Impersonating a Resource Owner in Implicit Flow
Websites using the Implicit Grant receive an access token from the Login with Amazon authorization service passively through a redirect URL . If an attacker can entice a user into logging in to a malicious site, the attacker's site will receive a legitimate access token. The attacker can then pass that access token to the redirect URL on another site to make it appear that the user is trying to login to the site.
Clients using the implicit flow can guard against this attack by verifying that an access token is legitimate before using it to retrieve a customer profile and complete login. Login with Amazon provides an endpoint specifically for verifying access tokens. Clients should use that endpoint to compare their client identifier to the client identifier that originally requested the access token. If the client identifiers do not match, the login request should be rejected.
For more information, see Verifying Access Tokens.