So, one of the guidelines around doing Account Linking is: [i]Minimal Security Requirement Guidelines: (2) Skill providers must serve a login page over HTTPS[/i] Instead of diving into this and then having certification shoot me down, I want to confirm in advance that this requirement is what I think it is. When they say "login page" they are talking specifically about where the user is providing a password (or other secure data), correct? This is important to me because I'm building something where external providers handle login via OAuth, but the landing page that starts the linking flow (as well as the final "success, close this window" page) will not accept https. The external services I'm working with absolutely do https for all of their login pieces, and at no point will our servers ever handle anything resembling a password. Is this acceptable within the guidelines as currently defined?
I hate to say it, but I think the answer is no. You need to serve an HTTPS page in account linking, full stop. I don't think it matters whether that page asks for credentials or not. But as with many things in certification, you might just have to run it up the flagpole and see.

Steve
See, this is one of those cases where I'd ask the question - "why?" If it doesn't benefit anyone, why make it a requirement? I have a call with the certification team tomorrow about some other issues, maybe I'll try and see if I can piggyback this on.
Ugh, I see why it's going to require https throughout, now that I've read the docs a bit more. This flow is considerably more complicated than what I need. It was built to be able to connect directly into a standard OAuth flow, but that's not what I'm trying to do. I wish there was a more intermediate approach where I could just give a user a card that says "hey, go to this link and give me a little bit of information that I don't have yet".
Hi,

Yes, the flow is significantly simpler when you are implementing your own OAuth solution. If you are using a third party solution, you essentially need to nest the two OAuth providers, since per the guidelines, you should store the OAuth token for the user on your server, instead of giving it to Amazon. We do appreciate your input, as account linking, like many other features, is still relatively new and we are always looking to improve it. If there are any updates, I'll be sure to post them on this forum.

Thanks,
Nick
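The "nested OAuth" arrangement Nick describes, as an added example that is not code from this thread or from Amazon: the skill acts as an OAuth server toward Amazon and as an OAuth client toward the third-party identity provider, keeps the provider's token on its own server, and hands Amazon only a token it mints itself. The login page Amazon lands on is the `authorize` endpoint, which is why it has to be served over HTTPS. All hostnames, the allow-listed redirect URI, the client id and the in-memory stores are assumptions made up for the example; `exchange_code` stands in for the real server-to-server code-for-token call to the provider.

```python
# Offline simulation of nested OAuth for Alexa account linking (added example, not
# the forum's or Amazon's code). All URLs and identifiers below are constructed.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical Amazon redirect URI the skill will send users back to (placeholder).
AMAZON_REDIRECT_ALLOWLIST = {"https://amazon-redirect.example.com/skill/link"}
# Hypothetical third-party identity provider's authorize endpoint.
PROVIDER_AUTHORIZE_URL = "https://idp.example.com/oauth/authorize"
SKILL_CALLBACK_URL = "https://skill.example.com/callback"


class SkillLinkingServer:
    """OAuth server toward Amazon, OAuth client toward the external provider."""

    def __init__(self):
        self.pending = {}          # our_state -> {amazon_state, amazon_redirect}
        self.auth_codes = {}       # code we issued to Amazon -> user_id (single use)
        self.skill_tokens = {}     # token we issued to Amazon -> user_id
        self.provider_tokens = {}  # user_id -> provider token, kept server-side only

    def authorize(self, amazon_query: dict) -> str:
        """Leg 1: Amazon sends the user to our HTTPS login page; we bounce to the provider."""
        redirect = amazon_query["redirect_uri"]
        if urlparse(redirect).scheme != "https" or redirect not in AMAZON_REDIRECT_ALLOWLIST:
            raise ValueError("redirect_uri must be HTTPS and on the allow-list")
        our_state = secrets.token_urlsafe(16)  # our own CSRF state toward the provider
        self.pending[our_state] = {"amazon_state": amazon_query["state"],
                                   "amazon_redirect": redirect}
        return PROVIDER_AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": "skill-client-id",
            "redirect_uri": SKILL_CALLBACK_URL, "state": our_state})

    def provider_callback(self, query: dict, exchange_code) -> str:
        """Leg 2: provider returns a code; we swap it for a provider token and store it."""
        ctx = self.pending.pop(query["state"], None)
        if ctx is None:
            raise ValueError("unknown or replayed state")
        provider_token, user_id = exchange_code(query["code"])  # server-to-server call
        self.provider_tokens[user_id] = provider_token           # never given to Amazon
        code = secrets.token_urlsafe(16)                         # code we issue to Amazon
        self.auth_codes[code] = user_id
        return ctx["amazon_redirect"] + "?" + urlencode(
            {"code": code, "state": ctx["amazon_state"]})

    def token(self, form: dict) -> dict:
        """Leg 3: Amazon exchanges our code at our token endpoint for a skill token."""
        user_id = self.auth_codes.pop(form["code"], None)
        if user_id is None:
            raise ValueError("invalid or already-used code")
        tok = secrets.token_urlsafe(24)
        self.skill_tokens[tok] = user_id
        return {"access_token": tok, "token_type": "bearer"}

    def provider_token_for(self, skill_access_token: str) -> str:
        """At request time the skill maps Amazon's bearer token to the stored provider token."""
        return self.provider_tokens[self.skill_tokens[skill_access_token]]


def run_flow() -> dict:
    """Drive all three legs offline with a fake provider; report what each party holds."""
    skill = SkillLinkingServer()
    amazon_state = "amz-state-123"                         # constructed value
    amazon_redirect = next(iter(AMAZON_REDIRECT_ALLOWLIST))
    to_provider = skill.authorize({"state": amazon_state, "redirect_uri": amazon_redirect})
    our_state = parse_qs(urlparse(to_provider).query)["state"][0]

    def fake_exchange(code):  # stands in for the provider's token endpoint (constructed)
        if code != "idp-code-xyz":
            raise ValueError("bad code")
        return "idp-token-abc", "user-42"

    back_to_amazon = skill.provider_callback(
        {"state": our_state, "code": "idp-code-xyz"}, fake_exchange)
    q = parse_qs(urlparse(back_to_amazon).query)
    if q["state"][0] != amazon_state:                      # Amazon verifies its own state
        raise ValueError("state mismatch")
    amazon_token = skill.token({"grant_type": "authorization_code",
                                "code": q["code"][0]})["access_token"]
    return {
        "amazon_holds": amazon_token,
        "skill_can_reach_provider_token": skill.provider_token_for(amazon_token),
        "amazon_saw_provider_token": "idp-token-abc" in back_to_amazon
                                     or amazon_token == "idp-token-abc",
    }


if __name__ == "__main__":
    print(run_flow())
```

The two state values are deliberately separate: Amazon's `state` is echoed back untouched so Amazon can verify it, while the skill uses its own random state toward the provider and refuses callbacks it does not have a pending entry for. Codes are single use, and the only place the provider token ever appears is the server-side `provider_tokens` map.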