Focuses on API authentication, access scopes, and permission management.
Hi,
We submitted our app for review and received feedback that we always need to redirect the user to the "give permission to this app" screen.
Currently, after the user gives the app approval once and then uninstalls the app, on a new install into the same store it allows them straight through as they gave permission before.
However, it looks like we always need to force the ask for permission screen again.
I have looked over the docs and I cannot find what I have to call to enable this functionality. Any help is greatly appreciated as I am starting to tear my hair out.
Mark
Hi Mark,
To ensure that the "give permission to this app" screen is always shown, you can include the grant_options[] parameter with the value per-user when generating the authorization URL to create an online access token. This will force the permission screen to show every time, even if the user has already granted permissions before.
Here's an example of how to include the grant_options[] parameter in the authorization URL:
https://<your_shop>.myshopify.com/admin/oauth/authorize?client_id=<your_client_id>&scope=<your_scopes>&redirect_uri=<your_redirect_uri>&state=<your_state>&grant_options[]=per-user
If you also need an offline access token, you can request it invisibly (like you already are).
Hope this helps!
Shayne | Developer Advocate @ Shopify
Brilliant, thanks Shayne. I will give this a try!
Hi Shayne,
How does the offline access token get generated with the example you gave? Should it auto gen the offline token with that or do I have to specify something in particular?
Cheers
Mark
Hi Shayne, any more info you can give, please? It is not working as expected.
Hey @cammark,
The example provided by Shayne above includes the grant_options param in the authorization stage of OAuth and sets the {access_mode} to per_user - see doc here. The confirmation step that precedes returns an authorization_code that can be exchanged for an access_token using the access token endpoint - see step 5 in the linked doc.
For a bit more context, here is another community discussion about using multiple tokens and access modes in tandem, with some insights on other developers' approaches. Many developers using this approach initially request the offline token during app installation for tasks not dependent on individual users' sessions, by omitting the grant_options[] parameter. They then separately request online tokens for each user session, to provide access tailored to the need (more info here).
I hope this helps! If you have any further questions or need more clarification, feel free to ask - Cheers!
@awwdam | Shopify Developer Support
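The two authorization requests described in the reply above (offline by omitting grant_options[], online with grant_options[]=per-user), sketched as an added example that is not code from the thread or from Shopify. The function names, the sample shop and client values, and the `*.myshopify.com` host check are assumptions made for illustration.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: shops are served from <name>.myshopify.com, as in the URL quoted above.
SHOP_RE = re.compile(r"[a-z0-9][a-z0-9-]*\.myshopify\.com")


def new_state() -> str:
    """Unguessable per-request nonce; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def authorize_url(shop, client_id, scopes, redirect_uri, state, online):
    """Build the /admin/oauth/authorize URL for one authorization request.

    online=False omits grant_options[] (offline token request);
    online=True appends grant_options[]=per-user (online token request).
    """
    shop = shop.lower()
    # Reject anything that is not a bare shop host, so the user is never
    # redirected to an attacker-chosen origin.
    if not SHOP_RE.fullmatch(shop):
        raise ValueError("unexpected shop host: %r" % shop)
    params = [
        ("client_id", client_id),
        ("scope", ",".join(scopes)),
        ("redirect_uri", redirect_uri),
        ("state", state),
    ]
    if online:
        params.append(("grant_options[]", "per-user"))
    # urlencode percent-encodes the brackets; the server decodes them back.
    return "https://%s/admin/oauth/authorize?%s" % (shop, urlencode(params))


def state_matches(expected: str, callback_url: str) -> bool:
    """Constant-time check that the callback carries the state we issued."""
    got = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    return hmac.compare_digest(expected.encode(), got.encode())
```

Each request gets its own state value, and the callback handler calls state_matches before exchanging the returned code at the access token endpoint.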
I have just noticed an issue with this requirement.
I have to use &grant_options[]=per-user so it asks the user for permission on each install of the app, but the code generated is not an offline token and that is what I need for my application.
What am I meant to do in this situation?
Mark