[Openid-specs-ab] Login with Amazon

Nat Sakimura sakimura at gmail.com
Thu May 30 14:07:06 UTC 2013


Re-sending...

Login with Amazon started. See login.amazon.com
It is OAuth 2.0 based login mechanism.
It supports both code and implicit flow.
It is not OpenID Connect unfortunately.
It uses access token to get the customer profile to log the user in.
The customer profile has a field user_id, and RP seems to log in the user
based on it.

It looks to me that the implicit grant version is prone to token cut and
paste attack, but I have not evaluated in detail yet to see if they have
put the control in place.

You guys may want to follow this up.

Nat
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130530/6500f6be/attachment-0001.html>


More information about the Openid-specs-ab mailing list