The OAuth2 specification provides for a "state" parameter in the Redirect URI to allow, for example, CSRF protection. For example, see RFC6749, Section 4.1.1 at https://tools.ietf.org/html/rfc6749#section-4.1.1 . The server then sends back the same state parameter, as indicated in the following section of RFC6749.
That RFC indicates that, with respect to the "state" parameter:
The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.
That is how it works with other OAuth2 providers, such as Google-oauth2, Facebook, and GitHub. All of those require a whitelisted Redirect URI, and they work without including the query string containing the "state" parameter in the Redirect URI provided in the configuration.
However, using Login with Amazon, the documentation states that the Redirect URI must include the query string, which is impossible because the state parameter is necessarily different with each call. Specifying the Redirect URI without the state parameter or with a blank state parameter results in a "The redirect URI you provided has not been whitelisted" error.
All of the example Redirect URIs in your documentation state that the query string must be included, but none of them provide an example of actually including the query string in the Redirect URI.
Can you tell me what I should set in the Redirect URI to indicate that the state parameter will be present and will vary with each call? How is the query string specified in the Redirect URI? Thanks!
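For reference, the RFC 6749 flow the question describes, as an added example that is not part of the post and is not Login with Amazon's own code or endpoint: the registered redirect URI is the bare callback URL, `state` travels as its own query parameter on the authorization request, and the callback handler checks it before using the code. The endpoint, client id and callback URL below are constructed placeholders, and the in-memory `session` dict stands in for whatever server-side session store the application uses.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders (not Amazon's real endpoint or credentials).
AUTHORIZE_ENDPOINT = "https://authz.example.test/oauth/authorize"
CLIENT_ID = "example-client-id"
# The redirect URI registered (whitelisted) with the provider:
# scheme, host and path only, no query string.
REGISTERED_REDIRECT_URI = "https://app.example.test/oauth/callback"


def query_params(url: str) -> dict:
    """Return the query string of a URL as {name: first value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def start_authorization(session: dict) -> str:
    """Generate a fresh, unguessable state, remember it in the user's
    session and build the authorization URL (RFC 6749 section 4.1.1).
    'state' is a parameter of the authorization request; the redirect_uri
    value carries no query string, so it matches the whitelisted entry."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "scope": "profile",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back from the provider (RFC 6749 section 4.1.2)
    and return the authorization code. Raises ValueError when the state is
    missing, already consumed or does not match the one stored at the start
    of the flow; that comparison is the CSRF check section 10.12 calls for."""
    query = query_params(callback_url)
    # Consume the stored state whether or not the check passes, so a
    # callback URL can never be replayed against the same session.
    expected = session.pop("oauth_state", None)
    received = query.get("state")
    if expected is None or received is None:
        raise ValueError("missing state")
    if not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}")
    code = query.get("code")
    if not code:
        raise ValueError("missing code")
    return code


if __name__ == "__main__":
    session = {}
    url = start_authorization(session)
    print("redirect the browser to:", url)
    # Simulated provider redirect back to the registered callback URL.
    callback = f"{REGISTERED_REDIRECT_URI}?code=abc123&state={session['oauth_state']}"
    print("authorization code:", handle_callback(session, callback))
```

The point the example makes is that `state` never appears in the configured redirect URI; the provider copies it from the authorization request onto the redirect, and the application compares the value it gets back with the one it stored, in constant time and only once.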