (2) Skill providers must serve a login page over HTTPS[/i] Instead of diving into this and then having certification shoot me down, I want to confirm in advance that this requirement is what I think it is. When they say "login page" they are talking specifically about where the user is providing a password (or other secure data), correct? This is important to me because I'm building something where external providers handle login via OAuth, but the landing page that starts the linking flow (as well as the final "success, close this window" page) will not accept https. The external services I'm working with absolutely do https for all of their login pieces, and at no point will our servers ever handle anything resembling a password. Is this acceptable within the guidelines as currently defined?

alexa skills kit submission testing certification

10 |5000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Steve A answered Jan 17, '16

I hate to say it, but I think the answer is no. You need to serve an HTTPS page in account linking, full stop. I doubt think it matters whether that page asks for credentials or not. But as with many things in certification, you might just have to run it up the flagpole and see. Steve

10 |5000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Galactoise answered Jan 17, '16

See, this is one of those cases where I'd ask the question - "why?" If it doesn't benefit anyone, why make it a requirement? I have a call with the certification team tomorrow about some other issues, maybe I'll try and see if I can piggyback this on.

10 |5000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Galactoise answered Jan 17, '16

Ugh, I see why it's going to require https throughout, now that I've read the docs a bit more. This flow is considerably more complicated than what I need. It was built to be able to connect directly into a standard OAuth flow, but that's not what I'm trying to do. I wish there was a more intermediate approach where I could just give a user a card that says "hey, go to this link and give me a little bit of information that I don't have yet".

10 |5000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Nick Gardner answered Jan 20, '16

Hi, Yes, the flow is significantly simpler when you are implementing your own OAuth solution. If you are using a third party solution, you essentially need to nest the two OAuth providers, since per the guidelines, you should store the OAuth token for the user on your server, instead of giving it to Amazon. We do appreciate your input, as account linking, like many other features, is still relatively new and we are always looking to improve it. If there are any updates, I'll be sure to post them on this forum. Thanks, Nick

10 |5000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Galactoise answered Jan 21, '16

Thank, Nick. Lawrence has a longer thread ( https://forums.developer.amazon.com/forums/thread.jspa?threadID=10697&tstart=0) where a few of us talk in greater detail about possible solutions and architecture for problems of this type - I think it would be valuable if you have time to chime in there, as well, to make sure we're on the right track.

10 |5000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.