What's your biggest current challenge? Have your say in Community Polls along the right column.
Our Partner & Developer boards on the community are moving to a brand new home: the .dev community forums! While you can still access past discussions here, for all your future app and storefront building questions, head over to the new forums.

Store customer accounts to login to a third-party service?

Store customer accounts to login to a third-party service?

godlike
Tourist
4 0 4

Hello Shopify Developers,

 

I create a multi-user self-hosted software for image sharing (Chevereto) and I got a request from a fairly popular Shopify store that wants to integrate their user accounts with my software. After reading the docs and this forum I was unable to find an answer to whatever the requirement can be fulfilled.

 

My software supports OAuth2 and my first attempt was to built upon that. Unfortunately, Shopify OAuth2 is only for admin API? It could be great if store users could login in third-party websites but I understand that it won't happen anytime soon.

 

At this point my strategy is leaning towards using the admin API to check against the store customer's address when an user attempts to register/login at my end. That way only users at the store can use the system and I could send them a session login link so they don't get the hassle of another password.

 

I wonder if someone here has tried something similar or if there are other workarounds that I'm missing.

 

Here's the original requirement sent by the customer:

 

I'm looking to build a webapp off of my shopify store that allows collectors to upload, manage, and share photos of their collections.

 
I would ideally like to host on my AWS account, and use my current Shopify customer accounts as users.

Cheers!

Replies 6 (6)

stats_marketing
Shopify Partner
26 3 15

Is there a way you can utilize MultiPass ?

 

Basically it re-directs users to a Shopify login page.  Once logged in, you could use that `Customers` information via Shopify APIs to store in your DB on AWS along with any photos they need uploaded.

 

Perhaps that can help with the login requirement.

godlike
Tourist
4 0 4

It gets me just half-way there. This is what I get from the docs:

 

If you want your users to see a specific page of your Shopify store, you can use the return_to field for that.

 

Multipass would cover the case when needing to carry the user from third-party website to Shopify store, but not the case when a customer from the Shopify store needs to login in the third-party website.

 

Can I create a store custom page

http://yourstore/login-thirdparty?token=TOKEN

 that performs a redirect to

https://thirdparty/login?token=TOKEN

?

adamDC
Shopify Partner
4 0 2

Hello! Same problem here! Did you figure it out?

godlike
Tourist
4 0 4

Sort of... From Website to Shopify the process is trivial thanks to multi-pass. From Shopify to Website it gets complicated as seems there's no way to carry session data.

 

What I found feasible was to provide magic link login at Website and use Shopify API to validate each login request at Website. The logic is simple: At Website enable users to login by indicating the email used at Shopify store, Website uses Shopify API to query it against the email provided. If the user is found you create/locate your local user at Website and send login link via email, need to bind website account to Shopify account id.

 

Key point is to avoid data sync, you don't want to rely on the email for account persistence neither to spawn another variable in your system.

adamDC
Shopify Partner
4 0 2

I really appreciate your insights! That is a smart approach, the magic link login and the Shopify API to validate the login requests! 

Additionally, to improve the security of the login process, would you could consider implementing multi-factor authentication? 

Overall, it's a solid solution! Thanks again @godlike 👍

godlike
Tourist
4 0 4

At your website link login should carry right after validating a login request, if you have MFA enabled after that state then your website should ask for the OTP(s).