Solved

OAuth Flow - Unlisted App

mdobrenko
Tourist

I recently submitted my first Shopify application for review. It is an unlisted app, and is meant to be used as an in-house tool, and doesn't actually have a registration flow.

It got denied because apparently the OAuth must first be triggered before the app is even installed/used. However, since it's an unlisted app, to even install the app the user would have had to first log in, and then gone ahead and linked up a Shopify store. Even if we had a registration/signup, they would have to go through that first, so I just don't see how it's possible?

Has anyone dealt with something like this? Is this requirement actually in place for all app types? If so, how would you get past this? The OAuth works perfectly fine if you first access my app, and then go and add the dev store (assuming it has been added already in the Shopify Partners portal).

Replies (16)

HunkyBill
Shopify Expert

All Apps have a registration flow: private, custom, unlisted or public. Nothing changes there. You have to do OAuth to register a store in your App. It makes sense that if a store does not have your App installed, the first thing that happens is OAuth. That allows the Shop to know about your App wanting to be installed, to allow the merchant to approve that install, and finally, to give your App the much needed token to access the store as needed.

Maybe if you point out more details on just what your hangup is, someone could steer you closer to your goal.

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
mdobrenko
Tourist

Thanks for the response here.

So the concept of asking for permission via OAuth makes sense. However, it seems that the way the bot is checking this is:

1) Access app via URL
2) Check to see if the OAuth request is the first thing that it sees

But the actual user flow would be something like this:

1) Access app via URL
2) Log in to the app, and then navigate to a 'connect my store' function
3) Specify the myshopify URL so that we know which store to generate the OAuth request for
4) Once they click a 'connect' button, they get redirected to OAuth and grant (or deny) permission to get their store data

It seems like the Shopify review bot is coming from some 'install app' URL, when this will never be a part of the actual flow in production for an unlisted app?

HunkyBill
Shopify Expert

This is an accepted solution.

I think the only thing you got wrong is the actual user flow you expect. When a user accesses your App via a URL, they do not LOG IN to your App; instead, they provide the shop name so you can initiate OAuth. That is where you made a mistake, I think. If you want people to log in to your App, separate from Shopify, you do that at some other URL, and take care of that outside the Shopify flow.

 

mdobrenko
Tourist

Ah yep -- that was it, 100%. I didn't realize the difference between someone clicking on the app vs accessing the app via app.whateverapp.com. Figured clicking on the app should just redirect to app.whateverapp.com...

Appreciate it!!

sirena
Tourist

Hi, I'm having the same issue. How did you solve it? What URL do you put on the "App URL" input? I have the same user flow and in order to install the Shopify App the users must log in on my platform and then go ahead and link up a Shopify store.

HunkyBill
Shopify Expert

You must separate YOUR App login from anything to do with Shopify. No one cares how you log people in to your App, but there should be zero concern for that coming from the OAuth pattern. You use OAuth to authenticate with Shopify, and that has zero to do with accounts logged into your App. So create a URL in your Partner dashboard App setup that works for OAuth with Shopify. If you do anything to interfere with basic OAuth, you will fail, and that is not a good start!

 

sirena
Tourist

So basically I have to create a URL where users can log in to my app through Shopify using OAuth just for the review?

HunkyBill
Shopify Expert

The endpoint you create is not just for the review. No. That would be silly, having to do something just for review.

The fact is, you cannot authenticate with Shopify without using OAuth, and the approach to using OAuth means having an endpoint that initiates the OAuth flow. You get that. You provide a shop name, and Shopify takes care of the back and forth till ultimately you get a token that you can use to authenticate, authorized by the merchant, to see the resources they allow you to work with.

Not sure why you feel this is an undue burden, but it is what it is.

bbornsztein
Visitor

@HunkyBill similar case here: my users log into my application on a unique subdomain (i.e. https://mycompany.app.com). The Shopify integration isn't meant to be listed in the App Store - the OAuth will be initiated by the user from *within* our application, after they've created an account with us and logged in.

The app submission bot reviews the app as though it is intended to be listed (even though it's not), and clicks on the 'Add App' button in the App Store, but it uses the www.app.com subdomain, instead of a unique subdomain (obviously, since it's not logged in). 

Any suggestions on how I could resolve this? 

 

Edit: to clarify - I don't want users to be able to create their accounts in our system via OAuth. They need to create an account with us, log in, and then initiate OAuth, and that needs to happen on a unique subdomain.

HunkyBill
Shopify Expert

Again. It makes no difference whether an account exists in your App outside Shopify or not. The only thing that does matter is that you establish the *.myshopify.com domain name representing the store you wish to connect the user to. So for that, you do OAuth, sending that shop name to the OAuth endpoint. This has nothing to do with the review bot, but simply how you set up your App in Shopify and initiate OAuth.

 

bbornsztein
Visitor

Thanks for the quick reply - and I don't mean to bother you with a question that you've already answered.

But in my case it does make a difference, because I can't perform the OAuth process on the main (www.myapp.com) subdomain. I could certainly redirect to the OAuth endpoint with the shop param that I get from the URL the bot hits, but then I don't know which of my subdomains (company123.myapp.com) to log the user into. I can't set up my app in Shopify to initiate OAuth at company123.myapp.com, because every user has a different subdomain. My users are authenticated under their subdomain, not the www subdomain.

Hope that makes sense, and thanks in advance for any help you can offer.

HunkyBill
Shopify Expert

Ya. You are better off dealing with the OAuth from ONE domain, your App domain. Once done with that, THEN and only then do you internally redirect to the subdomain you set for that user. That is easy enough for you to manage. You are cross-wiring OAuth for your App to Shopify with these subdomains, which is totally not necessary. Your act of subdomaining user accounts is irrelevant to the process of OAuth... no need to complicate your life there!

 

bbornsztein
Visitor

Thanks - for others coming along here, here's how I'm dealing with this:

1. Receive request from the Shopify App store: www.mydomain.com?shop=usershop.myshopify.com&hmac=1234567

2. Initiate the OAuth request, passing the shop domain

3. Capture the OAuth credentials response, save the token to the DB (without tying it to any of my users, since I don't know who's logged in yet)

4. Ask the user to log in

5. Once logged in, associate the previously saved token to the now logged in user.
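The following is an added worked example, not code posted by bbornsztein, HunkyBill or Shopify: it wires up the install endpoint HunkyBill describes (the App URL takes only a shop name and kicks off OAuth, no app login in the way) together with the five-step "park the token, link the user later" hand-off above. The shop-domain check (*.myshopify.com only), the HMAC verification of the ?shop=...&hmac=... request, and the state nonce are the checks a reviewer would expect on such an endpoint. The names `AppConfig`, `begin_install`, `finish_install`, `attach_to_user`, the `exchange_code` callable (standing in for the real POST to `/admin/oauth/access_token`) and the two in-memory dicts are assumptions for the example; the constructed sample requests in the usage note are not real Shopify traffic.

```python
"""Minimal Shopify OAuth install flow: shop validation, HMAC check, state nonce,
token exchange (injected) and the 'store token first, link user later' hand-off.
Added example for this thread; not the poster's code and not Shopify's library."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode

# Shopify's documented shop-domain shape. Anything else is rejected before the
# value is ever used to build a redirect, so ?shop= cannot become an open redirect.
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$")


@dataclass
class AppConfig:                 # hypothetical holder for Partner-dashboard values
    api_key: str                 # client_id
    api_secret: str              # shared secret that signs the hmac query param
    redirect_uri: str            # must match an allowed redirection URL
    scopes: str = "read_products"


def is_valid_shop(shop: str) -> bool:
    return bool(shop) and SHOP_RE.match(shop) is not None


def _signature_message(params: Dict[str, str]) -> str:
    # Shopify: drop 'hmac', escape '%' and '&' (plus '=' in keys), sort, join with '&'.
    pairs = []
    for k, v in sorted(params.items()):
        if k == "hmac":
            continue
        k = k.replace("%", "%25").replace("&", "%26").replace("=", "%3D")
        v = v.replace("%", "%25").replace("&", "%26")
        pairs.append(f"{k}={v}")
    return "&".join(pairs)


def sign_params(params: Dict[str, str], api_secret: str) -> str:
    """Hex HMAC-SHA256 that Shopify attaches as ?hmac= (also used to build test input)."""
    msg = _signature_message(params).encode()
    return hmac.new(api_secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_hmac(params: Dict[str, str], api_secret: str) -> bool:
    # Constant-time compare; a plain == would leak timing on the digest.
    return hmac.compare_digest(sign_params(params, api_secret), params.get("hmac", ""))


def begin_install(params: Dict[str, str], app: AppConfig) -> Tuple[str, str]:
    """Install endpoint (the App URL). Only ?shop=... comes in; no app login here.
    Returns (authorize_url, state). The caller must persist state in the session."""
    shop = params.get("shop", "")
    if not is_valid_shop(shop):
        raise ValueError("invalid shop domain")
    if not verify_hmac(params, app.api_secret):
        raise ValueError("bad hmac on install request")
    state = secrets.token_urlsafe(24)
    query = urlencode({"client_id": app.api_key, "scope": app.scopes,
                       "redirect_uri": app.redirect_uri, "state": state})
    return f"https://{shop}/admin/oauth/authorize?{query}", state


def finish_install(params: Dict[str, str], app: AppConfig, expected_state: str,
                   exchange_code: Callable[[str, str], str],
                   pending: Dict[str, str]) -> str:
    """OAuth callback (steps 2-3). Validates shop, hmac and state, exchanges the
    code, and parks the token under the shop because no app user is known yet."""
    shop = params.get("shop", "")
    if not is_valid_shop(shop):
        raise ValueError("invalid shop domain")
    if not verify_hmac(params, app.api_secret):
        raise ValueError("bad hmac on callback")
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch (CSRF or replayed callback)")
    # In production exchange_code POSTs client_id, client_secret and code to
    # https://{shop}/admin/oauth/access_token; here it is injected so this runs offline.
    pending[shop] = exchange_code(shop, params["code"])
    return shop


def attach_to_user(shop: str, user_id: str, pending: Dict[str, str],
                   accounts: Dict[str, Dict[str, str]]) -> str:
    """Steps 4-5: after the merchant logs in to the app, move the parked token to them."""
    token = pending.pop(shop)
    accounts.setdefault(user_id, {})[shop] = token
    return token
```

Usage sketch (constructed values): sign `{"shop": "usershop.myshopify.com", "timestamp": "1639644827"}` with `sign_params`, feed it to `begin_install` to get the redirect and `state`, then hand the signed callback (`shop`, `code`, `state`) to `finish_install` with a stub exchanger; the token sits in `pending` until `attach_to_user` runs after your own login. Keep `pending` entries short-lived so an abandoned install does not leave an unowned access token lying around.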

HunkyBill
Shopify Expert

Super. Glad it all worked out. That was easy.

leadsbridge
Visitor

Hi team,

We are having the same issue and maybe, thanks to this thread, we understand where the issue is.

Our app was rejected (multiple times) saying that the OAuth flow was not implemented properly (and to be honest, without many more details).

 

We use the Billing API too (when needed) so, during the OAuth, we need to authenticate the user to our app too in order to create a correct subscription and associate it with the app user.

 

Based on the below image (OAuth flow) we are asking the user to log in to our app during step (2) and for this reason the app was rejected. My understanding is that we need to move the logic to step (5), where we will get the "code" returned by the OAuth process.

 

In this step, I suppose that we can:

  1. Generate the token
  2. Ask the user to authenticate to our app (they can sign in or sign-up)
  3. Do, when needed, additional Billing API calls and eventually (when the API calls are done) redirect the user to the Billing confirmation page returned by your API.

(Image: OAuth flow diagram referenced above)

Am I right?

Thanks for your help, Alex.

 

ConnectorTeam
Shopify Partner

I'm considering doing something similar to what @leadsbridge suggests here. @leadsbridge did this work? Anyone else, is this a correct approach?