Developer Console

Query strings and URL fragments in Login with Amazon responses

Greg Bulmash Oct 11, 2016
How to

Login with Amazon (LwA) allows your customers to log in to your website or app using their Amazon credentials. LwA uses the OAuth 2.0 protocol making integration easy, and allows you to provide a more personalized user experience such as greeting visitors by name or displaying customized offers based on zip codes.

Depending on the permissions you request as part of this authentication (and what the user approves), LwA returns information you can use to connect to different Amazon APIs and obtain information about the user, perform tasks on their behalf, and/or incorporate Amazon services into your interactions with them.

The JavaScript SDK for the web use case
When a user opts to use Login with Amazon to log into your site, you have to send them to an Amazon controlled page where they enter their email and password. This provides assurance to the user that you are not peeking at their password. When a user completes a login and approves the permissions you requested, the main browser window is redirected to a URL of your designation with information embedded in the URL.

There is one use case, involving the JavaScript SDK for the web and an Implicit Grant (where the "response_type" is "token"), that returns an access token with a URL fragment (#x=y) rather than a query string (?x=y). Why does this happen?

As a developer you have two options for redirecting a user to the Amazon Login experience:

  1. A pop-up window with the login form
  2. A full redirect to a page with the login form

You select this option by setting "popup" to true or false in the following snippet from our JavaScript sample code.

JavaScript sample code.

The URL the user is referred back to will be similar to:

  1. (response_type: 'token', popup: true)
  2. (response_type: 'token', popup: false)

As you can see, when you opt for the full redirect, the access token that is returned contains a URL fragment rather than a query string.

Why does that happen and how can I deal with it?

Why does Amazon return a URL fragment when the query string is obviously easier to work with? Security for your users. A URL fragment is not passed directly to your server, but only to the browser. As it turns out, this is also part of the OAuth specification.

The spec further states the developer’s web server should pass some code to the browser capable of extracting that data from the URL fragment. That may seem difficult, but here's a quick snippet of JavaScript that makes it simple:

JavaScript sample code.

You can then pass the data in the params array to your server however you like.

If you have any questions about Login with Amazon (LwA), please engage with us on the LwA forums. Stay tuned for more LwA posts on users and online identity.

Related articles