We’ve been struggling for some time to get our app approved but somehow we seem to get rejected and we’re returned the same error:
1. App must install successfully.
Your app does not request installation on the shop immediately after clicking “add app”. Apps must ask a shop for access when being installed on a shop for the first time, as well as when they are being reinstalled after having been removed. During install or reinstall we expected Oauth to be initiated at https://appstoretest5.myshopify.com/admin/oauth/request_grant but was redirected to https://XXX/shopify/install [I added XXX instead of our domain to prevent attacks]. Learn more about authentication in our developer documentation.
Our workflow right now is the following:
1. Customer clicks add on the app and is redirected to the install page.
2. The install endpoint detects that the customer doesn’t exist in the database and redirects to admin/oauth/request_grant.
3. The customer is prompted in Shopify with the app details - access information, etc.
4. The customer clicks install and is redirected to the redirect_url (authorize endpoint) specified in request_grant parameters.
5. We request the permanent access token via oauth/access_token and save it to the database.
6. Customer is redirected to the install page where he is asked for his Consignor credentials. (Needed for API access)
I do too, still trying to figure out the problem. It seems like there wasn’t an official solution provided by Shopify support, I looked everywhere but couldn’t find one.
Your install logic sounds a lot like mine and I’m preparing to submit my app, so that makes me nervous. But instead of admin/oauth/request_grant have you tried creating the permissionUrl with the format below:
OK, I have more info on this after my app got rejected. I had been making a faulty assumption that when someone clicks “install” from the app page, then Shopify only appends the shop parameter i.e., myappname.myhosting.com?shop={shopOrigin} and I had built my install logic around that. However, they also append hmac and timestamp.
So essentially, you need to make it so that when someone hits your app URL and those 3 parameters are appended, they will reach the OAuth page where you generate the permissionUrl. They simulate this if you try to install on your development store using the install link there. So if it works there, we should (hopefully) be good.
Please help me, I am facing the same issue again and again.
Requirements that must be met before initial screening
App must install successfully.
Your app does not request installation on the shop immediately after clicking “add app”. Apps must ask a shop for access when being installed on a shop for the first time, as well as when they are being reinstalled after having been removed. During install or reinstall we expected Oauth to be initiated at https://appstoretest5.myshopify.com/admin/oauth/request_grant but was redirected to https://app.glorifyapp.com/shareapi/api/shopify/.
It looks like it’s never reaching your install URL and instead directing straight to the app. What happens when you click on “test on development store” and then try to install on one of your development stores? From my experience, if you achieve successful OAuth flow there you will make it through this stage of review.
Also, are you hard-coding your own store name as the shop URL?
Please uninstall your app from that store and then go to partners.shopify.com, click Apps, then click on your app name, then click Test your app (select your development store) and then “Install.” What happens when you do that?
You also may get rejected for not implementing the Billing API. I suggest using the GraphQL version instead of the REST API version.
This is not how you do it. You need to pick up shopOrigin dynamically (Shopify’s guidance here is super thin, unless you’re using one of their libraries).
When a merchant comes to install your app from the public app store OR from the “install on your development store” link, Shopify will append shop, hmac and timestamp URL parameters. So when someone clicks “install” they are routed to glorifyapp.com/productshopify?shop={shop}&hmac={hmac}&timestamp={timestamp}
In my case I’m using JavaScript so I just do URLParams to get the shopOrigin to generate the dynamic permissionUrl.
In general, you need to write your own logic to determine if a user has already installed your app and has a valid accessToken and charge_id. If so, you can welcome them back to your app; if not, then you generate the permissionUrl so they can install your app.
So as I stated, you need to follow the instructions in my previous message where you actually click “install” from the “test on your development store” and see what happens - this is the same way Shopify is testing your OAuth flow.
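The install routing discussed in this thread, as an added example that is not code from any poster or from Shopify: a hit on the app URL carrying shop, hmac and timestamp is validated and, if the shop has no stored install, answered with a redirect to the shop's OAuth page. It assumes Shopify's documented authorization-code grant (`/admin/oauth/authorize`) and its HMAC-SHA256 signing of the sorted query string; `handleInstall`, `hasValidInstall`, the key, secret, scope and redirect URI are hypothetical placeholders.

```javascript
// Added example, not from the thread. All constants below are constructed.
const crypto = require('node:crypto');

const API_KEY = 'example-api-key';
const API_SECRET = 'example-api-secret';
const SCOPES = 'read_products';
const REDIRECT_URI = 'https://app.example.com/shopify/authorize';
// Only accept real shop hostnames, so the redirect cannot be pointed elsewhere.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

// HMAC-SHA256 over the remaining parameters, sorted by key, hmac removed.
// The sample values contain no characters that need escaping.
function signQuery(params, secret) {
  const message = [...params.entries()]
    .filter(([k]) => k !== 'hmac')
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return crypto.createHmac('sha256', secret).update(message).digest('hex');
}

function hmacIsValid(params, secret) {
  const given = Buffer.from(params.get('hmac') || '', 'utf8');
  const expected = Buffer.from(signQuery(params, secret), 'utf8');
  // timingSafeEqual throws on unequal lengths, so check length first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// hasValidInstall(shop) is the app's own lookup (stored access token, charge).
function handleInstall(requestUrl, hasValidInstall) {
  const params = new URL(requestUrl).searchParams;
  const shop = params.get('shop') || '';
  if (!SHOP_RE.test(shop)) return { status: 400, reason: 'invalid shop' };
  if (!hmacIsValid(params, API_SECRET)) return { status: 401, reason: 'bad hmac' };
  if (hasValidInstall(shop)) return { status: 200, reason: 'already installed' };

  // Fresh or removed install: go straight to OAuth, no intermediate app page.
  const state = crypto.randomBytes(16).toString('hex'); // persist, verify on callback
  const permissionUrl = new URL(`https://${shop}/admin/oauth/authorize`);
  permissionUrl.search = new URLSearchParams({
    client_id: API_KEY, scope: SCOPES, redirect_uri: REDIRECT_URI, state,
  }).toString();
  return { status: 302, location: permissionUrl.toString(), state };
}
```

The shop is read from the request each time rather than hard-coded, and an uninstalled shop must make `hasValidInstall` return false again so a reinstall is sent back through OAuth.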