
Is "Shopify managed installation" ready for production?

boronine
Shopify Partner

We're testing "Shopify managed installation" [1] for our app.

 

This method appears to be recommended by the documentation, but we found two serious problems with it which make us wonder if it's ready for production.

 

1. If you enable this method (by providing a list of scopes in your shopify.app.toml via Shopify CLI), you will lose the ability to request scopes from a single merchant. We tested this by formatting an authorization code grant [2] with an extra scope not specified in the config file. When we received a callback and exchanged the `code` parameter for an access token [3], the requested scope seems to have been ignored in favour of the scopes provided in shopify.app.toml. We are not sure if this is a bug or intended behavior, but this is a regression in functionality.

 

2. When you add a new scope to shopify.app.toml, Shopify will force all users to upgrade in an unacceptably aggressive manner. There is no way to provide an explanation for why new scopes are requested and no way to opt out of the upgrade. If the user presses "Cancel" on the upgrade screen, they will not be able to load the app at all, not even to simply access their own information.

 

Is anyone using this "Shopify managed installation" in production? Is there a way to overcome these problems? Is it just a half-baked feature or is it intended for a different type of app?

 

[1] https://shopify.dev/docs/apps/auth/installation

[2] https://shopify.dev/docs/apps/auth/get-access-tokens/authorization-code-grant/getting-started#step-2...

[3] https://shopify.dev/docs/apps/auth/get-access-tokens/authorization-code-grant/getting-started#step-4...

 

Founder and tech lead for Simple Affiliate:
https://apps.shopify.com/simple-affiliate
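
The check described in point 1 of the post above, as an added example that is not part of the original thread: it compares the scopes an app put in its authorization request with the comma-separated `scope` field of the access token response. The function names and sample values are constructed for illustration, and the rule that a `write_` scope covers the matching `read_` scope is an assumption of this example.

```javascript
// Assumption: a write_ scope also grants the matching read_ scope, so a
// response listing only write_orders still covers a read_orders request.
function expandImplied(scopes) {
  const out = new Set(scopes);
  for (const s of scopes) {
    const m = /^(unauthenticated_)?write_(.+)$/.exec(s);
    if (m) out.add(`${m[1] || ""}read_${m[2]}`);
  }
  return out;
}

// Accepts "a,b,c" (the form used in the authorize URL and token response)
// or an array, and returns a clean list of scope names.
function parseScopes(value) {
  const list = Array.isArray(value) ? value : String(value || "").split(",");
  return list.map((s) => s.trim()).filter(Boolean);
}

// Compare what the app requested with what the token response says was granted.
// missing:    requested scopes the token does not carry
// unexpected: granted scopes the request never asked for
function diffScopes(requested, tokenResponse) {
  const want = parseScopes(requested);
  const wanted = expandImplied(want);
  const granted = expandImplied(parseScopes(tokenResponse.scope));
  const missing = want.filter((s) => !granted.has(s));
  const unexpected = [...granted].filter((s) => !wanted.has(s));
  return { ok: missing.length === 0, missing, unexpected };
}

// Constructed sample: the request asked for read_customers on top of the
// configured scopes, but the token response only lists the configured ones.
const sampleResponse = {
  access_token: "shpat_EXAMPLE_PLACEHOLDER",
  scope: "read_products,write_orders",
};
const result = diffScopes("read_products,write_orders,read_customers", sampleResponse);
if (!result.ok) {
  console.warn(`Token is missing requested scopes: ${result.missing.join(", ")}`);
}
```

Running this comparison right after the code exchange lets the app log or alert on a mismatch instead of calling APIs with a token that lacks the scope it expected.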

kyle_sierens
Shopify Partner

We've experienced the same thing. We've had merchants trying to load our app with success, but no webhooks are being sent afterwards, causing the app to have no record in our DB. This was happening because the Shopify Managed installation was failing at the "scopes stage" and not handling the error or providing feedback. We set use_legacy_install_flow = true under [access_scopes] in the toml file and things started working again.

jam_chan
Shopify Partner

The same here. I find the process unclear. When I read managed app installation, it says that:

Apps no longer need to implement authorization code grant for installation or access scope changes.

 

However, when I test the app on a development store in the partner portal, it sends me a GET request as mentioned in the authorization code grant - step 1 verify the installation request.

 

Then, do I have to implement the logic again? Or how can I test my app on a dev store?

BYOB - Build Your Own Bundles, SPO - SEO App to research keywords & edit social link preview