read_all_orders scope not returned on first oauth

auridas-monetha
New Member

I'm having a strange issue where, during the first OAuth handshake during app install, I'm not getting the read_all_orders scope.

We're requesting the following scopes: 

read_products,read_customers,read_discounts,read_orders,read_script_tags,write_script_tags,read_all_orders

However, only the below ones are available when checking the provided access token (note the missing read_all_orders)

{
    "access_scopes": [
        {
            "handle": "read_products"
        },
        {
            "handle": "read_customers"
        },
        {
            "handle": "read_discounts"
        },
        {
            "handle": "read_orders"
        },
        {
            "handle": "write_script_tags"
        },
        {
            "handle": "read_script_tags"
        }
    ]
}

We do have read_all_orders confirmed by Shopify, and the user sees the notice in the OAuth dialog that "Shopify has confirmed app needs access to all order history".

When the merchant tries to access the installed app, we request the same scopes, and the user again gets the OAuth dialog (I assume because Shopify detects that read_all_orders is not provided). When the user clicks "Update app installation", read_all_orders is provided, and on subsequent access no OAuth dialog is thrown.

Does anyone have any idea why read_all_orders is not provided during install but only on second oauth handshake?


awwdam
Shopify Staff

Hey @auridas-monetha,

From my understanding if your initial request included the scope there shouldn't need to be a second step. In the case the app was already installed and the scopes change - these steps would need to be followed, which would be an expected additional step.

If you're still experiencing functionality different from what those documents explain, please feel free to share an example x-request-id header returned from your app's initial OAuth request. This should be from the most recent example you have where you needed a subsequent request (ideally within the last week or so).

I'd be happy to take a look at related logs and pass on any insights - Cheers!

awwdam | API Support @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

auridas-monetha
New Member

Hi @awwdam and many thanks for answering.

I'm not quite sure how to get the x-request-id header for the response - should I be able to see it in one of the requests in, e.g., the Chrome DevTools network tab? If so, which request should it be? As we provide a callback URL, I understand Shopify immediately calls it, so the requests get overwritten on the network tab and I probably can't see them.

awwdam
Shopify Staff

Hey @auridas-monetha,

Thanks for getting back here. Just wanted to connect again to pass on a few suggestions to help moving forward, but first quickly wanted to acknowledge that every developer can have a preference of tools, workflows and setups, so ultimately use what you feel works best! 

That said, when it comes to working with the APIs we provide, our server response should always include a response code (200, 400, etc.), a payload or JSON body, as well as response headers. Of those headers, the x-request-id header gives us a unique starting point for troubleshooting, allowing us to consult our logs, investigate unexpected errors, and when necessary pass on insights or suggestions. Whilst our team is unable to provide authenticated support through these forums, that header can be shared even for more generic troubleshooting.

Here are a few suggestions for next steps:

First, though highly dependent on the development stack you are building with, adding some sort of request/response logging into an app offers an incredible boon to the development process, most notably for maintenance and troubleshooting. Even 'short term' logging of a few days can provide a record and system for locating errors or tracking issues.

If this is not possible at the moment, another approach would be to use the app's credentials to manually test and debug the OAuth process using our guide, ruling out any possible issues with what the app follows programmatically. While this takes time, suggest working through the installation process using an API client such as Postman or Insomnia, and keeping track manually of headers or steps to cross reference.  

If you are able to reproduce this and share that info here, I would be happy to take a closer look - Cheers!

awwdam | API Support @ Shopify

auridas-monetha
New Member

Many thanks @awwdam 

I sent a request via Postman to
 
 
Here's the X-Request-Id header of a response (200):
2bcac5f9-7671-450b-ad3d-54147254c6cb
 
Hope you can see something on your end.

awwdam
Shopify Staff

Hey @auridas-monetha,

Thanks for taking the time to locate an x-request-id header and sharing it. After taking a closer look, nothing about that request appeared out of the ordinary or unexpected. Because all public and custom apps are required to use OAuth, I touched base with my team to check if there are any recent or known issues around this, but found nothing directly related.

That said, I'd suggest starting with our documentation on app OAuth (step-by-step guide here) to confirm all the necessary steps are being followed. It often helps to use new or even multiple development stores for testing if you aren't already. In the case that this is a public app that hasn't been reviewed yet, there are some unique steps outlined in this testing guide. Lastly, below are a few more resources that may be worth reviewing if applicable to the app in question.

  1. Generating permanent access tokens - More insights on online and offline access modes here. 
  2. Apps that utilize multiple access tokens. If this applies to your app, I would suggest reviewing this guide on delegating access tokens. 
  3. Authenticating embedded app. There are specific tools and processes that need to be used, start by reviewing this guide on setting up session tokens.

Let me know if you are able to work through this or come across any other helpful insights - Cheers!

awwdam | API Support @ Shopify

auridas-monetha
New Member

Hi @awwdam 

Thanks for the reply. I'm not sure I got my point across the first time, but the problem is with the scopes of the token that Shopify generates when the user clicks "Install app" the first time (when accepting the OAuth dialog).

Is it possible to simulate this "acceptance" in any way? If not, I could provide you the token itself which has missing "read_all_orders" scope, if that would be of any help, since you've seen that the "read_all_orders" scope is definitely requested by us.
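
The comparison at the center of this thread, combined with the request/response logging suggested in the replies, as an added example that is not part of any post: it diffs the requested scope string against an access_scopes response body and keeps the x-request-id header with the result. The scope string and response body are the ones from the question; the function names and the header value are constructed for illustration.

```python
import json

# Scope string and response body as posted in the question.
REQUESTED = ("read_products,read_customers,read_discounts,read_orders,"
             "read_script_tags,write_script_tags,read_all_orders")
SAMPLE_BODY = json.dumps({"access_scopes": [{"handle": h} for h in (
    "read_products", "read_customers", "read_discounts", "read_orders",
    "write_script_tags", "read_script_tags")]})
# Constructed placeholder, not a real request id.
SAMPLE_HEADERS = {"X-Request-Id": "00000000-0000-0000-0000-000000000000"}


def parse_scopes(csv):
    """Split a comma-separated scope string, ignoring blanks and spaces."""
    return {s.strip() for s in csv.split(",") if s.strip()}


def granted_handles(body):
    """Extract scope handles from an access_scopes JSON response body."""
    data = json.loads(body)
    entries = data.get("access_scopes") if isinstance(data, dict) else None
    if not isinstance(entries, list):
        raise ValueError("response has no access_scopes list")
    return {e["handle"] for e in entries
            if isinstance(e, dict) and "handle" in e}


def audit_grant(requested_csv, body, headers):
    """Build a log record comparing requested and granted scopes.

    The record holds only scope names and the request id, never the
    access token, so it can be stored or shared when asking for support.
    """
    requested = parse_scopes(requested_csv)
    granted = granted_handles(body)
    # HTTP header names are case-insensitive.
    hdrs = {k.lower(): v for k, v in headers.items()}
    record = {
        "x_request_id": hdrs.get("x-request-id"),
        "missing": sorted(requested - granted),      # requested, not granted
        "unrequested": sorted(granted - requested),  # granted, never asked for
    }
    record["ok"] = not record["missing"] and not record["unrequested"]
    return record


if __name__ == "__main__":
    print(json.dumps(audit_grant(REQUESTED, SAMPLE_BODY, SAMPLE_HEADERS), indent=2))
```

Running the check right after the token is issued at install records the gap at the first handshake, together with the request id that support asks for.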