The Login with Amazon authorization service offers two authorization grants that your website or mobile app can use to authenticate users and access their customer profile . These two grants are the Implicit Grant and the Authorization Code Grant.
The following grant descriptions are in terms of HTTP requests and responses. The mobile SDKs wrap these calls in their own methods and callbacks; however, the overall flow is the same.
Authorization Code Grant
In the Authorization Code Grant, a user clicks on a link (or presses a button) (A) that directs them to an Amazon login page. After they login, they are asked to grant an app access to specific profile data (B) and are redirected back to the app. An authorization code is embedded directly in the redirection URI as a query parameter (C). (This is the authorization code grant). The user-agent executes the URI, including the query parameters. (At this point, the user sees they are logged in to the app and continues normally.)
The query parameters are processed directly by the app, and the app uses the authorization code to request an access token directly from the authorization service (D). The authorization code must be paired with a client identifier and client secret , known only to the app. This prevents malicious software from intercepting the authorization code and impersonating the app.
After the authorization code, client identifier, and client secret are verified, the app is granted an access token and a refresh token from the authorization service (E). They can use the access token to access the customer profile data from Amazon. When the access token expires, they can use the refresh token to gain a new access token and a new refresh token.
Implicit Grant (Deprecated)
In the Implicit Grant, a user clicks on a link (or presses a button) (A) that directs them to an Amazon login page. After they login, they are asked to grant an app access to specific profile data (B) and are redirected back to the app.
If the user is granted access, an access token is embedded directly in the redirection URI as a URI fragment (C). (This is the implicit grant ). The URI fragments, including the access token, are stripped from the redirection URI by the user-agent (the web browser) and the user-agent executes the URI (D). (At this point, the user sees they are logged in to the client and continues using the app normally.)