amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

Ensure seller authorizes application for correct region during OAuth flow #2235

Closed jlevers closed 1 year ago

jlevers commented 2 years ago

Every region (NA/FE/EU) requires a separate set of credentials for each seller. This in itself is problematic, but given that it's the case, it should be possible to specify which region the current authentication request is for in the authorization request URL (https://sellercentral.amazon.<ext>/apps/authorize/consent?...).

When building an application that can be used across multiple regions by one seller, the seller needs to go through the authorization process multiple times (once for each region) and the developer needs to maintain a separate set of credentials for each region. The problem is, when the user gets redirected to Seller Central, they can inadvertently log into a marketplace in the wrong region, and thus they will end up generating credentials for a different region than the developer intended them to when the seller was redirected to Amazon for authorization.

For example, say I have a seller that wants to use my application in the NA and FE regions. I create two buttons: one for authorizing my application in NA, and one for authorizing in FE. When the seller clicks the NA button, I redirect them to the consent page with a callback URL https://callback.com/receiveCredentials/NA, so that I can track which region the credentials are for when the seller gets redirected after the consent page. But if the seller isn't logged into Seller Central yet, they'll end up on this page:

[screenshot: Seller Central marketplace selection page shown after login]

They can then select any marketplace that they're participating in. If they select Japan, for example, I'll end up with credentials that are valid only in the FE region, even though I redirected them to the consent page thinking I would be getting back credentials that are valid in the NA region. There's no way for me to prevent this from happening, and there's no way for me to detect it when it does happen.

The most basic solution to this problem would be to have the post-authorization callback include a URL param that told me which country/marketplace the credentials were for. That would sort of solve the problem, although there would still be the issue that the seller would think they're authorizing one region and end up authorizing another.

The proper solution would be to allow developers to redirect sellers to log into particular regions/marketplaces, so that the credentials would consistently be valid in a particular region.

@ShivikaK @parvathm I would appreciate your support here.

kpconnell commented 2 years ago

@jlevers first, thanks for the PHP library, it is awesome, I use it every day for one of my clients.

For the OAuth flow, you have to send the user to each region's Seller Central URL in the first place, and you have to pass unique state info for each of these... Your state value should absolutely tell you which region the callback is coming from. Further, marketplace is not part of the OAuth flow, ONLY region is.

This is the flow I use: Give the seller a unique link to auth a particular region. That link in your web app generates state that associates their "customer" and the region you are sending them to. Redirect them to that Seller Central. Seller Central redirects the user back with the state info from above, and you call the token API and stash all that stuff, including what region you originally sent them to.

Marketplace specifics are the intersection of participation and their user preferences.

Hope this helps.

jlevers commented 2 years ago

@kpconnell glad you're finding my library helpful! That's good to hear :)

Yep, I think we're on the same page with credentials being per-region (not per-marketplace), and with sending users to the correct Seller Central URL...it's just that if they're not already signed into Seller Central, if I redirect them to (for example) https://sellercentral-europe.amazon.com, they will be prompted to log in and then will see the page that I screenshotted above. At that point, they can choose any marketplace they want, so if they select United States, they'll be redirected to https://sellercentral.amazon.com and end up on the consent screen on that domain. When they click authorize and get redirected back to me, the credentials will be for NA, despite the fact that I originally sent them to an EU Seller Central URL.

openbridge-james commented 2 years ago

@jlevers is not wrong. The authentication process is flawed and needs work.

vaidas-lungis commented 2 years ago

Ran into the same case.

Maybe you have checked the Amazon docs for an endpoint to get the region out of the token, or you could do a dummy request to that marketplace? For example https://developer-docs.amazon.com/sp-api/docs/sellers-api-v1-reference. Then the flow could look like: you get the token, and check if it is for the right region.

jlevers commented 2 years ago

I've been working around this problem by making a call to an endpoint in the region that the credentials should be for, and if it returns a 403, then I show the user a message telling them they authenticated in the wrong region, and prompt them to re-authenticate. Kind of a pain, but it works.

openbridge-james commented 2 years ago

@jlevers it'd be nice to know which endpoint you are using, could be a nice work around for us as well.

jimmy-ross-xapix commented 2 years ago

It's also additionally difficult that within the Far East region, the JP, AU, etc. marketplaces actually have their own selling partner IDs, so each needs to be authenticated once. As opposed to EU or NA, where for example authenticating in the German Seller Central account is enough for the whole EU region.

jlevers commented 2 years ago

@jlevers it'd be nice to know which endpoint you are using, could be a nice work around for us as well.

Doesn't really matter which endpoint you use, but I use the getMarketplaceParticipations endpoint since you don't have to pass it any parameters.
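Putting the two pieces of advice in this thread together (kpconnell's region-bound `state` value and jlevers's 403 probe after the token exchange), here is an added example that is not code from the repository or from anyone in the thread. It assumes the consent query parameters `application_id`, `state` and `redirect_uri` from the SP-API authorization docs, treats the FE Seller Central host as a placeholder, and leaves the actual HTTP probe to the caller so it runs offline.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode

# Seller Central hosts per region. NA and EU hosts are quoted in the thread;
# the FE host is an assumption, check the SP-API docs before relying on it.
SELLER_CENTRAL_HOSTS = {
    "NA": "sellercentral.amazon.com",
    "EU": "sellercentral-europe.amazon.com",
    "FE": "sellercentral-japan.amazon.com",  # assumption
}

STATE_SECRET = b"constructed-sample-secret-load-from-config"  # constructed key

def make_state(customer_id, region, nonce=None):
    """Bind customer and intended region into an HMAC-signed state token."""
    if region not in SELLER_CENTRAL_HOSTS:
        raise ValueError(f"unknown region {region!r}")
    payload = json.dumps({"c": customer_id, "r": region,
                          "n": nonce or secrets.token_hex(8)},
                         separators=(",", ":")).encode()
    sig = hmac.new(STATE_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + sig

def parse_state(state):
    """Verify the signature; return (customer_id, region) or None if tampered."""
    try:
        b64, sig = state.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return None
    expected = hmac.new(STATE_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    data = json.loads(payload)
    return data["c"], data["r"]

def authorization_url(application_id, region, customer_id, redirect_uri):
    """Consent URL on the Seller Central host of the region we intend to authorize."""
    query = {"application_id": application_id,
             "state": make_state(customer_id, region),
             "redirect_uri": redirect_uri}
    return f"https://{SELLER_CENTRAL_HOSTS[region]}/apps/authorize/consent?" + urlencode(query)

def credentials_match_region(probe_status):
    """Interpret the thread's workaround: after the token exchange, call a
    parameterless endpoint (getMarketplaceParticipations) in the region the
    credentials should be for. 403 means the seller authorized elsewhere."""
    if probe_status == 200:
        return True
    if probe_status == 403:
        return False
    raise RuntimeError(f"inconclusive probe status {probe_status}")
```

On the callback, compare the region recovered from `parse_state` with the region in the callback path; a mismatch or a `None` result means the state was not one you issued, and the token should not be stored.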

TkTech commented 1 year ago

@jlevers it'd be nice to know which endpoint you are using, could be a nice work around for us as well.

Doesn't really matter which endpoint you use, but I use the getMarketplaceParticipations endpoint since you don't have to pass it any parameters.

This doesn't seem to work for hybrid applications - getMarketplaceParticipations will fail unless the correct marketplace is set. For regular SP-API apps, this works great.

github-actions[bot] commented 1 year ago

This is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue after the latest release and if you find that this is still a problem, please feel free to open a new issue and make a reference to this one.

github-actions[bot] commented 1 year ago

closed for inactivity