Hi,
I am building a Shopify store and would like to ensure that it is only available for use to users of my existing (external) system. I have read the docs, and they seem to be pointing me in the direction of using Multipass, which seems like it could fit my needs, but I am not sure how to "require" that all users authenticate using my external system.
Is there a setting in Shopify which I need to configure in order to redirect all unauthenticated users to a specific page (in my case, an external website/URL's login page)?
Additionally, while I understand that by using Multipass I can allow users to log in to my external site/system, the process seems to suggest that upon successful authentication in my system I should redirect the user to my store /multipass/[token].
Is there anything preventing a malicious user from copy/pasting this multipass/[token] and sharing it with another user? I understand the docs say this specific token-based URL can only be used once, but couldn't the user simply log in to my system again to generate a new multipass/[token] URL and, for example, prevent their browser from making a request to the multipass/[token] URL, and instead share the URL with a user who does not have a login?
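
On the token-sharing concern raised above, an added example (not part of the original post and not Shopify's code) of generating a Multipass token that carries the documented optional `remote_ip` field, which ties the token to the address that authenticated with the external system. The class name, the secret, the `verify` method and the 15-minute `max_age` are assumptions; `verify` is only a local model of the receiving side so the effect can be tested offline.

```ruby
require "openssl"
require "base64"
require "json"
require "time"

# Added example, not Shopify's code. Key derivation and token layout follow
# the publicly documented Multipass scheme; all sample values are constructed.
class MultipassToken
  def initialize(secret)
    digest = OpenSSL::Digest.new("sha256").digest(secret)
    @enc_key = digest[0, 16]   # first half: AES-128-CBC key
    @sig_key = digest[16, 16]  # second half: HMAC-SHA256 key
  end

  # remote_ip binds the token to the address that logged in to the external
  # system, so a copied /multipass/[token] URL fails from any other address.
  def generate(email:, remote_ip:, now: Time.now.utc)
    data = { email: email, created_at: now.iso8601, remote_ip: remote_ip }
    cipher = OpenSSL::Cipher.new("aes-128-cbc")
    cipher.encrypt
    cipher.key = @enc_key
    iv = cipher.random_iv
    ciphertext = iv + cipher.update(data.to_json) + cipher.final
    Base64.urlsafe_encode64(ciphertext + sign(ciphertext))
  end

  # Local model of the receiving side's checks (assumption, for testing only).
  def verify(token, request_ip:, now: Time.now.utc, max_age: 15 * 60)
    raw = Base64.urlsafe_decode64(token)
    return :malformed if raw.bytesize < 64 # IV + one block + 32-byte HMAC
    ciphertext, sig = raw[0...-32], raw[-32..]
    return :bad_signature unless OpenSSL.secure_compare(sign(ciphertext), sig)
    decipher = OpenSSL::Cipher.new("aes-128-cbc")
    decipher.decrypt
    decipher.key = @enc_key
    decipher.iv = ciphertext[0, 16]
    data = JSON.parse(decipher.update(ciphertext[16..]) + decipher.final)
    return :expired if now - Time.iso8601(data["created_at"]) > max_age
    return :ip_mismatch unless data["remote_ip"] == request_ip
    :ok
  end

  private

  def sign(bytes)
    OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), @sig_key, bytes)
  end
end
```

The external system should take `remote_ip` from the connection that just authenticated, not from a client-supplied header, and generate the token only at redirect time so the validity window starts as late as possible.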