Honestly, the flow charts on https://shopify.dev/tools/app-bridge/authentication sum up the entire concept very well once you understand both the OAuth flow on Shopify with App Bridge, and the underlying principles of how JWTs work.
Not a question about JWT. They exist, are not new, and can be understood when you choose to dig in! You win there.
The problem is that recently (last 3 years or so), things have changed a lot with how Shopify works and how browsers work. Shopify has gamely tried to keep up, but it turns out to be both hard and painful since some things (browsers) are out of their control.
So this introduction to JWT could have gone smooth as butter, had the whole thing been introduced from scratch, as a thing. Instead, it was merged into the ongoing, constantly fluxing App gem, and the two do not necessarily mesh/merge well. To me, that is the main issue. I leave out and skip how this affects other projects and their individual woes with it (anything Node or Python or PHP for example).
And as a final note, it is new, and not the easiest thing in the world to comprehend and understand the App Bridge itself. Can you point out any nice deep dives into it? I have found zero, save for scrounging the code and issues. I guess my point is not being aggro to you, but to point out that while for YOU it may all be easy and make sense, your specialization in that may prevent you from recognizing how much work it is to not only dissect the finer points of it (JWT) but also to make it serviceable inside Shopify Apps, and with the constantly evolving App Bridge. Moving targets are not ideal to trick out with even the granddaddies of authorization, so of course this issue persists.
You make out like it is a lack of desire in the community to learn JWT as the issue, which is in some part true. Over the years I myself have conferred that advice a lot, RTFM, when appropriate. I am not seeing anything yet where it is RTFM but instead, this is just complaints directed at no one in particular, because we have to adopt something that is awkward to use, and soon.
FWIW, while I think we would've been better off using something other than the myshopify.com domain as a permanent identifier, you can rely on the myshopify.com domain as a stable identifier for a shop.
Our Ruby reference implementation associates the myshopify.com domain with the Admin API token returned via OAuth. You can then use the `dest` claim in the JWT (which contains the myshopify.com domain) to look up the correct Admin API token and use it to make requests on behalf of the shop. (This assumes that you're not using "online tokens", which are tied to a particular user, in which case you should use the `sub` claim which contains the user ID.)
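An added example of the lookup described above; it is not Shopify's reference implementation and not code from this thread. It verifies the session token first, then selects the Admin API token by `dest` (offline, per shop) or by `sub` (online, per user). It assumes the token is HS256-signed with the app's API secret, that `aud` carries the app's API key, and that `dest` may hold the shop host with or without a scheme; all credentials and tokens are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed sample credentials and token store (placeholder values, not real ones).
APP_API_KEY = "example-api-key"         # session token's aud claim must equal this
APP_API_SECRET = b"example-api-secret"  # assumed: HS256 key is the app's API secret
OFFLINE_TOKENS = {"example-shop.myshopify.com": "shpat_offline_example"}  # by shop
ONLINE_TOKENS = {"1234": "shpat_online_example"}                          # by user id

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def shop_from_dest(dest):
    """dest may be a bare host or a URL; return the myshopify.com host."""
    host = dest.split("://", 1)[-1].split("/", 1)[0].lower()
    if not host.endswith(".myshopify.com"):
        raise ValueError("dest is not a myshopify.com domain")
    return host

def verify_session_token(token, now=None):
    """Check signature, alg, aud and time window; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, sig_b64 = parts
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept 'none'
    expected = hmac.new(APP_API_SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("aud") != APP_API_KEY:
        raise ValueError("token not issued for this app")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    return claims

def admin_token_for(claims, online=False):
    """Offline: look up by shop (dest). Online: look up by user id (sub)."""
    if online:
        return ONLINE_TOKENS[claims["sub"]]
    return OFFLINE_TOKENS[shop_from_dest(claims["dest"])]

def make_sample_token(claims):
    """Constructed helper that mints a token as the issuer would, for testing only."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(APP_API_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```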
@Michael_Ragalie Thank you for the clarification! I just wanted to make sure that we can use the shopify domain. Do we have a ballpark when this will be out of beta? We already have our implementation ready to roll out. This will make the experience consistent and much better for users.
We're aiming to bring it out of beta end of September/early October. First we're following up on some of the feedback from this thread and other venues to make sure this is something developers feel comfortable adopting.
If it's working for you, feel free to use it in production (we have several apps doing so already, including some of our most used internal apps). Technically we reserve the right to make breaking changes until it's out of beta, but it's looking unlikely we will actually do so.
@Michael_Ragalie yeah it's pretty solid already honestly, I have it running in production with my app. The only issue I really have is you guys need to do some better documentation for app bridge in general. I wanted to know more about the new app bridge utils involving this new auth method, but I had to resort to looking in node_modules to find how each of those new classes worked under the hood and what options I had with them. There are links to README files on the npm package but those take you to the internal repo which nobody has access to. Would be nice to at the very least have some kind of public documentation on some of these classes and other app bridge elements so we can fully understand them.
I was able to get this running in production as well using the info that @KisukaKiza posted on this thread along with the docs. I did end up taking the koa-shopify-auth and graphqlproxy packages and stripped them of cookie cruft, and consolidated a few things.
One of the things that would be nice to know more about is whether we can also still use a Provider after using createApp. It would be great if there was something like an app prop on the Provider where we could pass the already instantiated app. Without that it seems like the useAppBridge hook fails looking for the context.
Otherwise it seems to be working great! I've also tested on Safari, and the Safari Technology Preview and it's loading fast without issues.
Like already mentioned it would be cool to have access to the source on @shopify/app-bridge-utils.
@KisukaKiza thanks again for the great post earlier. Here it is again if anyone missed it:
Thanks for the feedback! We published some documentation on how the helpers work so you don't have to dig into node_modules to use them.