Embedded App OAuth redirect endless loop

Shopify Partner
24 1 16


We have a working embedded app that can successfully go through OAuth flow and present our app embedded in Shopify Admin.

So far our app link has been pointing to our server OAuth EP to start and complete the flow. The one thing we never did is implement the recommended OAuth redirect script as explain here: App Bridge - Authenticate with OAuth . Meaning that our current OAuth process is not escaped from the iFrame and the OAuth scopes accept screen cannot be shown if required to.

We implemented the script as shown in the example using App Bridge Redirect. Now the OAuth process starts with the script.

The problem is: when trying to access our app on Shopify Admin, this results in an endless loop between Shopfiy and our App that ends with this error:


The app couldn’t be loaded

This app can’t load due to an issue with browser cookies. Try enabling cookies in your browser, switching to another browser , or contacting the developer to get support.


The URL shows: "https://shopOrigin/admin/apps?app_id=XXXXX&oauth_error=same_site_cookies "

Looking at Chrome console we can see:

  1. script is called and identifies its in an iframe - uses App Bridge Redirect to redirect to shop permission url
  2. permission EP calls our OAuth redirect callback successfully and token is exchanged
  3. after token exchange our OAuth callback redirects the client to our app root url
  4. our app root url initiates react-app-bridge provider (with forceRedirect===true)

Instead of landing in the embedded app's landing page as expected the whole process is started again in a loop for 3-4 times until we receive the error above.

The thing is - our app doesn't use cookies at all so I don't understand the `same_site_cookie` error. Also, Chrome debug tools doesn't indicate any Samesite cookie issues either.


Replies 6 (6)
New Member
2 0 0

I have the same issue. Custom application written in Python Flask. Works correctly in FireFox and Chromium, get the error in Google Chrome.

10 0 2

Hi Guys,

did you ever get a solution to this? I have a similar issue, my app installs and authenticates fine, but if you refresh the browser 3-4 times in a row in a 1 minute window, on the last time  I get this error

Refused to display 'https://xxxx.myshopify.com/admin/apps?app_id=xxxx&oauth_error=same_site_cookies' in a frame because it set 'X-Frame-Options' to 'deny'.



Shopify Partner
24 1 16


Never was able to work out why this isn't working as expected.

As interim solution we took our admin app outside of the embedded Shopify admin pages - at least until they find a more robust method to integrate into admin and work around all the 3rd party cookie issues (again, our app doesn't even use cookies).


Shopify Partner
5 0 0

Facing exactly the same situation. Is there still no way around this? 

3 0 0

Facing this issue as well. Does anyone have a solution or documentation to point to? Simply switching to Firefox or another browser isn't fixing this for us.

8 2 3

Has anyone got this resolved? I'm currently experiencing this issue as well.