DocumentationAdobe PassAdobe Pass Authentication

Amazon SSO Cookbook (REST API V2)

Last update: April 4, 2025
  • Topics:
  • Authentication
IMPORTANT
The content on this page is provided for information purposes only. Usage of this API requires a current license from Adobe. No unauthorized use is permitted.

The Adobe Pass Authentication REST API V2 has support for Platform Single Sign-On (SSO) for end users of client applications running on FireOS.

This document acts as an extension to the existing REST API V2 Overview that provides a high-level view and the document that describes how to implement Single sign-on using platform identity flows.

Amazon single sign-on using platform identity flows

Adobe Pass Authentication collaborates with Amazon to improve the login user experience and to facilitate Single Sign-On (SSO) across TV Everywhere applications for TV subscribers.

Prerequisites

Before proceeding with the Amazon single sign-on using platform identity flows, ensure the following prerequisites are met.

Integrate Amazon SSO SDK

The streaming application must integrate the Amazon SSO SDK library for Single Sign-On (SSO) into its build.

  • Download and copy the latest Amazon SSO SDK library into a /SSOEnabler folder parallel to the application’s directory.

  • Update the manifest and Gradle files to use the Amazon SSO SDK library.

    Manifest:

    <uses-library android:name="com.amazon.ottssotokenlib" android:required="false">

    Gradle:

    Under repositories:

    flatDir {
    dirs '../SSOEnabler'
}

    Under dependencies:

    provided fileTree(include: ['ottSSOTokenStub.jar'], dir: '../SSOEnabler')

Use Amazon SSO SDK

The streaming application must use the Amazon SSO SDK to obtain the SSO token (platform identity) payload.

The Amazon SSO SDK provides both synchronous and asynchronous APIs to obtain the SSO token (platform identity) payload.

The streaming application can choose one of the two options based on its architecture.

Asynchronous APIs

  • Get the SSOEnabler instance and set the SSOEnablerCallback:

    SSOEnabler ssoEnabler = SSOEnabler.getInstance(context);

SSOEnablerCallback ssoEnablerCallback = new SSOEnablerCallbackImpl();
ssoEnabler.setSSOTokenCallback(ssoEnablerCallback);

    This can be done during the initialisation of the streaming application.

    public static abstract class SSOEnablerCallback
{
        public abstract void getSSOTokenSuccess(Bundle result);
        public abstract void getSSOTokenFailure(Bundle result);
}

    The SSO token success response bundle will contain:

    • An SSO token as a string with key “SSOToken”.

    The SSO token failure response bundle will contain:

    • An error code as an int with key “ErrorCode”.
    • An error description as a string with key “ErrorDescription”.

  • Get the SSO token:

    Bundle getSSOTokenAsync(Void);

    This API will provide the response via callback set during the initialisation.

Synchronous APIs

  • Get the SSOEnabler instance:

    SSOEnabler ssoEnabler = SSOEnabler.getInstance(context);

  • Get the SSO token:

    Bundle getSSOTokenSync(Void);

    This API will block the caller thread and respond with the result bundle. Since this is a synchronous call, be sure to not use it in your main thread.

    void setSSOTokenTimeout(long);

    This API will set the timeout value for the synchronous call. The default timeout value is 1 minute.

Fallback for Amazon SSO

The streaming application must handle fallback scenarios from the Amazon SSO flow to the regular authentication flow.

Ensure that the streaming application is handling:

  • The absence of the Amazon companion application that should be running on the Amazon device.

    • The streaming application may encounter a ClassNotFoundException at runtime on the following class com.amazon.ottssotokenlib.SSOEnabler.

  • The absence of the SSO token (platform identity) payload that should be returned by the above APIs.

    • The streaming application may contact the Amazon and Adobe representatives to investigate.

Workflow

The Amazon SSO token (platform identity) payload needs to be present on all HTTP requests made against Adobe Pass Authentication REST API V2 endpoints:

/api/v2/*

Adobe Pass Authentication REST API V2 supports the following methods to receive the SSO token (platform identity) payload which is a device-scoped or platform-scoped identifier:

  • As a header named: Adobe-Subject-Token
IMPORTANT
For more details about Adobe-Subject-Token header, refer to the Adobe-Subject-Token documentation.

Samples

Sending as a header

GET /api/v2/{serviceProvider}/sessions HTTP/1.1
Host: sp-preprod.auth.adobe.com

Adobe-Subject-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJyb2t1IiwiaWF0IjoxNTExMzY4ODAyLCJleHAiOjE1NDI5MDQ4MDIsImF1ZCI6ImFkb2JlIiwic3ViIjoiNWZjYzMwODctYWJmZi00OGU4LWJhZTgtODQzODViZTFkMzQwIiwiZGlkIjoiY2FmZjQ1ZDAtM2NhMy00MDg3LWI2MjMtNjFkZjNhMmNlOWM4In0.JlBFhNhNCJCDXLwBjy5tt3PtPcqbMKEIGZ6sr2NA
IMPORTANT
In case the Adobe-Subject-Token header value is missing or invalid, then Adobe Pass Authentication will service the requests without taking Single Sign-On into account.
recommendation-more-help
3f5e655c-af63-48cc-9769-2b6803cc5f4b