Thread: access_token sent only as a hash parameter to the callback url

Replies: 1 - Pages: 1 - Last Post: 03 Mar, 2017 3:58 PM by: Yancheng G. (LWA)

Posts: 3
Registered: 31 Jan, 13 4:27 AM
Posted on: 21 Feb, 2017 7:52 PM
It might be nice to mention on the tutorial, for instance:

It mentions the "popup true doesn't work in iOS" in passing; however, what it doesn't seem to really mention in the accompanying docu is that if you set popup true it returns the parameters as fragments (i.e. like #access_token= instead of &access_token=, which makes the rest of the tutorial moot).
Got me today anyway FWIW.

Yancheng G. (LWA)

Posts: 26
Registered: 17 Jun, 14 4:37 PM
Posted on: 03 Mar, 2017 3:58 PM   in response to: rogerdpack

Thanks for sharing the problem; I hope it has been resolved by now. Here is some additional information that might help you further understand the overall function of the Login with Amazon SDK for JavaScript.

Whether an access token (authorization grant) is returned in the fragment or the query string is not fully determined by the popup setting. According to the OAuth 2.0 spec, the access token must be returned as a fragment in the authorize response, and this is how the LWA SDK for JavaScript is implemented as well. The reason why you saw the access_token in the URL query string might be that you were using the popup flow and had specified a URL as the callback to the authorize() call. For example, if you make the following call to the authorize() API:
// options must be an object; popup flow, and 'profile' is shown only as an example scope
var options = { scope: 'profile', popup: true };
amazon.Login.authorize(options, 'https://<your-website-domain>/lwa/response');

When the user has signed in on the Amazon Login page and the popup window has closed, the LWA SDK receives the authorize response and redirects the current window to the URL you specified above, with the response parameters included as query string parameters. If you do not specify the callback as a URL, or you use the redirect flow instead, you will find the access_token included as a fragment in the authorize response.

For more information regarding popup vs. redirect flow, and different kinds of response types, feel free to refer to Login with Amazon SDK for Javascript Reference:
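
Added example, not part of the thread above and not code from the LWA SDK: a callback-page helper that accepts the authorize response from either the fragment or the query string, as the two posts describe, and returns a URL with the token parameters removed. A query-string token is sent to the server and can end up in access logs, while a fragment stays in the browser. The function name, the parameter list and the sample URLs are assumptions constructed for illustration.

```javascript
// Response parameters to read and then scrub from the callback URL (assumed list).
const RESPONSE_PARAMS = ['access_token', 'token_type', 'expires_in',
                         'scope', 'state', 'error', 'error_description'];

// Hypothetical helper: reads the authorize response from a callback URL.
// Returns { source: 'fragment' | 'query' | null, params, cleanUrl }.
function readAuthorizeResponse(callbackUrl) {
  const url = new URL(callbackUrl);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const query = url.searchParams; // live view: deletions update url.search

  // Prefer the fragment, which is where OAuth 2.0 puts the token.
  let source = null;
  if (fragment.has('access_token') || fragment.has('error')) {
    source = 'fragment';
  } else if (query.has('access_token') || query.has('error')) {
    source = 'query';
  }

  const params = {};
  if (source !== null) {
    const from = source === 'fragment' ? fragment : query;
    for (const name of RESPONSE_PARAMS) {
      if (from.has(name)) params[name] = from.get(name);
    }
    // Scrub both locations so the token does not linger in the address bar,
    // browser history, or a Referer header sent from this page.
    for (const name of RESPONSE_PARAMS) {
      fragment.delete(name);
      query.delete(name);
    }
    url.hash = fragment.toString();
  }
  return { source, params, cleanUrl: url.toString() };
}

// Constructed sample callbacks (the token value is not a real token).
const SAMPLE_FRAGMENT =
  'https://example.test/lwa/response#access_token=Atza%7CCONSTRUCTED&token_type=bearer&expires_in=3600';
const SAMPLE_QUERY =
  'https://example.test/lwa/response?page=2&access_token=Atza%7CCONSTRUCTED&token_type=bearer';

for (const sample of [SAMPLE_FRAGMENT, SAMPLE_QUERY]) {
  const r = readAuthorizeResponse(sample);
  console.log(r.source, '->', r.cleanUrl);
}
```

In a browser, pass `window.location.href` and then call `history.replaceState(null, '', result.cleanUrl)` before loading anything else on the page.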