LWA Mobile SDK Overview
To access the Dash Replenishment Service (DRS), your DRS-enabled product needs to obtain a Login with Amazon access token, which will be sent up with each request. This document explains how to obtain an access token using the Login with Amazon SDK for Android or iOS.
Before you integrate the LWA SDK into your companion app, your product must be able to generate a code verifier and create a code challenge. These values, along with the code challenge method, are used by LWA to validate requests from your product before tokens are exchanged. The LWA implementation of symmetric proof of possession is based on Proof Key for Code Exchange by OAuth Public Clients.
A code verifier is a cryptographically random string generated by your product, which is hashed (SHA256) and handed off to your companion app. The string should be between 43 and 128 characters long and composed of characters from the URL and filename-safe alphabet ([A-Z], [a-z], [0-9], “-”, “_”, “.”, “~”).
The code verifier is sensitive data and should never be transferred from your product.
Your client/product is expected to create a code challenge derived from the code verifier using one of the following transformations; SHA-256 is recommended:
code challenge = code verifier
Note: The plain transformation is for compatibility with existing deployments and for constrained environments that can’t use the S256 transformation.
Base64url encoding of your code verifier’s SHA256 hash. The Base64url-encoded string should not contain the following characters: “=”, “+”, or “/”.
See Proof Key for Code Exchange by OAuth Public Clients, Appendix A for detailed information on implementing
Code Challenge Method
The method used to derive the code challenge. LWA accepts both plain and SHA-256.
Platform Options for Using the LWA SDK with DRS
See one of the following for instructions on using the Login with Amazon SDK for Android or iOS with DRS.