OAuth 2 Implicit flow

mvdb
New Member

Hi,
We are building a mobile app that will require users to login and access certain functionality that is exposed through the Storefront API. 

The documentation on OAuth 2 support for Shopify doesn't mention anything about the Implicit flow, so if I have a mobile app that needs to communicate with the Storefront API, it would require me to store the ClientId and Secret on the device. This is an obvious security issue.
Do you support the OAuth 2 Implicit flow for mobile/native apps? If not, what are other shops currently doing to avoid storing the sensitive info on the device?
Thanks

Michael

SBD_
Shopify Staff

Hey @mvdb,
There's no Storefront API user authentication flow. You'll use a token (which isn't secret) to access the Storefront API. More info here.
Depending on what you're trying to achieve, the admin API may be better suited. Alternatively, you could proxy requests from your app to a server and then access the Storefront API from there if you wanted to control who has access.

mvdb
New Member

Hey Scott,
Thanks for the reply. We need customers to log in with our merchant in order to see their orders etc. This is from a mobile/native app and there are some best practices that I want to follow.
With "native" apps (apps where we don't control the hardware) it is not best practice to store the secret on the device, even if encrypted. The ClientId and Secret OAuth token acquisition flow is used when you can control the hardware, such as a website/service. It is this token acquisition process that I am referring to.

The implicit OAuth flow was designed for this limitation, for when you can only acquire tokens based on a user's context, i.e. when a user provides credentials.

Now, with all this mentioned above, am I right to assume that the Storefront API is protected by OAuth but tokens can only be acquired by sending the ClientId and Secret? If you don't support the implicit flow, the proxy service might work, as it can acquire an OAuth token using the ClientId and Secret of our app, but we would still need to call some sort of "Authenticate User" method on some API at Shopify so that we know to security-trim the user and show the necessary details on his/her orders etc. I have seen methods on the Storefront API to create customers and reset their password, but nothing where one can actually log them in. Am I missing something?

SBD_
Shopify Staff

Hey @mvdb,
to see their orders etc

You can create a customer access token and then use it to query orders for that specific customer:
{
  customer(customerAccessToken:"<customer access token here>") {
    id
    orders(first:1) {
      edges {
        node {
          orderNumber
        }
      }
    }
  }
}

You'd still store the Storefront API access token (which isn't secret) on the device, or proxy through a server.
am I right to assume that the Storefront API is protected by OAuth

No, the Storefront API is an unauthenticated public API. All you need is a Storefront API access token. As a private app, you can obtain the token when creating a private app in the Shopify admin. As a public app, you need to obtain the token by using OAuth.

mvdb
New Member

Thanks for the info Scott,
I am curious then: how do merchants sign their customers in? You would need some sort of 'Authenticate' API call for the username/password pair of the customer. How would I achieve verifying that the customer is who they say they are?

SBD_
Shopify Staff

Hey @mvdb,
In the online store, this is done with a customer login form. For the Storefront API, you can validate credentials by obtaining a customerAccessToken. You can then use that token to request customer specific information (like previous orders).

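The two staff answers above describe one pattern: a server (or the app itself) exchanges the customer's email and password for a customerAccessToken, then uses that token to query the customer's orders, while the Storefront API access token travels in a request header. The following is an added example, not code from the thread or from Shopify: a small server-side helper for the "proxy through a server" variant. It assumes the Storefront GraphQL operations customerAccessTokenCreate (input: email, password; returning customerAccessToken { accessToken expiresAt } and customerUserErrors) and customer(customerAccessToken:) with orders(first:), the POST endpoint /api/<version>/graphql.json and the X-Shopify-Storefront-Access-Token header; confirm these names against the API version you target. The HTTP transport is injected, and the block ships with a constructed fake transport so it runs offline.

```python
"""Added example: exchange customer credentials for a Storefront customerAccessToken
on a proxy server, then list that customer's orders. Schema field names and the
endpoint URL are assumptions to verify against the Storefront API version in use."""
import json
import urllib.request

# Assumed Storefront API mutation: customerAccessTokenCreate
TOKEN_CREATE_MUTATION = """
mutation customerLogin($input: CustomerAccessTokenCreateInput!) {
  customerAccessTokenCreate(input: $input) {
    customerAccessToken { accessToken expiresAt }
    customerUserErrors { code field message }
  }
}
"""

# Assumed Storefront API query: customer(customerAccessToken:) { orders(first:) }
ORDERS_QUERY = """
query customerOrders($token: String!, $first: Int!) {
  customer(customerAccessToken: $token) {
    id
    orders(first: $first) { edges { node { orderNumber } } }
  }
}
"""


class CustomerLoginError(Exception):
    """Raised when login fails or a customer token is rejected."""


def build_token_create_request(email, password):
    return {"query": TOKEN_CREATE_MUTATION,
            "variables": {"input": {"email": email, "password": password}}}


def parse_token_create_response(resp):
    """Return (accessToken, expiresAt) or raise CustomerLoginError."""
    if resp.get("errors"):
        raise CustomerLoginError("GraphQL errors: " + "; ".join(
            e.get("message", "") for e in resp["errors"]))
    payload = resp["data"]["customerAccessTokenCreate"]
    if payload.get("customerUserErrors"):
        # Return a generic failure to the client so the response does not
        # reveal whether the email address exists (Shopify's message may).
        raise CustomerLoginError("invalid credentials")
    token = payload.get("customerAccessToken") or {}
    if not token.get("accessToken"):
        raise CustomerLoginError("no token returned")
    return token["accessToken"], token["expiresAt"]


def build_orders_request(token, first=10):
    return {"query": ORDERS_QUERY, "variables": {"token": token, "first": first}}


def parse_orders_response(resp):
    """Return the customer's order numbers; an expired or revoked token gives customer: null."""
    customer = (resp.get("data") or {}).get("customer")
    if customer is None:
        raise CustomerLoginError("customer token rejected")
    return [edge["node"]["orderNumber"] for edge in customer["orders"]["edges"]]


def login_and_list_orders(transport, email, password, first=10):
    """transport(request_dict) -> response_dict; the token is a bearer credential
    with an expiry, so the caller should store it as carefully as a session cookie."""
    token, expires_at = parse_token_create_response(
        transport(build_token_create_request(email, password)))
    orders = parse_orders_response(transport(build_orders_request(token, first)))
    return {"token": token, "expires_at": expires_at, "orders": orders}


def make_http_transport(shop_domain, storefront_token, api_version):
    """Real transport (assumed endpoint/header): only reached against a live shop."""
    url = f"https://{shop_domain}/api/{api_version}/graphql.json"

    def transport(request):
        req = urllib.request.Request(
            url, data=json.dumps(request).encode(), method="POST",
            headers={"Content-Type": "application/json",
                     "X-Shopify-Storefront-Access-Token": storefront_token})
        with urllib.request.urlopen(req, timeout=10) as r:
            return json.load(r)
    return transport


# Constructed fake transport and account so the example runs offline.
FAKE_ACCOUNTS = {"jane@example.com": "correct horse"}
FAKE_TOKEN = "fake-customer-token-123"


def fake_transport(request):
    variables = request["variables"]
    if "input" in variables:  # login mutation
        creds = variables["input"]
        if FAKE_ACCOUNTS.get(creds["email"]) == creds["password"]:
            return {"data": {"customerAccessTokenCreate": {
                "customerAccessToken": {"accessToken": FAKE_TOKEN,
                                        "expiresAt": "2000-01-01T00:00:00Z"},
                "customerUserErrors": []}}}
        return {"data": {"customerAccessTokenCreate": {
            "customerAccessToken": None,
            "customerUserErrors": [{"code": "UNIDENTIFIED_CUSTOMER",
                                    "field": ["input"], "message": "Unidentified customer"}]}}}
    if variables.get("token") == FAKE_TOKEN:  # orders query
        return {"data": {"customer": {"id": "gid://shopify/Customer/1", "orders": {
            "edges": [{"node": {"orderNumber": 1001}}, {"node": {"orderNumber": 1002}}]}}}}
    return {"data": {"customer": None}}


if __name__ == "__main__":
    print(login_and_list_orders(fake_transport, "jane@example.com", "correct horse"))
```

With this split, the device only ever holds the customerAccessToken it was issued, and the Storefront API access token lives on the proxy; the proxy also decides which customer data it exposes, which is the "control who has access" point from the first staff reply.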
mvdb
New Member

Hey Greatscott,
Thanks for the info. I think I have everything I need to get our work done; I would have to build a custom app that will replace the Customer Login Form and authenticate users to our cloud platforms instead.
I don't think that should be impossible to do, but it will be interesting as our first Shopify app.
Thanks for the assist

Michael

asim-zubair
Tourist

Hey mvdb,

Are you done with it now?
How are you logging the user in to Shopify, then, if the store isn't a Shopify Plus store?
