When clicking an Amazon web services login link today, I noticed some familiar URL parameters: ?openid.assoc_handle=aws&openid.return_to=...
So Amazon is internally using OpenID between its services!
A sane choice, since it enables them to have a separate login server (farm), and thus only have to store (and check) passwords once on this central place. Using a standardized protocol is also a good choice: it is known to work fine out in the internet, and there are well-tested libraries out there to utilize it.
It also follows their internal policy of making every service available via an API :
5) All service interfaces, without exception, must be designed from the ground up to be externalizable. That is to say, the team must plan and design to be able to expose the interface to developers in the outside world. No exceptions.
The split-up URL is as follows:
'https', 'host' => 'www.amazon.com', 'path' => '/ap/signin', 'query' => array ( 'openid_assoc_handle' => 'aws', 'openid_return_to' => 'https://portal.aws.amazon.com/gp/aws/developer/registration/index.html', 'openid_mode' => 'checkid_setup', 'openid_ns' => 'http://specs.openid.net/auth/2.0', 'openid_identity' => 'http://specs.openid.net/auth/2.0/identifier_select', 'openid_claimed_id' => 'http://specs.openid.net/auth/2.0/identifier_select', 'action' => '', 'disableCorpSignUp' => '', 'clientContext' => '', 'marketPlaceId' => '', 'poolName' => '', 'authCookies' => '', 'pageId' => 'aws.ssop', 'siteState' => 'awscustomer', 'accountStatusPolicy' => 'P1', 'sso' => '', 'openid_pape_preferred_auth_policies' => 'MultifactorPhysical', 'openid_pape_max_auth_age' => '3600', 'openid_ns_pape' => 'http://specs.openid.net/extensions/pape/1.0', 'server' => '/ap/signin?ie=UTF8', 'accountPoolAlias' => '', 'forceMobileApp' => '0', 'forceMobileLayout' => '0', ), ) ]]>