OAuth Authentication Issue: App Rejected for Not Following Immediate OAuth Requirement

FrenzyRider
Shopify Partner
6 0 3

I'm developing a public app that integrates with Shopify to provide various functionalities. My app recently got rejected during the review process for not adhering to the immediate OAuth authentication requirement.

Current Flow:

  1. User logs in to my software dashboard.
  2. User creates a new Shopify integration, filling in their Shopify shop name and selecting the related my software's store.
  3. User clicks the "Authorize" button, which redirects them to the Shopify OAuth page.
  4. After authorizing the app on Shopify, the user is redirected back to my software.

I spoke to Shopify support, and they couldn't provide code development assistance but suggested I post here.

Questions:

  1. Does my current flow violate Shopify's immediate OAuth requirement?
  2. How can I modify my flow to meet Shopify's guidelines, considering that the OAuth URL requires the {shop} parameter, which is the merchant's Shopify store name?

Additional Information:

  • Language/Framework: .NET C#, not using any Shopify libraries

I appreciate any guidance or suggestions you can provide. Thank you for your time!

Replies 11 (11)

Liam
Shopify Staff
2731 302 777

Hi FrenzyRider,

From your description, your current flow appears to be in line with Shopify's OAuth requirements.

Here's what the OAuth flow should look like for a typical Shopify app:

  1. The merchant installs your app.
  2. Your app redirects the merchant to Shopify's OAuth authorization page.
  3. The merchant decides whether to grant the requested access to your app.
  4. Shopify redirects the merchant to your app along with an authorization code.
  5. Your app makes a request to Shopify to exchange the authorization code for an access token.

If your flow is different from the one described above, then you might be breaking the immediate OAuth requirement.

About your second question, the {shop} parameter in the OAuth URL is indeed the merchant's Shopify store name and it must be provided. If the merchant is setting up the integration from within your app, you should already know their Shopify store name. You can include this in the OAuth URL.

If you don't have the Shopify store name at the time of integration setup, you might need to adjust your flow. You could ask for the Shopify store name as part of your integration setup process.

In terms of .NET C# libraries, ShopifySharp is a popular choice for developing Shopify integrations. It takes care of much of the complexity of Shopify's API, including OAuth authentication. 

Hope this helps!

Liam | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

symphonie
Shopify Partner
1 0 1

Hi Liam, we are having the same exact problem. We are following the standard workflow for oauth virtually identical to FrenzyRider:

1. User logs into our app
2. Adds basic information for their brand (name and Shopify shop name)
3. Clicks a button to initiate oauth
4. After authorizing, they are redirected back to our software

We've tested this workflow a dozen times with the development store and one Shopify brand that used a custom version of our app for beta testing. But Shopify rejected our application and I am confused why. 

It seems to me they are doing the OAuth process in reverse. They start from Shopify, they initiate OAuth and land on our application where we show them a login screen. We ask them to log in and - once logged in - then we would proceed with the OAuth process. We need the login so we know who you are (we provided Shopify with a test account for this reason). They are rejecting the application with a screenshot of the login page saying "Merchants should not be able to interact with the user interface (UI) before OAuth." But if you don't log in, we can't connect the OAuth request with the correct account on our side.

invenium viam aut faciam - Hannibal Barca of Carthage
raahulguptahati
Shopify Partner
1 0 1

Hi @symphonie, @Liam and @FrenzyRider,
We're encountering a similar problem with Shopify OAuth and receiving the following error: "Your app must immediately authenticate using OAuth before any other steps occur. Merchants should not be able to interact with the user interface (UI) before OAuth. We were redirected to your sign-up page upon adding the app." Have you successfully resolved this issue, or could we connect with you for guidance on resolving this error?

FrenzyRider
Shopify Partner
6 0 3

I never managed to get on Shopify's public app. Due to the time constraints we faced, we had to give up on pursuing the public app route. Instead, we either had our clients create a private app for their shop or assisted them in setting it up.

ecommix
Shopify Partner
4 0 0

Hi, we are following a similar approach and received this request from the Shopify team:


Your app must immediately authenticate using OAuth before any other steps occur. Merchants should not be able to interact with the user interface (UI) before OAuth.

I think the issue primarily occurs when a merchant installs the app through the Shopify store rather than the web application. In such cases, the app should automatically handle authentication, avoiding the need for the user to sign in or register a new account, perhaps by creating an account automatically upon installation. This is just a guess since there is no way to report this.

ecommix
Shopify Partner
4 0 0

UPDATE: Indeed, this was the issue. When a merchant installs the app directly from the App Store, rather than through our web application, Shopify directs them to our web app. However, we must handle this redirect and navigate the user towards the Shopify OAuth process from there too.

Make sure to test this flow: go to the App Store and try to install your app. If your web app does not navigate you to the Shopify OAuth flow, your app won't be approved.

stevenolay
Shopify Partner
2 0 0

When the merchant installs the app directly from the App Store, I assume that Shopify invokes the app URL that we have specified in the configuration? However, in order to go through the Shopify OAuth flow, we need to know the shop domain. I am assuming when they call our app URL they will pass the shop domain as a query param or something?

Was that your experience?
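
As an added example (not code from this thread, from Shopify, or from any poster's app), here is one way to handle the App URL hit in an ASP.NET Core minimal API, matching FrenzyRider's .NET stack. When a merchant installs from the App Store, Shopify opens the configured App URL with shop, hmac, timestamp and host query parameters (the parameter stevenolay asks about), so the handler validates the request with the app secret and redirects straight to the OAuth authorize URL rather than showing a sign-in page, as ecommix describes. The client ID, secret, scopes, redirect URI and cookie name are assumed placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Placeholder credentials (assumed); replace with your own app's values.
const string ClientId = "YOUR_CLIENT_ID";
const string ClientSecret = "YOUR_CLIENT_SECRET";
const string Scopes = "read_products";
const string RedirectUri = "https://app.example.com/shopify/callback";

var app = WebApplication.CreateBuilder(args).Build();

// Shopify opens the configured App URL when a merchant installs from the App
// Store, passing shop, hmac, timestamp and host as query parameters. Instead
// of showing a login page, validate the request and redirect straight to OAuth.
app.MapGet("/", (HttpContext ctx) =>
{
    var query = ctx.Request.Query;
    var shop = query["shop"].ToString();
    if (!Regex.IsMatch(shop, @"^[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com$")
        || !HmacIsValid(query, ClientSecret))
        return Results.BadRequest("Invalid install request.");
    // Random state echoed back on the callback; the callback handler compares
    // it with this cookie before exchanging the authorization code for a token.
    var state = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
    ctx.Response.Cookies.Append("shopify_oauth_state", state,
        new CookieOptions { HttpOnly = true, Secure = true, SameSite = SameSiteMode.Lax });
    var authorizeUrl = $"https://{shop}/admin/oauth/authorize?client_id={ClientId}"
        + $"&scope={Scopes}&redirect_uri={Uri.EscapeDataString(RedirectUri)}&state={state}";
    return Results.Redirect(authorizeUrl);
});

app.Run();

// Recomputes Shopify's HMAC-SHA256 over the remaining query parameters (hmac
// removed, sorted by key, joined as key=value&...) and compares in constant time.
bool HmacIsValid(IQueryCollection query, string secret)
{
    var sent = query["hmac"].ToString();
    if (!Regex.IsMatch(sent, "^[0-9a-fA-F]{64}$")) return false;
    var message = string.Join("&", query.Where(kv => kv.Key != "hmac")
        .OrderBy(kv => kv.Key, StringComparer.Ordinal)
        .Select(kv => $"{kv.Key}={kv.Value}"));
    using var mac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
    var expected = mac.ComputeHash(Encoding.UTF8.GetBytes(message));
    return CryptographicOperations.FixedTimeEquals(expected, Convert.FromHexString(sent));
}
```

The callback endpoint at RedirectUri (not shown) should check the state cookie and the hmac again before exchanging the code for an access token, and only then create or link the account on your side.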

Tihomir_Sokolov
Shopify Partner
3 1 0

Hi,
but we don't want to be a public app; we chose an unlisted app, and all our clients will find an installation link inside their profile.

If the app is not public, how will someone go to this public link?
I can't redirect users inside our platform before they create their own profiles.

visitoredge
Shopify Partner
3 0 0

Hey there!

We've been facing the same issue, any luck with this so far? 

FrenzyRider
Shopify Partner
6 0 3

Hi, I never managed to get on Shopify's public app. Due to the time constraints we faced, we had to give up on pursuing the public app route. Instead, we either had our clients create a private app for their shop or assisted them in setting it up.

supplyq
Shopify Partner
4 0 1

I don't have a solution for you FrenzyRider, but I also wanted to write in (for others that see this post) that I have been experiencing the same issue.

Similar to your flow listed above, that was the initial route I took for users to make an OAuth request. My app was denied due to not immediately authenticating the user once installed from the Shopify App Store/testing zone.

To fix this, I created an entirely separate registration flow, simply for Shopify users. After testing on one of my test shops, I thought I was good to go, but I continued to receive error messages that my app did not immediately authenticate users (even though I'm 99% certain my new endpoints initiate authentication immediately).

To make matters worse, my app has been suspended for 2 weeks for making new submissions, no guidance from Shopify as to what my issue is, save a 5 second screen capture that displays an error message from the authentication attempt (including a url that I cannot decipher in full).

However, FrenzyRider, I do ask: have you had success with your clients authenticating from your Current Flow that you have above? And you just don't have your app listed on Shopify?