federation can be achieved between Amazon and Facebook and Google identities for a single Web user sign-on.
All three providers expose OAuth 2.0-based sign-in that a Web or mobile application can use to obtain a token for the user, and accepting all three as identity providers means the 200 million active Amazon users can reach any application that adopts the service with just their Amazon user name and password. Likewise, Facebook and Google users will be able to reach additional services through one of their existing passwords.
Developers are eager to find such a reach-extending mechanism for their mobile applications, since newcomers are more likely to become regular users if they can sign in with a password they already use instead of registering and remembering a new one. The service is available to Apple iOS and Android applications as well as Web-based applications. The AWS Developer Center makes it simple for developers to add a log-in button to their application; the button triggers the federated sign-in flow against the provider's directory.
In a blog entry posted Tuesday, Jeff Wierer, principal product manager for AWS identity and access management, said developers may easily incorporate an Amazon log-in button into their mobile or Web applications. A user sign-on triggers a call for the user's profile (name, email address and zip code), but only if the user has consented to sharing that information.
"Web identity federation enables your users to sign in to your app using their Amazon.com, Facebook, or Google identity and authorize them to seamlessly access AWS resources that are managed under your AWS account," wrote Wierer in his May 28 blog.
Amazon.com holds credit card information on its customers as well as names and email addresses, but that information is not shared through the log-in. A developer asked AWS Wednesday on a forum whether the Amazon log-in process could be used to obtain a user's recent Kindle purchases; such information would reveal a customer's interests and be a boon to personalized marketing by content providers, he wrote. No Amazon spokesman had responded to his query as of this writing, and such information isn't listed as available at the service's launch. As the holder of both Kindle and credit card purchase histories, Amazon is in a potentially powerful position to supply richer user profiles on top of the bare-bones profile information currently offered to application developers. As of Wednesday, user consent is required before any profile information is released; in the future, as manager of the log-in process, Amazon would be well placed to dispense additional information, if permitted or if it chose to do so.
Part of Amazon's argument to developers to adopt its federated log-in button is that it will allow them to build more personalized applications, and spend less time worrying about the fundamental operations of the app.
Web identity federation also gives AWS the means to authorize Facebook and Google users, not just Amazon customers, to use AWS resources. When a user of a developer's registered application signs in, the application exchanges the identity provider's token for temporary AWS security credentials scoped by an IAM role that the developer controls; those credentials let the user store a picture in S3, retrieve a shared file, or read and write data in DynamoDB. Because the credentials are issued per user, the developer should restrict the role's permissions to that user's own objects or items rather than granting access to the whole bucket or table. Such services allow developers to produce richer applications that make use of AWS resources without users needing separate AWS accounts.
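The token exchange and the per-user scoping described above, as an added example that is not part of the original article or of Amazon's own sample code. It shows the two IAM policies a developer would attach to the role (a trust policy that only accepts Login with Amazon tokens issued for one app, and a permissions policy that uses the `${www.amazon.com:user_id}` policy variable to confine each federated user to their own S3 prefix), the STS call that turns the provider token into temporary credentials, and a deliberately simplified evaluator that demonstrates the isolation offline. The bucket name, account ID, role name and app ID are hypothetical placeholders; the evaluator handles only the Allow statements and the StringLike operator used here, not the full IAM evaluation logic.

```python
import json
import re

# Constructed, hypothetical values: substitute your own bucket, account, role and LwA app id.
BUCKET = "example-photo-app-user-data"
ACCOUNT_ID = "123456789012"
ROLE_NAME = "PhotoAppAmazonUserRole"
AMAZON_APP_ID = "amzn1.application-oa2-client.0123456789abcdef"
PROVIDER = "www.amazon.com"  # identity provider name used in IAM for Login with Amazon


def trust_policy():
    """Role trust policy: only Login with Amazon tokens issued for this app may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{PROVIDER}:app_id": AMAZON_APP_ID}},
        }],
    }


def permissions_policy():
    """Permissions policy: a federated user may only touch objects under a prefix equal to
    their own Amazon user id. IAM substitutes ${www.amazon.com:user_id} from the token."""
    user_var = f"${{{PROVIDER}:user_id}}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{BUCKET}/{user_var}/*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{BUCKET}",
                "Condition": {"StringLike": {"s3:prefix": f"{user_var}/*"}},
            },
        ],
    }


def exchange_amazon_token(lwa_access_token, session_name):
    """Hand the Login with Amazon access token to STS for temporary AWS credentials.
    Requires network access and boto3, so it is not exercised by the offline checks."""
    import boto3
    sts = boto3.client("sts")
    resp = sts.assume_role_with_web_identity(
        RoleArn=f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}",
        RoleSessionName=session_name,
        WebIdentityToken=lwa_access_token,
        ProviderId=PROVIDER,  # required for OAuth 2.0 providers (Amazon, Facebook)
        DurationSeconds=3600,
    )
    return resp["Credentials"], resp["SubjectFromWebIdentityToken"]


def _resolve(template, user_id):
    """Substitute the federated user's id for the policy variable."""
    return template.replace(f"${{{PROVIDER}:user_id}}", user_id)


def _glob_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(user_id, action, resource, context=None):
    """Simplified evaluation of permissions_policy(): default deny, Allow if any statement's
    action, resource and StringLike conditions match after variable substitution."""
    context = context or {}
    for stmt in permissions_policy()["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if not _glob_match(_resolve(stmt["Resource"], user_id), resource):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        if all(_glob_match(_resolve(p, user_id), context.get(k, "")) for k, p in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    own = f"arn:aws:s3:::{BUCKET}/amzn1.account.AAAA/photo.jpg"
    other = f"arn:aws:s3:::{BUCKET}/amzn1.account.BBBB/photo.jpg"
    print("own object:", is_allowed("amzn1.account.AAAA", "s3:GetObject", own))
    print("another user's object:", is_allowed("amzn1.account.AAAA", "s3:GetObject", other))
```

The point of the policy variable is that one role serves every user of the app while still keeping users out of each other's data; a role that simply granted `s3:*` on the bucket would let any signed-in user read any other user's pictures with the temporary credentials they were issued.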