Enabling a redirect authentication

In some cases – for example when your buyers are using a mobile device – you will want to redirect buyers to the Amazon authentication page within the same window rather than presenting the buyer with a pop-up window.

In this section

  • Procedure: the changes you need to make to your website to enable a redirect authentication
  • Cross-site request forgery: how to prevent attackers from using a buyer's web browser to perform unwanted actions once the buyer is authenticated
  • When a buyer denies consent: how to handle cases when the buyer declines to grant you access to their Amazon Pay profile information during authentication

Procedure

The changes you need to make to your website to enable redirect authentication are:

  1. Set the popup parameter to false in the button widget.
  2. Check that you have added the return URLs in the Allowed Return URLs field in Seller Central. Also add the domain name to the Allowed JavaScript Origins field.
    1. Log in to Seller Central and select Integration > Integration Central from the navigation bar on the top-left side.
    2. Under the Manage client ID/store ID(s) section, click View client ID/store ID(s).
    3. Choose your Amazon Pay application from the App or store name dropdown, and click Edit on the right-hand side to add or edit your URLs.
    4. Click Save changes when done.
  3. On the webpage that you want to redirect users back to, you must add JavaScript code in your <header> section to retrieve the access token that is required by the widgets. For more information, see Access tokens.
    The sample code below shows JavaScript code for retrieving the access token. Note: If you use localhost for testing Amazon Pay, remove the ";secure" flag from the cookie.
     
    <script type='text/javascript'>
      // Extract a named parameter from a query string or a URL fragment.
      function getURLParameter(name, source) {
        return decodeURIComponent((new RegExp('[?|&|#]' + name + '=' +
          '([^&]+?)(&|#|;|$)').exec(source) || [,""])[1].replace(/\+/g,
          '%20')) || null;
      }

      // The access token is delivered in the URL fragment (location.hash),
      // which the browser never sends to the server.
      var accessToken = getURLParameter("access_token", location.hash);

      // Only store a value that has the shape of an Amazon access token.
      if (typeof accessToken === 'string' && accessToken.match(/^Atza/)) {
        document.cookie = "amazon_Login_accessToken=" + accessToken +
          ";secure";
      }

      window.onAmazonLoginReady = function () {
        amazon.Login.setClientId('amzn1.application-oa2-client.d607ddd4957c44019e73086bc7cSAMPLE');
        amazon.Login.setUseCookie(true);
      };
    </script>

    <script src='https://static-na.payments-amazon.com/OffAmazonPayments/us/sandbox/js/Widgets.js?sellerId=YOUR_SELLER_ID'>
    </script>
        
    
  4. Delete the widget cookie. When you use the Amazon Pay JavaScript SDK, you can call the amazon.Login.logout method to delete any cached tokens. If you are using redirect authentication, you should also delete the cookie used by the AddressBook and Wallet widgets to ensure that subsequent calls to amazon.Login.authorize present the login screen by default. The following code sample from the Amazon Pay JavaScript SDK uses the amazon.Login.logout method to delete cached tokens and then expires the widget cookie.
     
        <script type="text/javascript">
          document.getElementById('Logout').onclick = function() {
            // Clear the SDK's cached tokens.
            amazon.Login.logout();
            // Expire the widget cookie by setting a date in the past.
            document.cookie = "amazon_Login_accessToken=; expires=Thu, 01 Jan 1970 00:00:00 GMT";
            window.location = 'REDIRECT_URL';
          };
        </script>
        
    

Cross-site request forgery

Cross-site request forgery happens when an attacker tricks a user into clicking a malicious link to a site where the user is already authenticated. Any commands embedded in the malicious link might be executed automatically: because the user is already authenticated on the site, the user does not see a login screen or any other evidence of malicious activity. In the case of Login with Amazon, cross-site request forgery could be used to mimic a client or an authentication server.

When a client registers for Login with Amazon, they are assigned a client identifier (client_id) and a client secret (client_secret). The client verifies their identity using the client_id and client_secret parameters in access token requests (these values would have to be forged by an attacker).

Login with Amazon also uses the state parameter to prevent cross-site request forgery. The client sets the value of the state parameter when it initiates an authorization request. Unlike the client_id and client_secret values, the state value can and should be different for each authorization request. The authorization server returns the same value when communicating with the client to deliver authorization codes and access tokens. If the state parameter doesn't match the value from the initial call, the communication should be ignored. For more information about the state parameter and its use, see Cross-site request forgery in the Login with Amazon documentation.

When a buyer denies consent

The first time a buyer signs in and is authenticated on your website, they must give their consent to share their Amazon Pay profile information with you. If a buyer clicks the Cancel button on the consent screen during a redirect authentication and denies you consent, Amazon Pay forwards the buyer to the redirect URL, but instead of passing back an AccessToken, an error description is returned.

Note that an AccessToken is returned in the URL fragment, whereas an error description is returned via a query string. Before rendering the redirect URL, you need to check for a query string with an error description and, if found, redirect the buyer to the page where the login process was initiated.

The following example shows a URL fragment where the buyer gave their consent to share their Amazon Pay profile information with you.

 
https://www.sample-store.com/amazonReturn.html#access_token=Atza%7CIQEBLjAsAhQWkVKdr_uRdbW7QpkRY8LIxgQIUczBscZcklUALuEd651Nd1_ulkU8WiXq7ZmzcAlp9lZ6Vf_pwaAGL1eVBVKx2x74TmQJkdZiaMdVOT99M34V3HvWOtPgWOxUqIgcgBoJ4R1LenaOIg9ZMyU_YO0Ma4Xvsqg7R5fTozyZaVVv5PwGNRhrQq32RFU7x4Jr6riKsR1AWFoSW3i1arpDCmbF_P3CgVf5X7Y3Dmdkci7JTestAccessToken&token_type=bearer&expires_in=3600&scope=profile+payments%3Awidget

The following example shows an error description returned in the query string when a buyer declines to share their profile information with you.

 
https://www.sample-store.com/amazonReturn.html?error_description=Access+not+permitted.&error=access_denied