Hey everyone!
I have a question regarding the authorization of users. I followed the OAuth flow until the point where I got the access token for the shop. So far, so good. But when a user is interacting with my non-embedded app now, how do I know the user is actually a user of that shop and not someone else?
When opening the app from Shopify admin, I get the parameters hmac, host, session, shop and timestamp. Is it enough to validate the request using hmac?
Thanks for any help!
Hello there!
Authorizing a user in a non-embedded app on Shopify involves the following steps:
It is important to note that the redirect URL you pass to the Redirect.create method must be whitelisted in the app settings in the Shopify Partner Dashboard. Additionally, the scopes you request must match the permissions you need for your app to function properly. It's also important to make sure that you are handling the access token securely and storing it properly.
Make sure to follow Shopify's guidelines and best practices when developing your app and handling user data. Keep in mind that security is important and the user's trust is valuable.
If this fixed your issue, likes and accepting as a solution are highly appreciated.
Hello @EcomGraduates
Thank you for your reply. But as stated in my initial post, this is what I have already done. My question was: what is the best way to verify that the user who will talk to my API after the code exchange is actually part of that shop? The access token only authorizes the backend to talk to Shopify, not the user. I was looking for a way to authorize the user to talk to our backend.
But I assume that our backend just needs to provide its own access token for the user. I just thought there was an easier solution for it using the data Shopify provided.
When accessing the non-embedded app, the user will always go through the normal Shopify OAuth flow first. During that process, it is guaranteed that the user is part of the requesting shop and the request can be verified using the hmac. For further requests to my backend API, I return an access token created by my backend at the end of the OAuth flow. That token contains the shop and is signed using a backend secret (could be the app secret for example).
So basically, I use the OAuth flow to make sure the user belongs to the shop and then create my own access token for the user so they can access my app backend.
In addition, I also provide a refresh token, so the user can refresh their access token.
I am doing research on OAuth with non-embedded apps, and I found that non-embedded apps cannot make use of the App Bridge instance; however, you state differently?
So is it possible to use the App Bridge with a non-embedded app to authorize?