Register for LWA
Dynamically Redirect Users
After users Login with Amazon, they can only be redirected back to the static pages you specified as Allowed Return URLs when you registered your app. To instead redirect users dynamically to various different URLs after authentication, when you make the authorization request, populate the
state parameter with a value that can be used to generate the desired redirect URL
For example, if you ultimately want users redirected back to the Item Description page they were viewing prior to authentication, populate the
state parameter in your request with the unique portion of the Item Description page URL.
After authentication, Login with Amazon sends back an authorization response to the client that includes the same
state parameter value you specified in the request. The user is sent to the Allowed Return URL. Use the
state parameter value to dynamically generate the URL associated with the page you’d like the user to land on ultimately, then immediately redirect them there from the static page.
If the dynamic URL contains sensitive information, we recommend encrypting, then base64-encoding it, before assigning it to the
state parameter. When the information is returned in the authorization response, decrypt and decode it to generate the dynamic URL.
In addition, we strongly recommend to anyone using redirect authentication to protect users from cross-site request forgery attacks. Do this by assigning a unique value (a csrf token) to the
state parameter in each authentication request, and later validate it in the authentication response. Consider assigning both this unique csrf token and the redirect URL to the state parameter using concatenation. For example:
<csrf-token> + "" + <dynamic-url>
For more information on creating a csrf token, see Cross-site Request Forgery.