Our app has been rejected twice for the following reason:
Use OAuth to ask for scope permissions immediately after someone adds your app. Refer to our guide on authentication on install and review this example of what the required installation flow looks like.
We would love to get a more detailed explanation because we believe our OAuth flow is following the correct procedure.
You can watch this video and it will show you what our current OAuth flow looks like.
Any help is appreciated!
This is an accepted solution.
Maybe their issue is with your loading screen that shows before they are taken to Shopify's OAuth screen? Perhaps try removing that so it just redirects immediately.
When I've been already logged into my Partners page, I've never had Shopify ask me to select my account when I click test on development store - is that a page you inserted?
Please take a video where we can see the URL in the browser window as well, and also please describe in detailed steps what happens when someone hits your app (in terms of the logic and redirects).
@policenauts Thanks for the response. The selection of an account was done by Shopify. It does not normally happen.
Here is an updated video that shows the changes we made. The loading screen is no longer used.
1. Shopify store clicks install within Shopify App Store.
2. Shopify makes a GET request to our backend and we redirect directly to the Shopify OAuth page.
3. Store installs app and is redirected to our app's front end.
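The three steps above are the standard Shopify install flow, and the part that matters for security is step 2: the backend must not blindly redirect on whatever `shop` value arrives. Below is an added example (not the original poster's code, and not Shopify's own library) of the two checks a backend should do at that step and again on the callback: verify the `hmac` Shopify appends to the request, validate the shop domain before building a redirect to it, and bind the round trip with a `state` nonce. The client ID, secret, redirect URI, scopes and sample request values are constructed for the example; the domain regex is an assumption about what a valid `*.myshopify.com` host looks like.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Constructed credentials and settings for this example (not real values).
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example.com/auth/callback"  # hypothetical
SCOPES = "read_products,write_orders"                   # hypothetical

# Assumed shape of a valid shop domain. Rejecting anything else before the
# redirect stops a crafted `shop` parameter from turning the app into an open
# redirector that sends merchants to a look-alike OAuth page.
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$")


def _hmac_message(params: dict) -> str:
    # Shopify signs every query parameter except `hmac`, sorted by key and
    # joined as key=value pairs with '&'.
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")


def verify_hmac(params: dict, secret: str) -> bool:
    """Check the `hmac` query parameter Shopify appends to install/callback requests."""
    provided = params.get("hmac")
    if not provided:
        return False
    expected = hmac.new(secret.encode(), _hmac_message(params).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time compare so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, provided)


def build_install_redirect(params: dict, secret: str) -> tuple:
    """Step 2: handle Shopify's GET and return (authorize_url, state).

    The caller must persist `state` (e.g. in a signed cookie or server session)
    so the callback can be matched to this request."""
    if not verify_hmac(params, secret):
        raise ValueError("request is not signed by Shopify")
    shop = params.get("shop", "")
    if not SHOP_RE.match(shop):
        raise ValueError("invalid shop domain")
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": CLIENT_ID,
        "scope": SCOPES,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"https://{shop}/admin/oauth/authorize?{query}", state


def verify_callback(params: dict, secret: str, expected_state: str,
                    expected_shop: str) -> bool:
    """Step 3 entry point: accept the callback only if it is signed, carries the
    state we issued, names the shop we started with, and has a code to exchange."""
    if not verify_hmac(params, secret):
        return False
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        return False
    if params.get("shop") != expected_shop:
        return False
    return bool(params.get("code"))


def sign_params(params: dict, secret: str) -> dict:
    """Constructed helper that signs a request the way Shopify does, so the
    example has offline sample input. Not something a real app needs."""
    signed = dict(params)
    signed["hmac"] = hmac.new(secret.encode(), _hmac_message(params).encode(),
                              hashlib.sha256).hexdigest()
    return signed


# Constructed sample: what the install GET from Shopify looks like.
SAMPLE_INSTALL = sign_params(
    {"shop": "example-store.myshopify.com", "timestamp": "1700000000"},
    CLIENT_SECRET,
)

if __name__ == "__main__":
    url, state = build_install_redirect(SAMPLE_INSTALL, CLIENT_SECRET)
    print("redirect merchant to:", url)
    callback = sign_params({"code": "abc123", "shop": "example-store.myshopify.com",
                            "state": state, "timestamp": "1700000001"}, CLIENT_SECRET)
    print("callback accepted:", verify_callback(callback, CLIENT_SECRET, state,
                                                "example-store.myshopify.com"))
```

The redirect-with-no-logic approach the poster describes is fine, as long as "no logic" still includes the HMAC and shop-domain checks before the redirect is issued; the `state` value is what lets the callback handler reject a `code` that was not requested by this app instance.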
I think that looks good now without the spinning page (as the other poster said) and you shouldn't get that same rejection notice now. I'm not sure about the rules for immediately confronting a user with another login page, but I'm guessing that's not uncommon. You should be able to resubmit and it will go through the automated test within the first 15 minutes so you can find out pretty quickly if you succeeded.
Also for your GET request, you're not just checking for presence of an access token in your database, but actually hitting something like the 'shop' endpoint to confirm it's valid, right? When a shop uninstalls your app their access token is immediately revoked (which is helpful for when the bot uninstalls and reinstalls your app).
Is your app free? If not, did you implement the billing API?
That is good to hear.
Our main issue is that the normal route to install our app is through our application itself (i.e., a user would already be logged in to do it). We are keeping our app as unlisted. With that in mind, if someone did install the app from the app store link, they would just need to log in or register and their Shopify account would be automatically added.
As far as the initial GET request made by shopify, all that our backend is currently doing is building the redirect link and sending the user to the install page. There is very little logic in that step. After they install (or update), they are then redirected to our app which makes an API call to the backend. During that API call, we check to make sure the access token is valid and handle all business logic. Based on our testing, uninstalling and reinstalling should not be a problem.
Our app is technically free to use but there are paid options that offer more features. Those paid options are done through Stripe (Shopify is just one of many integrations we offer). I want to get a bit further in the review process to see if this will be a problem. We want to stay away from having to write a completely new billing system just for Shopify since our app is not just a Shopify app.
Thanks again for your help!
Great, good luck! There shouldn't be any issues with the normal route to install your app so long as it also works when you click "test on development store" (which it looks like it does).
If they give you grief about it the billing API is actually pretty easy overall to implement, I was able to do it in an afternoon. Just make sure you use GraphQL instead of REST / Admin API.
I was wondering what you ended up doing, because I have a similar situation where the app requires a login to our own website before the install.
Did you manage to get the review approved after making the login to your own website happen after the Shopify OAuth flow, as shown in the updated video you posted?