Hello, I'm currently developing an embedded app. To facilitate testing before publishing I've made a page that requests authorization on the unpublished app so it can be installed and tested on other people's stores.
When creating the `oauth/authorize` request I make sure to pass the client_id, redirect_uri, scope and state parameters. Everything works fine if the user has logged in their store admin before making the installation request and my redirect_uri is properly receiving all of the parameters that it should: code, hmac, shop, state and timestamp.
If the user has not logged into their store admin before hand though this is what happens:
They are first redirected to the Shopify login page and after logging in they are shown the confirmation dialog from Shopify, everything so far is as expected. But when they are redirected to the redirect_uri after confirming the request I don't receive the state parameter back. I then have only these paramters passed to me from Shopify: code, hmac, shop and timestamp. After that, of course, my validation fails, because it couldn't verify the request.
I can see when I'm on the confirmation page (`admin/oauth/request_grant`) that the state param is in the GET parameters, like this:
The redacted state here is the correct one that I've originally sent.
Am I missing something obvious here or is this a potential bug?
I facing the same issue I am passing a state but the half of the state is coming, for example if I pass state url
https://myapplication/#/landing?integration_key=thirdparty, but the state once it return to my app it will be only https://myapplication.
Even I have checked quoting the state url also not help