Login with Amazon (LwA) allows your customers to log in to your website or app using their Amazon credentials. LwA uses the OAuth 2.0 protocol making integration easy, and allows you to provide a more personalized user experience such as greeting visitors by name or displaying customized offers based on zip codes.
Depending on the permissions you request as part of this authentication (and what the user approves), LwA returns information you can use to connect to different Amazon APIs and obtain information about the user, perform tasks on their behalf, and/or incorporate Amazon services into your interactions with them.
When a user opts to use Login with Amazon to log into your site, you have to send them to an Amazon controlled page where they enter their email and password. This provides assurance to the user that you are not peeking at their password. When a user completes a login and approves the permissions you requested, the main browser window is redirected to a URL of your designation with information embedded in the URL.
As a developer you have two options for redirecting a user to the Amazon Login experience:
The URL the user is referred back to will be similar to:
As you can see, when you opt for the full redirect, the access token that is returned contains a URL fragment rather than a query string.
Why does that happen and how can I deal with it?
Why does Amazon return a URL fragment when the query string is obviously easier to work with? Security for your users. A URL fragment is not passed directly to your server, but only to the browser. As it turns out, this is also part of the OAuth specification.
You can then pass the data in the params array to your server however you like.
If you have any questions about Login with Amazon (LwA), please engage with us on the LwA forums. Stay tuned for more LwA posts on users and online identity.