Embedded App OAuth redirect endless loop

Shaibt
Shopify Partner

Hi,

We have a working embedded app that can successfully go through OAuth flow and present our app embedded in Shopify Admin.

So far our app link has been pointing to our server OAuth EP to start and complete the flow. The one thing we never did is implement the recommended OAuth redirect script as explained here: App Bridge - Authenticate with OAuth. Meaning that our current OAuth process is not escaped from the iFrame and the OAuth scopes accept screen cannot be shown if required to.

We implemented the script as shown in the example using App Bridge Redirect. Now the OAuth process starts with the script.

The problem is: when trying to access our app on Shopify Admin, this results in an endless loop between Shopify and our App that ends with this error:

The app couldn’t be loaded

This app can’t load due to an issue with browser cookies. Try enabling cookies in your browser, switching to another browser, or contacting the developer to get support.

The URL shows: "https://shopOrigin/admin/apps?app_id=XXXXX&oauth_error=same_site_cookies"

Looking at Chrome console we can see:

  1. script is called and identifies it's in an iframe - uses App Bridge Redirect to redirect to shop permission url
  2. permission EP calls our OAuth redirect callback successfully and token is exchanged
  3. after token exchange our OAuth callback redirects the client to our app root url
  4. our app root url initiates react-app-bridge provider (with forceRedirect===true)

Instead of landing in the embedded app's landing page as expected the whole process is started again in a loop for 3-4 times until we receive the error above.

The thing is - our app doesn't use cookies at all so I don't understand the `same_site_cookie` error. Also, Chrome debug tools don't indicate any SameSite cookie issues either.

jhickman-shilo
Visitor

I have the same issue. Custom application written in Python Flask. Works correctly in Firefox and Chromium, get the error in Google Chrome.

tecsploit
Tourist

Hi Guys,

Did you ever get a solution to this? I have a similar issue: my app installs and authenticates fine, but if you refresh the browser 3-4 times in a row in a 1 minute window, on the last time I get this error:

Refused to display 'https://xxxx.myshopify.com/admin/apps?app_id=xxxx&oauth_error=same_site_cookies' in a frame because it set 'X-Frame-Options' to 'deny'.

Shaibt
Shopify Partner

Never was able to work out why this isn't working as expected.

As an interim solution we took our admin app outside of the embedded Shopify admin pages - at least until they find a more robust method to integrate into admin and work around all the 3rd party cookie issues (again, our app doesn't even use cookies).

Bigjjjim
Shopify Partner

Facing exactly the same situation. Is there still no way around this? 

OrderMagik
Tourist

Facing this issue as well. Does anyone have a solution or documentation to point to? Simply switching to Firefox or another browser isn't fixing this for us.

matiasturunen
Tourist

Has anyone got this resolved? I'm currently experiencing this issue as well.

arsuceno
Shopify Partner

I'm having this issue in a very random way and only in really few cases. But the same computer and the same Chrome browser sometimes work and sometimes don't. So it's quite difficult to find a specific cause. Suggestions appreciated.

MartinKrauser
Shopify Partner

I'm having the exact same issue - with the app template the CLI installed, no less. It failed to load in the Admin UI out of the box.

minsko
Shopify Partner

The "oauth_error=same_site_cookies" error can occur if the access scopes configured on the deployed server do not match the scopes defined for the app in Shopify.

michsko544
Shopify Partner

In my case, the problem of infinite OAuth redirects was caused by inconsistent access scopes.
Run the command `pnpm run shopify app info` and check the access scopes. They must be the same as the access scopes defined on the production server in the .env file. If they are different, you have to change the config locally and push it with the `pnpm run shopify app config push` command.
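
The scope comparison described in the post above can be scripted as a pre-deploy check. This is an added example, not code from the thread or from Shopify: the `SCOPES` variable name in `.env`, the `[access_scopes]` table with a `scopes` key in the app's TOML config, and all sample values are assumptions, and the comparison is an exact set match that ignores order, whitespace and duplicates.

```javascript
// Added example (not from the thread). Variable and key names are assumptions.

// Normalize a comma-separated scope string into a Set.
function parseScopes(raw) {
  return new Set(String(raw || "").split(",").map((s) => s.trim()).filter(Boolean));
}

// Scopes the server will request: SCOPES=... line in .env text (assumed name).
function scopesFromEnv(envText) {
  const m = envText.match(/^[ \t]*SCOPES[ \t]*=[ \t]*["']?([^"'\r\n#]*)/m);
  return parseScopes(m ? m[1] : "");
}

// Scopes declared for the app: scopes = "..." under [access_scopes] in TOML text.
function scopesFromToml(tomlText) {
  const section = tomlText.split(/^\s*\[access_scopes\]\s*$/m)[1] || "";
  const body = section.split(/^\s*\[/m)[0]; // stop at the next table header
  const m = body.match(/^[ \t]*scopes[ \t]*=[ \t]*"([^"]*)"/m);
  return parseScopes(m ? m[1] : "");
}

// Report scopes present on one side only; any difference is a mismatch.
function diffScopes(serverScopes, appScopes) {
  const missingInApp = [...serverScopes].filter((s) => !appScopes.has(s)).sort();
  const missingOnServer = [...appScopes].filter((s) => !serverScopes.has(s)).sort();
  return {
    match: missingInApp.length === 0 && missingOnServer.length === 0,
    missingInApp,
    missingOnServer,
  };
}

// Constructed sample inputs (not real configuration).
const SAMPLE_ENV = "SHOPIFY_API_KEY=placeholder\nSCOPES=write_products, read_orders\n";
const SAMPLE_TOML =
  'name = "example-app"\n\n[access_scopes]\n' +
  'scopes = "read_orders,write_products,read_customers"\n\n[auth]\nredirect_urls = []\n';

const report = diffScopes(scopesFromEnv(SAMPLE_ENV), scopesFromToml(SAMPLE_TOML));
console.log(report.match ? "scopes match" : "scope mismatch", report);
```

Failing the deployment when `match` is false catches the mismatch before it shows up as a redirect loop, and the two lists show which side has to change.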

Jclewis1989
Shopify Partner

@michsko544 - Thank you. That was incredibly helpful and the appropriate fix for me as well. I really appreciate you posting your solution.

James Lewis