Solved

Shopify App - OAuth

Jautomatic
Shopify Partner

I have a few questions regarding setting up the OAuth flow, mainly about steps 2 and 3 here (https://shopify.dev/apps/auth/oauth/getting-started#step-2-verify-the-installation-request).

For step 2, when I test my app on the development store by installing the app, I do see the {shop}, {timestamp}, and {hmac} query parameters in the URL, but I don't see a {state} parameter. Is that also supposed to be part of the query parameters?

For step 3 and building my own redirect URL, can I get elaboration on the {redirect_uri} and {nonce} query parameters? For {redirect_uri}, my understanding is that a user would install my app from Shopify. If the user grants me authorization and allows my app to be installed, where would I be redirecting them to? To my web app or back to Shopify? And for {nonce}, where does that value come from and what do we do with it?

Accepted Solution (1)

ShopifyDevSup
Shopify Staff

This is an accepted solution.

Hey @Jautomatic, the {state} parameter is connected to the {nonce} value that is set up when requesting access scopes like this: 

https://{shop}.myshopify.com/admin/oauth/authorize?client_id={client_id}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce}&grant_options[]={access_mode}

The initial GET request to your app that's triggered when a merchant installs the app before the OAuth processing begins on your end does only require the shop, timestamp and hmac params.


The {nonce} value itself is set up through a redirection URL provided by you to the merchant through a 3xx redirect. More information on this here. You can set the {nonce} value to anything you'd like - your app just verifies this value matches the one you provided during the redirect in order to authorize the app on the merchant's store. I'd also recommend taking a look at our libraries here. We maintain official API libraries for Node.js, PHP and Ruby which include OAuth processes out of the box. There are also a few other third-party libraries for other languages out there that may include this functionality.

Hope this helps! 

Developer Support @ Shopify
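
The state check described in the answer above, sketched in Node.js as an added example (not part of the original thread and not code from Shopify's libraries). The function names, the `session` object and the choice of a random 16-byte nonce are assumptions; `grant_options[]` is left out, and the example assumes the callback's `shop` parameter carries the full `{shop}.myshopify.com` hostname.

```javascript
const crypto = require('crypto');

// Step 3: build the redirect to Shopify's authorize URL and remember the nonce.
// `session` is any per-browser server-side store (assumption: a plain object here).
function buildAuthorizeUrl({ shop, clientId, scopes, redirectUri }, session) {
  // Accept only a bare store name so the redirect cannot leave *.myshopify.com.
  if (!/^[a-z0-9][a-z0-9-]*$/i.test(shop)) throw new Error('invalid shop name');
  const nonce = crypto.randomBytes(16).toString('hex'); // unpredictable, per install
  session.pendingOAuth = { shop: `${shop}.myshopify.com`, nonce };
  const params = new URLSearchParams({
    client_id: clientId,
    scope: scopes.join(','),
    redirect_uri: redirectUri, // a URL on your own app that handles the callback
    state: nonce,
  });
  return `https://${shop}.myshopify.com/admin/oauth/authorize?${params}`;
}

// Callback: the `state` echoed back must equal the nonce stored for this session.
function verifyCallbackState(query, session) {
  const pending = session.pendingOAuth;
  delete session.pendingOAuth; // single use: a replayed callback finds nothing
  if (!pending || typeof query.state !== 'string') return false;
  if (query.shop !== pending.shop) return false;
  const got = Buffer.from(query.state);
  const want = Buffer.from(pending.nonce);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}
```

A callback that passes this check still needs its `hmac` parameter verified before the authorization code is exchanged.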