App rejected: Use OAuth to ask for scope permissions immediately

New Member
2 0 0


Our app was rejected for the following reason: 

Use OAuth to ask for scope permissions immediately after someone adds your app. Refer to our guide on authentication on install and review this example of what the required installation flow looks like.

See video here of our current installation flow from a test development store. From what I can see, we are indeed immediately asking for scope permissions with an immediate redirect and no intermediate loading page (as I saw was the issue in other posts).

One thing I have noticed we've omitted is the 'state={nonce}' parameter in the redirect URI (see Step 2: Ask for permission). Would the absence of this parameter cause the App Scanner to throw the above failure? We're adding the nonce parameter and nonce check during the Step 3: Confirm installation but I just wanted to get your thoughts on whether this is the underlying cause of the reject or if I'm missing something else.

Kind regards,