Can't an embedded app set a 1st party cookie when the user visits its domain during the OAuth flow?
- The user loads the app foo.myshopify.com/apps/bar.
- When the app is loaded in its iFrame, the browser will send bar.com any of its own 1st party cookies, right? In which case the app can behave normally.
To set a new 1st party cookie for the app
- The user visit foo.myshopify.com/apps/bar.
- The app loads an empty page.
- The empty page requests an AppBridge redirect (https://shopify.dev/apps/tools/app-bridge/actions/navigation/redirect) to the app bar.com?shop=....
- Now the user is in a 1st party context. The app can now do an OAuth flow, redirecting the user back to Shopify to authenticate.
- The user authenticates on Shopify and then redirects the user back to Bar.com/callback
- At the OAuth callback step the app sets a 1st party cookie.
- Now the app redirects the user back to foo.myshopify.com/apps/bar.
- Shopify loads the app in an iFrame. The browser sends Bar.com its own 1st party cookie which authenticates the user.
I think I must be mistaken about the browser sending 1st party cookies to an iFrame... Otherwise I don't see how an embedded app ever uses 3rd party cookies...
Check out why Shopify store owners are switching to
Horse for all of their inventory management needs.
Shopify Discussion
Partners and Developers