Dedicated to the Hydrogen framework, headless commerce, and building custom storefronts using the Storefront API.
Hello,
We (as a Shop Owner) want to use Shopify as an IdP (OAuth2, OpenID Connect) for a mobile app we've created. The Customers of our Shop should be able to sign in to the mobile app and communicate with our own backend. The backend should be able to identify the Customer and gain some more insights about the Customer's orders, profile information etc. Our app and backend will mainly just use Shopify for authenticating Customers and reading the Customers' information.
A great requirement is to not log out logged-in Customers from the App. Once a Customer is logged in, the state should stay for months or years based on the activity. We don't want the Customer to sign in every time he opens the mobile app.
Another requirement is to open the Shopify shop in a webview in the mobile app with the logged-in user also logged in to the shop!
## Expectation
We've expected to be able to leverage an OAuth flow for authenticating a Shop Customer, gaining access and refresh tokens we could then refresh until invalidation. The apps would do that and provide a valid access token on each request to our backend, which then could validate the provided access token and identify the Customer.
## State
We've explored the possibilities of the APIs provided by Shopify and realized that the main use case for the apps is to enhance the Shopify experience of the Customers by hooking into the Shop. But this is not our use case. Our mobile app provides a dedicated service for our Shop's Customers, meaning it does not fit into Shopify's definition of an "app".
We found that the Storefront API provides a way to authenticate a Customer via the `customerAccessTokenCreate*` mutation. But unfortunately it does not seem usable for our case:
Once an AccessToken expires, it cannot be renewed anymore, leading to the user being logged out and forced to relogin with his credentials. This breaks the requirement that the user should be left logged in for months/years. To avoid that we would need some refresh-token mechanism, but this does not seem to be the case here.
On mobile platforms we cannot ensure the app wakes up before an access token expires to renew it on time; it's not a reliable solution. We could instead save the user's password in the app locally, but this undermines security, and also this would still log out a user if the password gets changed.
Another way we elaborated was the client exchanging the Shopify access token with one provided by our backend. The backend would validate it somehow (this needs to be elaborated further!) and then discard the Shopify access token, because we cannot ensure to always refresh a large number of user access tokens on time and we definitely would run into a rate limit here.
We would then need to periodically sync the Customer account to detect changes, deletions etc.
But unfortunately this solution would break the second requirement, which says that the logged-in user is also logged in to the shop when opening it in-app in a webview. For this to work we need a multipass access token.
I hope that someone can help us to solve this problem.
The closest way that I can see to get what you want is to manage the user database in your platform and use Multipass to authenticate with Shopify. That way you have full control of how long they are logged in for and any time you need Shopify data from their customer account you can use customerAccessTokenCreateWithMultipass to get a new access token, then query as necessary. This, as you noted at the end, will also let you automatically log them into the webview.
I think a customer access token is valid for around two months, and for what it's worth if I was using an app I'd be fine having to authenticate again at that point.