We are building a mobile app that's consuming a custom API built in Ruby on Rails. Users of this app, who are customers on the Shopify store, need to be able to log in.
Our goal is that the Ruby on Rails API and database don't persist the password, but rather use the Shopify credentials that were entered during customer registration on the Shopify store.
That way, the users don't have to register on the Shopify store and in the mobile app. We thought the OAuth flow was a perfect candidate for this, but unfortunately, once the request phase is completed and the user lands on the Shopify login page (app_domain.myshopify.com/admin/oauth/authorize?client_id=***), only admins can log in, not customers.
The form is a 2-step process, where the 1st step is entering the email. After using admin emails, the flow continues onto the 2nd step (entering password), but if we try and use a customer email, the form displays an error that this account can't be found on our store.
We expected that customer accounts would also be able to log in, and the response would contain a Customer object, but since this is not the case, we need a different solution.
I tried finding an API inside the Customer API documentation, but there is no endpoint that receives an email and password and returns a customer object if the email and password match a customer record in the Shopify store database, or a 404 HTTP status code in case the credentials are invalid.
Can someone please confirm that the OAuth flow doesn't provide customer account authentication and that Shopify doesn't provide any means to authenticate customer accounts?