We're testing "Shopify managed installation" [1] for our app.
This method appears to be recommended by the documentation, but we found two serious problems with it which make us wonder if it's ready for production.
1. If you enable this method (by providing a list of scopes in your shopify.app.toml via Shopify CLI), you will lose the ability to request scopes from a single merchant. We tested this by formatting an authorization code grant [2] with an extra scope not specified in the config file. When we received a callback and exchanged the `code` parameter for an access token [3], the requested scope seems to have been ignored in favour of the scopes provided in shopify.app.toml. We are not sure if this is a bug or intended behavior, but this is a regression in functionality.
2. When you add a new scope to shopify.app.toml, Shopify will force all users to upgrade in an unacceptably aggressive manner. There is no way to provide an explanation for why new scopes are requested and no way to opt out of the upgrade. If the user presses "Cancel" on the upgrade screen, they will not be able to load the app at all, not even to simply access their own information.
Is anyone using this "Shopify managed installation" in production? Is there a way to overcome these problems? Is it just a half-baked feature, or is it intended for a different type of app?
[1] https://shopify.dev/docs/apps/auth/installation
We've experienced the same thing: we've had merchants load our app with success, but no webhooks are being sent afterwards, causing the app to have no record in our DB. This was happening because the Shopify managed installation was failing at the "scopes stage" and not handling the error or providing feedback. Changing to use_legacy_install_flow = true under [access_scopes] in the toml file got things working again.
The same here. I find the process unclear. When I read managed app installation, it says that:
Apps no longer need to implement authorization code grant for installation or access scope changes.
However, when I test the app on a development store in the partner portal, it sends me a GET request as mentioned in the authorization code grant, step 1: verify the installation request.
Then, do I have to implement the logic again? Or how can I test my app on a dev store?