Shopify Auth

New Member
6 0 0

Trying to set up authorization and I'm a little confused...

In my original submission it was rejected because I was missing the redirect to shopify.com/admin/oauth/request_grant.

So I added this - and it displays the grant access screen on Shopify, but when the user clicks install and it returns to my redirect URI it's missing the state param (which ultimately causes validation failure on my app).

In the documentation re. auth (https://shopify.dev/tutorials/authenticate-with-oauth) it does not mention the request_grant endpoint at all, but rather https://{shop}.myshopify.com/admin/oauth/authorize?.

Now this URL does not display the grant access screen on Shopify but does return to my redirect URI with the state param, passing validation.

I'm not sure which URL is the correct one to use and what to do about the missing state param.

Any insight into this issue would be appreciated, thank you!

0 Likes
Trailblazer
134 12 22

What is your permission URL (the one you construct for OAuth) and what is your redirect URI?

0 Likes
New Member
6 0 0

Well, I've tried both https://{shop}.myshopify.com/admin/oauth/authorize (like the docs say) and https://{shop}.myshopify.com/admin/oauth/request_grant (which my submission rejection email says to do).

Then my redirect URI just goes back to my app. /authorize doesn't present the grant access screen on Shopify, but returns state correctly to my redirect. request_grant works as I would expect it to from the user's perspective, but does not return the state to the redirect URI.

0 Likes
Trailblazer
134 12 22

Hmm, well I haven't yet gone through the approval process so take this for what it's worth, but just to confirm: are you constructing the full permission URL with all the parameters below (I think grant_options might be optional?)


https://{shop}.myshopify.com/admin/oauth/authorize?client_id={api_key}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce}&grant_options[]={access_mode}


0 Likes
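Building that permission URL with a fresh, unguessable state nonce per attempt and then checking the echoed state on the redirect URI, as an added Python example that is not from any poster here and not Shopify's own library code. The shop domain, API key, scopes and redirect URI are constructed placeholders; the in-memory PENDING_STATES dict stands in for whatever session or database store the app actually uses.

```python
import re
import secrets
import urllib.parse

# Shopify's documented shape for a shop domain: letters, digits and hyphens
# followed by .myshopify.com. Checked before any redirect is built from it,
# so an attacker-supplied "shop" cannot send the merchant somewhere else.
SHOP_DOMAIN = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com$")


def is_valid_shop_domain(shop):
    return bool(SHOP_DOMAIN.match(shop or ""))


def build_permission_url(shop, api_key, scopes, redirect_uri, state, access_mode=None):
    """Assemble the /admin/oauth/authorize URL quoted in the thread.
    grant_options[] is only appended when an access mode is requested."""
    params = [
        ("client_id", api_key),
        ("scope", ",".join(scopes)),
        ("redirect_uri", redirect_uri),
        ("state", state),
    ]
    if access_mode:
        params.append(("grant_options[]", access_mode))
    # urlencode percent-encodes the brackets as %5B%5D; it is the same parameter.
    return f"https://{shop}/admin/oauth/authorize?" + urllib.parse.urlencode(params)


# Constructed in-memory nonce store keyed by shop; a real app would use a
# server-side session or a database row tied to the install attempt.
PENDING_STATES = {}


def start_install(shop, api_key, scopes, redirect_uri):
    """Return the URL to redirect the merchant to, remembering the nonce."""
    if not is_valid_shop_domain(shop):
        raise ValueError("not a myshopify.com domain")
    nonce = secrets.token_urlsafe(32)  # one per authorization attempt
    PENDING_STATES[shop] = nonce
    return build_permission_url(shop, api_key, scopes, redirect_uri, nonce)


def validate_callback(query_string):
    """Check the state echoed back on the redirect URI against the stored nonce.
    Returns the shop on success, None otherwise. The nonce is consumed whether
    or not it matched, so a captured callback cannot be replayed."""
    params = dict(urllib.parse.parse_qsl(query_string))
    shop, state = params.get("shop"), params.get("state")
    if not is_valid_shop_domain(shop):
        return None
    expected = PENDING_STATES.pop(shop, None)
    if expected is None or state is None:
        return None
    return shop if secrets.compare_digest(expected, state) else None


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url = start_install("example.myshopify.com", "example_api_key",
                        ["read_products"], "https://app.example/auth/callback")
    print(url)
    nonce = PENDING_STATES["example.myshopify.com"]
    print(validate_callback(f"shop=example.myshopify.com&code=x&state={nonce}"))
```

The callback handler should still exchange the `code` for an access token and verify the `hmac` parameter on the query string; this block only covers the state round trip that the thread is stuck on.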
Tourist
10 0 2

Hi Guys,

I know this is an old thread but did you ever get to the bottom of it? I'm getting the same issue, my app is failing the automated tests, saying that I need to redirect to

https://xxxx.myshopify.com/admin/oauth/request_grant

But the docs say I should use

https://xxxx.myshopify.com/admin/oauth/authorize

I am adding all the params as per the docs, and installing onto a dev site, uninstalling and re-installing works fine. Can anyone confirm which URL is correct? I assume it's the authorize one as per the docs?

thanks

0 Likes
Shopify Partner
40 3 14

I know this may be a silly question and that they often point people to this forum, but have you tried opening a ticket with Shopify support directly? I have made a couple of apps but nothing published yet so I can't speak for this exact issue of using the "wrong" URL. The doc does say '/authorize' but they are making lots of changes lately and it would not be unheard of for docs to be out of date.

Out of curiosity, are you coding the OAuth by hand or using a framework of some sort?

0 Likes
Tourist
10 0 2

Hey,

I haven't logged a support ticket, but I'll try that next. I'm coding the OAuth by hand, using ShopifySharp as reference; it works great on a dev site but I can't get it past the automated tests, and the error they are giving me doesn't help me identify the problem unfortunately.

I've read a lot of posts on here and tried all sorts of changes. It would be good to know definitively what the correct URLs are in what circumstances. Some people have said that the URL needs to be different after the initial install, but this isn't documented. I've tried it but that causes me an x-frame related error and I don't know whether trying to fix that is a waste of time or not!!

Thanks for the suggestion!


0 Likes
Shopify Partner
40 3 14

Sure thing. If you are able to get an answer back from Shopify Support definitely post back here and let us know. I hope to be sending my first app through the publishing process soon, so this would definitely be good to know.

As far as the URL being different for post install, I do not believe this is correct. I had actually originally opened a post on this forum about that (https://community.shopify.com/c/Technical-Q-A/Setting-Shopify-App-Dashboard-URL-vs-Install-URL/m-p/6...). I have since discovered that it is indeed the same URL for install as it is for opening the app from the dashboard. The key here is more in the permissions. Every time your app gets accessed it needs to run through the OAuth, not just for install. This is for security reasons. If it did not need the same OAuth then there would be a major hole in the security of the apps. But essentially the next time around, when going through the OAuth handshake for opening the app, not installing, as long as the permissions required haven't changed it will not display the install/update prompt for the store owner and will end with your final redirect URL.

0 Likes
Excursionist
28 0 3

@Martin_Caum you are correct that there is no different link pre vs post install and that if someone who already has it installed goes through that link there is no harm, but it is not correct that you must route the user through OAuth permission URL every time. 

What I do for my app when a merchant hits the app is 1) I check if I actually have an access token and if so then 2) I hit the shop endpoint to see if the access token I have is valid. You also need to check for a valid charge_id at some point in there. When you're coding all of this logic by hand (like I did), it's quite manual and very confusing - I believe Shopify's node / rails libraries take care of all this heavy lifting for you (my next app is utilizing the shopify_app Rails library). 

0 Likes
Shopify Partner
40 3 14

Interesting. I was under the impression the OAuth was needed every time. But shouldn't it still be done for security reasons? Otherwise it is hard to verify that the call is coming from Shopify for real and this could open things up to hackers (unless your app requires a login on your side). So if just calling the endpoint allows the client to view it, as long as the token checks out on your backend, then basically anyone can go directly to the endpoint and have immediate access to the app, which depending on what it does would be very dangerous. And you can't just go off of the referrer URL because that can easily be spoofed. If I am missing something else let me know, but it seems to me like the OAuth every time is a good security measure at the least.

In response to your comment about their frameworks handling all the heavy lifting, this is true. But I had nothing but issues trying to work with the Ruby one. I spent less time doing it by hand and have a much lighter app that way as well. I am going to give the Node.js one a try at some point. But for now, I am just going to stick to manually coding in PHP.

0 Likes
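The two previous posts disagree on whether a merchant must go through the OAuth grant on every app load. What the app needs on every load is proof the request came from Shopify, and Shopify provides that as an `hmac` query parameter on both the OAuth callback and each embedded app load: drop `hmac`, sort the remaining parameters by key, join them as `key=value&key=value`, compute HMAC-SHA256 with the app's shared secret and compare the hex digest in constant time. The block below is an added Python example, not from any poster and not Shopify's library code; it verifies that signature and then applies the earlier post's check (token on file for the shop: serve the app; no token: send the merchant through OAuth). The shared secret, shop and token values are constructed, and `sign_query` exists only to build a sample request the way Shopify would sign it on its side.

```python
import hashlib
import hmac
import urllib.parse

# Constructed sample secret; a real app reads its API secret from config.
SHARED_SECRET = "example_shared_secret"


def _message(params):
    """Canonical string Shopify signs: every param except hmac (and the legacy
    signature param), sorted by key, joined as key=value&key=value."""
    kept = sorted((k, v) for k, v in params if k not in ("hmac", "signature"))
    return "&".join(f"{k}={v}" for k, v in kept)


def sign_query(params, secret):
    """Produce a signed query string. Shopify does this on its side; it is here
    only so the example can construct a realistic request offline."""
    digest = hmac.new(secret.encode(), _message(params).encode(), hashlib.sha256).hexdigest()
    return urllib.parse.urlencode(list(params) + [("hmac", digest)])


def verify_shopify_hmac(query_string, secret):
    """True only if the hmac parameter matches the HMAC-SHA256 of the other
    parameters under the app's shared secret. Constant-time comparison so the
    check does not leak how many leading bytes of the digest were right."""
    params = urllib.parse.parse_qsl(query_string, keep_blank_values=True)
    received = dict(params).get("hmac")
    if not received:
        return False
    expected = hmac.new(secret.encode(), _message(params).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), received.encode())


def decide_app_load(query_string, secret, tokens):
    """Decide what to do with an app-load request.
    'reject' : signature missing or wrong, so not a request Shopify sent.
    'serve'  : Shopify sent it and we already hold a token for that shop.
    'oauth'  : Shopify sent it but we have no token, so start the grant flow.
    `tokens` is a constructed dict of shop -> stored access token."""
    if not verify_shopify_hmac(query_string, secret):
        return "reject"
    shop = dict(urllib.parse.parse_qsl(query_string)).get("shop", "")
    if shop in tokens:
        return "serve"
    return "oauth"


if __name__ == "__main__":
    # Constructed request as Shopify would send it when the merchant opens the app.
    q = sign_query([("shop", "example.myshopify.com"), ("timestamp", "1600000000")], SHARED_SECRET)
    print(q)
    print(decide_app_load(q, SHARED_SECRET, {"example.myshopify.com": "stored-token"}))
    print(decide_app_load(q, SHARED_SECRET, {}))
    print(decide_app_load("shop=example.myshopify.com&timestamp=1600000000", SHARED_SECRET, {}))
```

A stored token can still have been revoked (the merchant uninstalled the app), which is why the earlier post also probes the shop endpoint with it; a 401 from that call should be treated the same as the `oauth` branch here. Checking the `timestamp` parameter against a short window is a further, separate defence against replaying an old signed URL.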