3rd party authentication in mobile apps
Authentication via 3rd party SDKs and libraries is quite common in mobile commerce applications. The main reason is to reduce the number of forms and text fields a user has to fill in before finally purchasing an item inside the application.
Statistically, chances are that your application's users already have accounts on the most popular social networks, social shopping sites or eCommerce portals. What many of these 3rd party authentication libraries provide is the possibility for your users to authenticate with their credentials from that ecosystem and stay logged in for a specific time frame. The whole process is hidden from the application it runs in: the host app never sees the user's password, only the result of the login, which is what keeps the credentials private.
The actual login flow is in most cases handled by mobile libraries supplied by the ecosystem itself, and is performed either in-app or in the external mobile browser (Facebook, LinkedIn, Twitter and many other popular social destinations provide such libraries). The OAuth authorization framework is both the most popular method for enabling such logins and a recognised standard. Strictly speaking, OAuth authorizes an application to access a user's data; the "login" is built on top of that by having the provider return verified identity details for the account that granted access.
What your mobile application gets back from the library provider is the user's verified details, limited to the scope(s) you requested. In most cases that is the registered name, surname and email, but as we will see later in this review some libraries provide more information (if the user agrees), which can be especially useful for designing checkout flows and creating simple mobile commerce experiences. Note that "verified" means verified by the provider to your app; if your own backend needs to rely on these details, it should confirm them with the provider rather than trust whatever the client posts.
In this technical review I want to demonstrate the adoption of one such 3rd party authentication library, recently introduced to mobile developers by Amazon and called Amazon Login SDK. A small note: this review is written from the perspective of a mobile developer implementing such authentication in their own apps (or helping clients update theirs).
Amazon Login SDK is currently available for web, iOS and Android applications.
The example integration in this post is for a native iOS application.
Currently, the main application screens look like this:
First, we have to get to the iOS section of the Amazon Login SDK site, where we find several outlined steps to follow in order to make it work in iOS applications. Let's go through all of them.
Download and unpack the library
After downloading and unpacking the Amazon Login library we find that it ships in 2 versions. One is universal, built to support both actual iOS devices and the development simulator. The other is a device-only version, built to run only on actual devices; it is much more compact and intended for live applications. We are going to use the universal one for this development example, and once the application is ready to be deployed the library can be swapped for the device version. Documentation files describing the available methods and their use are also included in the download package.
Registering new application on Amazon
In order to use the Amazon Login library you have to register the mobile application on Amazon's side, provide the business details users will see while authenticating and register your iOS application's bundle identifier. This takes several steps and is described in detail in step 3 on the official SDK integration page.
In my case, I already had a buyer's account with Amazon UK, and used it in the registration process. During the application registration process they automatically upgraded my account one notch to a seller's account. Apart from this, registration and adding the new app was quite a smooth process and took me about 15 minutes to complete. If you are implementing Amazon Login for your client, I guess this step has to be completed by them as it needs to be their business details and account.
The last step in this process is to register your application's bundle id and receive API keys. Again, the process was smooth. Once you get your API key it has to be added to the main Info.plist properties file as a string property named APIKey. Developers are required to use this exact property name, and it seems very generic: what if the app stores several sets of API keys? The name should be more specific to Amazon's Login SDK. Also keep in mind that Info.plist ships inside the app bundle, so anything stored there can be read by anyone who extracts the IPA; treat the value as an application identifier, not as a secret.
Adding the library and code
I have imported the universal binary of the Amazon Login library (together with the supplied header files) into the Xcode project and added it to the target's Build Phases. Step 4 on the Amazon SDK page outlines this procedure in detail.
Next you have to add a custom URL scheme for your application. This is required because the Amazon Login library is built so that users are redirected to the external mobile Safari browser to authenticate, and redirected back to your application through that scheme on success (which I think is a drawback for an iOS authentication library, but it does keep the user's credentials away from the app). One caveat a developer should know: custom URL schemes on iOS are not exclusive, so another installed app can register the same scheme and receive the redirect instead of yours. Your URL handler should therefore only treat an incoming URL as a signal to let the SDK finish the login, and never act on parameters in it directly.
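As an added example (not code from the original post or from Amazon's SDK samples), here is how the return leg of that redirect can be handled in the app delegate. It assumes the SDK header is AIMobileLib.h and that the SDK exposes a class method +[AIMobileLib handleOpenURL:sourceApplication:] that completes the pending login; kLoginWithAmazonScheme stands for whatever scheme you registered in Info.plist, and its value and the AppDelegate class are illustrative.

```objectivec
// Added example: app-delegate side of the Safari redirect. Not from the original
// post or from Amazon's SDK. Assumptions are marked in comments.
#import <UIKit/UIKit.h>
#import "AIMobileLib.h"   // assumed header name from the SDK download

// Assumption: the custom scheme you registered in Info.plist for this app.
static NSString *const kLoginWithAmazonScheme = @"amzn-com.example.shop";
// Bundle id of mobile Safari, which hosts the Amazon login page.
static NSString *const kMobileSafariBundleID  = @"com.apple.mobilesafari";

// Decides whether an incoming URL is a Login with Amazon redirect that should
// be handed to the SDK. Plain C function so it can be unit-tested on its own.
BOOL LWAShouldHandleOpenURL(NSURL *url, NSString *sourceApplication)
{
    // Custom URL schemes are not exclusive on iOS: another app can claim the
    // same one. These checks only stop unrelated links from driving the app;
    // they cannot prevent a rival app from receiving the redirect instead.
    if (![[url.scheme lowercaseString] isEqualToString:kLoginWithAmazonScheme]) {
        return NO;
    }
    // The login page runs in mobile Safari, so that is where the redirect
    // should come from. sourceApplication is nil on some launch paths, so a
    // missing value is tolerated rather than treated as hostile.
    if (sourceApplication != nil && ![sourceApplication isEqualToString:kMobileSafariBundleID]) {
        return NO;
    }
    return YES;
}

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (nonatomic, strong) UIWindow *window;
@end

@implementation AppDelegate

- (BOOL)application:(UIApplication *)application
            openURL:(NSURL *)url
  sourceApplication:(NSString *)sourceApplication
         annotation:(id)annotation
{
    if (!LWAShouldHandleOpenURL(url, sourceApplication)) {
        return NO;   // not ours: ignore it and read nothing out of the URL
    }
    // Assumption: this SDK call consumes the redirect, completes the pending
    // authorizeUserForScopes: request and fires the delegate callbacks.
    return [AIMobileLib handleOpenURL:url sourceApplication:sourceApplication];
}

@end
```

The scheme and source-application checks keep arbitrary links from triggering the login completion path, but they cannot stop another app from claiming the same scheme and receiving the redirect; that is why the handler passes the URL straight to the SDK and never parses tokens or parameters out of it itself.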
In the application code we have to create an action for the "Login with Amazon" button and a few delegate classes to handle the callbacks the Amazon Login library fires when its methods succeed or fail. The first delegate handles the
authorizeUserForScopes callback. There are 2 events to be handled by the delegate, a success and an error response:
- (void)requestDidSucceed:(APIResult *)apiResult
- (void)requestDidFail:(APIError *)errorResponse
In the success scenario our delegate can perform another request to the Amazon Login library,
getProfile, which retrieves the user details according to what we previously requested in the scope. This method also reports back through callbacks that have to be handled by a specified delegate.
Unfortunately, these callback method names are exactly the same as the callbacks for the previous library request, which forces us to create separate delegate classes and does not really comply with the naming conventions of the iOS world, where method names are expected to be self-explanatory and descriptive (something like
getProfileRequestDidSucceed or similar).
Once getProfile succeeds, your application has all the data we requested about the user.
The third method the Amazon Login library gives to developers is
clearAuthorizationState, to be used when your application wants to log out the current user. Again, the callback methods have the same names as for the previous methods, and it is best to create a separate delegate class to handle them.
Finally, with all 3 delegates created we can finish the action method for the "Login with Amazon" button:
NSArray *requestScopes = [NSArray arrayWithObjects:@"profile", @"postal_code", nil];
AMZNAuthorizeUserDelegate* delegate = [[AMZNAuthorizeUserDelegate alloc] initWithParentController:self];
[AIMobileLib authorizeUserForScopes:requestScopes delegate:delegate];
One thing to mention here is that
requestScopes defines the information our app will receive back from the Amazon Login library. Amazon currently supports 2 values:
profile, which contains the user's name, email address and Amazon account id, and
postal_code, which contains their zip/postal code. As a general rule, only request the information you actually need; every extra scope is one more item the user has to consent to and one more piece of personal data your app becomes responsible for.
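The whole button-to-profile-to-logout flow, as an added example rather than code from the original post or from Amazon's sample app. It uses the SDK names the post mentions (AIMobileLib, authorizeUserForScopes:delegate:, getProfile, clearAuthorizationState and the requestDidSucceed:/requestDidFail: callbacks) and assumes the following, none of which the post confirms: the delegate protocol is called AIAuthenticationDelegate, getProfile: and clearAuthorizationState: take the delegate as their single argument, APIResult has a result property holding the profile as an NSDictionary with the keys name, email, user_id and postal_code, and APIError has an error property with a message string. Instead of three delegate classes it uses one delegate class parameterised with blocks, so the identical callback names stop being a problem; LoginViewController and its properties are illustrative.

```objectivec
// Added example: one block-based delegate class reused for all three SDK
// requests. Not from the original post or Amazon's sample app; assumptions
// about the SDK surface are marked in comments.
#import <UIKit/UIKit.h>
#import "AIMobileLib.h"               // assumed header names from the SDK download
#import "AIAuthenticationDelegate.h"
#import "APIResult.h"
#import "APIError.h"

typedef void (^LWASuccessBlock)(APIResult *result);
typedef void (^LWAFailureBlock)(APIError *error);

// Every AIMobileLib call reports back through the same two selectors, so the
// meaning of "success" is captured in a block when a delegate is created for a
// specific request, instead of writing one delegate class per request.
@interface LWARequestDelegate : NSObject <AIAuthenticationDelegate>
+ (instancetype)delegateWithSuccess:(LWASuccessBlock)onSuccess failure:(LWAFailureBlock)onFailure;
@end

@implementation LWARequestDelegate {
    LWASuccessBlock _onSuccess;
    LWAFailureBlock _onFailure;
}

+ (instancetype)delegateWithSuccess:(LWASuccessBlock)onSuccess failure:(LWAFailureBlock)onFailure
{
    LWARequestDelegate *d = [[self alloc] init];
    d->_onSuccess = [onSuccess copy];
    d->_onFailure = [onFailure copy];
    return d;
}

- (void)requestDidSucceed:(APIResult *)apiResult  { if (_onSuccess) _onSuccess(apiResult); }
- (void)requestDidFail:(APIError *)errorResponse  { if (_onFailure) _onFailure(errorResponse); }

@end

@interface LoginViewController : UIViewController
// Held strongly so the callback target cannot be released during the round trip through Safari.
@property (nonatomic, strong) LWARequestDelegate *pendingDelegate;
// Profile fields the checkout screen pre-fills; nil until getProfile succeeds.
@property (nonatomic, copy) NSDictionary *checkoutProfile;
- (void)fetchProfile;
- (void)showMessage:(NSString *)message;
@end

@implementation LoginViewController

- (IBAction)loginWithAmazonTapped:(id)sender
{
    // Ask only for what checkout needs; each scope is shown to the user on Amazon's consent page.
    NSArray *requestScopes = @[@"profile", @"postal_code"];
    __weak typeof(self) weakSelf = self;
    self.pendingDelegate = [LWARequestDelegate delegateWithSuccess:^(APIResult *result) {
        [weakSelf fetchProfile];          // authorization granted: now read the profile
    } failure:^(APIError *error) {
        // Assumption: APIError.error.message carries the SDK's error text.
        [weakSelf showMessage:[NSString stringWithFormat:@"Login failed: %@", error.error.message]];
    }];
    [AIMobileLib authorizeUserForScopes:requestScopes delegate:self.pendingDelegate];
}

- (void)fetchProfile
{
    __weak typeof(self) weakSelf = self;
    self.pendingDelegate = [LWARequestDelegate delegateWithSuccess:^(APIResult *result) {
        NSDictionary *profile = result.result;   // assumption: NSDictionary of profile fields
        // Keep only the fields checkout actually uses (assumed key names).
        NSMutableDictionary *kept = [NSMutableDictionary dictionary];
        for (NSString *key in @[@"name", @"email", @"user_id", @"postal_code"]) {
            if (profile[key]) kept[key] = profile[key];
        }
        weakSelf.checkoutProfile = kept;
        [weakSelf showMessage:[NSString stringWithFormat:@"Welcome, %@", kept[@"name"] ?: @"Amazon customer"]];
    } failure:^(APIError *error) {
        [weakSelf showMessage:[NSString stringWithFormat:@"Could not load profile: %@", error.error.message]];
    }];
    [AIMobileLib getProfile:self.pendingDelegate];   // assumption: takes the delegate as its only argument
}

- (IBAction)logoutTapped:(id)sender
{
    __weak typeof(self) weakSelf = self;
    self.pendingDelegate = [LWARequestDelegate delegateWithSuccess:^(APIResult *result) {
        weakSelf.checkoutProfile = nil;   // drop the cached profile together with the SDK's session
        [weakSelf showMessage:@"Logged out"];
    } failure:^(APIError *error) {
        [weakSelf showMessage:[NSString stringWithFormat:@"Logout failed: %@", error.error.message]];
    }];
    [AIMobileLib clearAuthorizationState:self.pendingDelegate];   // assumption: same single-argument shape
}

- (void)showMessage:(NSString *)message
{
    [[[UIAlertView alloc] initWithTitle:@"Login with Amazon" message:message
                               delegate:nil cancelButtonTitle:@"OK" otherButtonTitles:nil] show];
}

@end
```

Because the delegate is created per request and kept in a property, a stale callback from an earlier request cannot reach the wrong handler, and the profile data is only held in memory for the checkout screen; if a server-side component needs the identity, it should confirm the login with Amazon itself rather than accept these fields from the client.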
This finishes our integration steps; the project should now compile and run. I have added a new custom button to the login screen and linked it to the action code posted above. You can see screenshots of the new login window plus the user experience while being redirected to the external Safari browser for authentication with Amazon.
Conclusions and Summary
The reason for this technical review and example Amazon Login integration was to understand how technically complex it is and what end user experience it provides.
Technically, the integration is not very hard.
Amazon provides example code along with the documentation files (one would like them to have a slightly more appealing design, or to be hosted directly on GitHub) and I found the steps on their developer portal well written. A few iOS-specific things are not very developer friendly, like the identical callback method names for 3 different library methods mentioned earlier, or the requirement to add a very generic APIKey property to the main Info.plist file. This may be down to Amazon maintaining one generic design for the Android and iOS libraries (most likely an Android-first approach).
The user experience drawback is that the user gets redirected to another application (the mobile Safari browser) to authenticate and is redirected back to your application only if authentication is successful.
Most importantly, there is currently no way for the user to navigate back to your application if they decide not to log in with Amazon while in the external browser (see the last screenshot). There is no back button or any other method to return the user to the app. This means the user has to quit Safari, find your application icon on the home screen again and launch it to get back to what they were doing.
I can hear all the comments about better security for user credentials (the official mobile browser is a much more secure environment than a random mobile application, and the user can check the address bar to confirm they are really on Amazon), but companies providing such SDKs also have to design with user convenience in mind, without the need to bounce between 2 mobile applications.
Overall the idea is good: having users authenticate with trusted ecommerce portal credentials and getting verified user details back is quite beneficial for mobile commerce applications (especially if your user base uses Amazon regularly), but there are some improvements to be made to the current version of the Amazon Login SDK for iOS.