Requesting Scopes as Essential/Voluntary

The authorization requests described in Implicit Grant and Authorization Code Grant can also carry essential/voluntary override information for the requested scopes. This governs whether the Login with Amazon consent page allows customers to change the requested scopes before granting consent. The information is specified with the scope_data parameter in the authorization request. The examples below use Implicit Grant; however, this parameter should work in a similar way for Authorization Code Grant as well.

Authorization Request

To request authorization, the client (website) must redirect the user-agent (browser) to make a secure HTTP call to https://www.amazon.com/ap/oa with the following parameters:

| Parameter | Description |
| --- | --- |
| client_id | REQUIRED. The client identifier. This is provided when you register your website as a client for Login with Amazon. Maximum size of 100 bytes. |
| scope | REQUIRED. The scope of the request. Must be profile, profile:user_id, postal_code, or some combination, separated by spaces (e.g. profile%20postal_code). For more information, see Customer Profile. |
| scope_data | OPTIONAL. URL encoded JSON blob with scope as the key and value as the essentiality for the requested scopes. See the examples below. |
| response_type | REQUIRED. The type of response requested. Must be token for this scenario. |
| redirect_uri | REQUIRED. The HTTPS address where the authorization service should redirect the user. |
| state | RECOMMENDED. An opaque value used by the client to maintain state between this request and the response. The authorization service will include this value when redirecting the user back to the client. It is also used to prevent cross-site request forgery. For more information, see Cross-site Request Forgery. |

For example:

https://www.amazon.com/ap/oa?client_id=foodev
&scope=profile%20postal_code
&scope_data=%7B%22profile%22%3A%7B%22essential%22%3Atrue%7D%2C%22postal_code%22%3A%7B%22essential%22%3Afalse%7D%7D
&response_type=code
&state=208257577ll0975l93l2l59l895857093449424
&redirect_uri=https://client.example.com/auth_popup/token

Here the scope parameter is the URL-encoded form of "profile postal_code", and scope_data is the URL-encoded form of {"profile":{"essential":true}, "postal_code":{"essential":false}}. The essential property for each scope can be set to either true or false.

To make an authorization request using the Login with Amazon SDK for JavaScript, you must fill out an options object and call amazon.Login.authorize.

const options = {};
options.scope = 'profile postal_code';
// Per-scope essential/voluntary override, keyed by scope name.
options.scope_data = {
    'profile' : {'essential': true},
    'postal_code' : {'essential': false}
};
options.response_type = 'code';
amazon.Login.authorize(options, function(response) {
    if ( response.error ) {
        alert('oauth error ' + response.error);
        return;
    }
    // Handle the response
});

Authorization Response

After the client (website) directs the user-agent (browser) to make an Authorization Request, the authorization service will redirect the user-agent to a URI specified by the client. If the user granted the request for access, that URI will contain an access_token and approved scopes as a URI fragment. For example:

| Parameter | Description |
| --- | --- |
| access_token | The access token for the user account. Maximum size of 2048 bytes. |
| token_type | The type of token returned. Should be bearer. |
| expires_in | The number of seconds before the access token becomes invalid. |
| refresh_token | A refresh token that can be used to request a new access token. Maximum size of 2048 bytes. |
| scope | REQUIRED. The scope of the request. |
| state | RECOMMENDED. An opaque value used by the client to maintain state between this request and the response. The authorization service will include this value when redirecting the user back to the client. It is also used to prevent cross-site request forgery. |

Errors can be handled in the same way as described in the Implicit Grant section.
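
The request and response handling described on this page, as an added example (not Amazon's code and not part of the Login with Amazon SDK): it builds the authorization URL with a URL-encoded scope_data blob, then checks the redirect's state and scope values before the token is used. The function names and sample values are constructed, and it assumes a scope marked essential: false is one the customer may remove on the consent page.

```javascript
// Added example, not Amazon's code. The endpoint and parameter names are from
// this page; function names and sample values are constructed.
const AUTHORIZE_ENDPOINT = 'https://www.amazon.com/ap/oa';

// scopeData maps each requested scope to { essential: true | false }.
function buildAuthorizeUrl({ clientId, redirectUri, responseType, state, scopeData }) {
  const scopes = Object.keys(scopeData);
  for (const s of scopes) {
    if (typeof scopeData[s].essential !== 'boolean') {
      throw new TypeError(`essential must be true or false for scope "${s}"`);
    }
  }
  const params = [
    ['client_id', clientId],
    ['scope', scopes.join(' ')],
    ['scope_data', JSON.stringify(scopeData)],
    ['response_type', responseType],
    ['state', state],
    ['redirect_uri', redirectUri],
  ];
  // encodeURIComponent encodes the JSON braces, quotes and colons, and the space in scope.
  return AUTHORIZE_ENDPOINT + '?' +
    params.map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
}

// Check the redirect's parameters before using the token or code it carries.
// Assumption: a scope with essential: false may be removed by the customer.
function checkAuthorizationResponse(paramString, expectedState, scopeData) {
  const p = new URLSearchParams(paramString.replace(/^[#?]/, ''));
  if (p.get('error')) return { ok: false, reason: 'oauth error ' + p.get('error') };
  // state must equal the value this client stored for this browser session.
  if (!expectedState || p.get('state') !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  const granted = new Set((p.get('scope') || '').split(/\s+/).filter(Boolean));
  const requested = Object.keys(scopeData);
  const missing = requested.filter((s) => scopeData[s].essential && !granted.has(s));
  if (missing.length) return { ok: false, reason: 'essential scope missing', missing };
  // Voluntary scopes the customer declined: do not assume that data is available.
  const declined = requested.filter((s) => !granted.has(s));
  return { ok: true, granted: [...granted], declined };
}

const scopeData = { profile: { essential: true }, postal_code: { essential: false } };
const fragment = '#access_token=CONSTRUCTED&token_type=bearer&expires_in=3600' +
  '&scope=profile&state=constructed-state-123';
console.log(checkAuthorizationResponse(fragment, 'constructed-state-123', scopeData));
```

The state value passed to buildAuthorizeUrl should be generated per request from a cryptographically secure random source and stored with the user's session, so that checkAuthorizationResponse compares against a value an attacker cannot predict.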