App installation works, but fails to get an auth token

Solved
Shopify Staff

Hey @jasoncarousel!

Have you set up the callback URL in the Partner Dash for the app? You'll also need to verify the HMAC signature during the redirect/upon installation confirmation.

Further reading on Authenticating with OAuth here and, for a private app, here. Also, although this tutorial for setting up a private app uses Node.js/React, it illustrates the process with screenshots as well.

Hope that helps!

Callum | Developer Support @ Shopify

0 Likes
Excursionist

Hi @CalD! Thanks for the reply. We have actually successfully set up a separate private app before. The issue we are currently having is with a custom app. Since you mention a private app tutorial, I just want to make sure that your advice also applies to a custom app before we start trying to implement it.

0 Likes
Shopify Staff

The first link does cover both private and custom apps. The specific step that might be missing from Step 2: Ask for permission is:

{redirect_uri}: The URL to which a user is redirected after authorizing the client. The complete URL specified here must be added to your app as an allowed redirection URL, as defined in the Partner Dashboard.

Also, if you run into further trouble, any extra info you can provide from the OAuth requests (x-request-id response header, etc.) might help narrow down the cause.

Callum | Developer Support @ Shopify

0 Likes
Excursionist

Thanks for confirming @CalD. Yes, we have set up the URL provided in the redirect_url parameter as an allowed redirect URL in the app setup of partner admin. Here is a screenshot of our admin screen for the app (editing out the domain since this is a public post):

[Screenshot: App setup in partner admin]

And here is what we are sending in the querystring (editing out the same domain, so the omitted bits are identical):

[Screenshot: The query string in code]

So if we understand how the redirect_url parameter is supposed to be set up, then we think we have set it up correctly.

We can definitely provide anything about the request you would like, assuming it can be pulled out of the C# WebClient class. That could be a lot of info, though, so we'll pull some of what you mentioned together into another, separate reply on this thread, and you can request anything else that might be helpful.

0 Likes
Excursionist

Hello again @CalD,

Here is the full request and full response when we try to call the auth_token API. I redacted some of the information that we knew was sensitive, but if anything else here is sensitive unbeknownst to us, please let us know.

// HTTP Request made at 9/30/2020 3:59:53 PM EDT

Request Endpoint: https://REDACTED.myshopify.com/admin/oauth/access_token
Request Method: POST
Request Version: 1.1
Request Header 'Request-Id': |820de580-42d724eaf828bb55.1.
Request Body: {"client_id":"REDACTED","client_secret":"REDACTED","code":"REDACTED"}

Response Status: BadRequest
Response Version: 1.1
Response Reason Phrase: Bad Request
Response Header 'Date': Wed, 30 Sep 2020 19:59:53 GMT
Response Header 'Transfer-Encoding': chunked
Response Header 'Connection': keep-alive
Response Header 'Set-Cookie': REDACTED
Response Header 'X-Sorting-Hat-PodId': 148
Response Header 'X-Sorting-Hat-ShopId': 48442081429
Response Header 'Referrer-Policy': origin-when-cross-origin
Response Header 'X-Frame-Options': DENY
Response Header 'X-ShopId': 48442081429
Response Header 'X-ShardId': 148
Response Header 'Cache-Control': no-store, no-cache
Response Header 'Strict-Transport-Security': max-age=7889238
Response Header 'X-Request-ID': 9a65d19e-3b39-4f53-b868-4bed9752821f
Response Header 'X-Shopify-Stage': production
Response Header 'Content-Security-Policy': default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.us.shopifycs.com https://js-agent.newrelic.com https://bam.nr-data.net https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com https://widget.intercom.io https://js.intercomcdn.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=access_token&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Foauth&source%5Bsection%5D=admin&source%5Buuid%5D=9a65d19e-3b39-4f53-b868-4bed9752821f
Response Header 'X-Content-Type-Options': nosniff
Response Header 'X-Download-Options': noopen
Response Header 'X-Permitted-Cross-Domain-Policies': none
Response Header 'X-XSS-Protection': 1; mode=block; report=/xss-report?source%5Baction%5D=access_token&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Foauth&source%5Bsection%5D=admin&source%5Buuid%5D=9a65d19e-3b39-4f53-b868-4bed9752821f
Response Header 'X-Dc': gcp-us-central1,gcp-us-central1
Response Header 'CF-Cache-Status': DYNAMIC
Response Header 'cf-request-id': 058232a4310000d26a070c5200000001
Response Header 'Expect-CT': max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Response Header 'Server': cloudflare
Response Header 'CF-RAY': 5db086e6bb5fd26a-DFW
Response Header 'Alt-Svc': h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Response Body: {"client_id":"REDACTED","client_secret":"REDACTED","code":"REDACTED"}

0 Likes
Excursionist

This is an accepted solution.

@CalD Actually, we figured it out.

It turns out the original issue was that we were not getting the one-time code correctly that Shopify provides. We were reading the wrong query string variable.

We fixed that, but by that point we had changed our content request type from application/json to text/plain per the user policenauts1 on this forum. We forgot to change it back.

So we finally used the correct one-time code variable name at the same time as using our original content type of application/json, and we were able to successfully authenticate.

Thanks so much for the help!

1 Like
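
The callback handling discussed in this thread, as an added example that is not code from any poster or from Shopify: it verifies the hmac on the redirect, reads the one-time code from the `code` parameter, and builds the application/json body shown in the request log. The sorted key=value signing format, the `shop`/`state`/`timestamp` parameter names and the hostname pattern are assumptions taken from Shopify's OAuth documentation rather than from this thread, and all sample values are constructed.

```python
import hashlib
import hmac
import json
import re
from urllib.parse import parse_qsl, urlencode

# Assumed pattern for a valid shop host; the client_secret must never be
# posted to a host taken unchecked from the query string.
SHOP_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.myshopify\.com$")

def sign(params, client_secret):
    """Hex HMAC-SHA256 over the sorted key=value pairs, excluding 'hmac' (assumed format)."""
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(client_secret.encode(), message.encode(), hashlib.sha256).hexdigest()

def build_token_request(callback_query, client_id, client_secret):
    """Validate the OAuth redirect; return (url, headers, body) for the token POST."""
    pairs = parse_qsl(callback_query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        raise ValueError("duplicate query parameter")
    supplied = params.get("hmac", "")
    # Constant-time comparison on bytes, so odd input cannot raise TypeError.
    if not hmac.compare_digest(sign(params, client_secret).encode(), supplied.encode()):
        raise ValueError("hmac mismatch")
    shop = params.get("shop", "")
    if not SHOP_RE.fullmatch(shop):
        raise ValueError("unexpected shop hostname")
    code = params.get("code")  # the one-time code; any other variable name fails
    if not code:
        raise ValueError("no 'code' parameter in callback")
    body = json.dumps({"client_id": client_id, "client_secret": client_secret, "code": code})
    return (f"https://{shop}/admin/oauth/access_token",
            {"Content-Type": "application/json"}, body)

def constructed_callback(client_secret, include_code=True):
    """Constructed sample redirect query (not real data), signed as above."""
    params = {"shop": "example-store.myshopify.com", "state": "nonce123",
              "timestamp": "1601495993"}
    if include_code:
        params["code"] = "constructed-code"
    params["hmac"] = sign(params, client_secret)
    return urlencode(params)

if __name__ == "__main__":
    query = constructed_callback("example-secret")
    url, headers, body = build_token_request(query, "example-client-id", "example-secret")
    print(url, headers, sep="\n")
```
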