Embedded App OAuth redirect endless loop

Retired Boards Appdev Tools

Topic summary

Developers are encountering an endless OAuth redirect loop when implementing Shopify’s recommended App Bridge redirect script for embedded apps. The loop typically cycles 3-4 times before displaying an error: “The app couldn’t be loaded” with a same_site_cookies OAuth error parameter.

Common symptoms:

  • Error appears inconsistently across browsers (Chrome, Firefox, Chromium)
  • Occurs even when apps don’t use cookies
  • Happens particularly after multiple page refreshes within a short timeframe
  • X-Frame-Options ‘deny’ errors appear in console

Workarounds attempted:

  • Moving apps outside embedded Shopify admin (temporary solution)
  • Switching browsers (ineffective)

Solution identified:
The root cause is inconsistent access scopes between the app configuration in Shopify and the deployed server environment.

Fix steps:

  1. Run pnpm run shopify app info to check configured access scopes
  2. Verify these match the scopes defined in the production server’s .env file
  3. If different, update local config and push using pnpm run shopify app config push

Multiple developers confirmed this scope mismatch resolution successfully fixed their infinite redirect issues.

Summarized with AI on November 13. AI used: claude-sonnet-4-5-20250929.
1

Hi,

We have a working embedded app that can successfully go through OAuth flow and present our app embedded in Shopify Admin.

So far our app link has been pointing to our server OAuth EP to start and complete the flow. The one thing we never did is implement the recommended OAuth redirect script as explain here: App Bridge - Authenticate with OAuth . Meaning that our current OAuth process is not escaped from the iFrame and the OAuth scopes accept screen cannot be shown if required to.

We implemented the script as shown in the example using App Bridge Redirect. Now the OAuth process starts with the script.

The problem is: when trying to access our app on Shopify Admin, this results in an endless loop between Shopfiy and our App that ends with this error:

The app couldn’t be loaded

This app can’t load due to an issue with browser cookies. Try enabling cookies in your browser, switching to another browser , or contacting the developer to get support.

The URL shows: "https://shopOrigin/admin/apps?app_id=XXXXX&oauth_error=same_site_cookies "

Looking at Chrome console we can see:

  1. script is called and identifies its in an iframe - uses App Bridge Redirect to redirect to shop permission url
  2. permission EP calls our OAuth redirect callback successfully and token is exchanged
  3. after token exchange our OAuth callback redirects the client to our app root url
  4. our app root url initiates react-app-bridge provider (with forceRedirect===true)

Instead of landing in the embedded app’s landing page as expected the whole process is started again in a loop for 3-4 times until we receive the error above.

The thing is - our app doesn’t use cookies at all so I don’t understand the same_site_cookie error. Also, Chrome debug tools doesn’t indicate any Samesite cookie issues either.

4 Likes
2

I have the same issue. Custom application written in Python Flask. Works correctly in FireFox and Chromium, get the error in Google Chrome.

1 Like
3

Hi Guys,

did you ever get a solution to this? I have a similar issue, my app installs and authenticates fine, but if you refresh the browser 3-4 times in a row in a 1 minute window, on the last time I get this error

Refused to display ‘https://xxxx.myshopify.com/admin/apps?app_id=xxxx&oauth_error=same_site_cookies’ in a frame because it set ‘X-Frame-Options’ to ‘deny’.

1 Like
4

Never was able to work out why this isn’t working as expected.

As interim solution we took our admin app outside of the embedded Shopify admin pages - at least until they find a more robust method to integrate into admin and work around all the 3rd party cookie issues (again, our app doesn’t even use cookies).

1 Like
5

Facing exactly the same situation. Is there still no way around this?

1 Like
6

Facing this issue as well. Does anyone have a solution or documentation to point to? Simply switching to Firefox or another browser isn’t fixing this for us.

1 Like
7

Has anyone got this resolved? I’m currently experiencing this issue as well.

8

I’m having this issue in a very random way and only in a really few cases. But the same computer and the same Chrome browser sometimes work and sometimes don’t. So it’s quite difficult to find a specific cause. Suggestions appreciated.

1 Like
9

I’m having the exact same issue - with the app template the CLI installed, no less. It failed to load in the Admin UI out of the box.

1 Like
10

The “oauth_error=same_site_cookies” error can occur if the access scopes configured on the deployed server do not match the scopes defined for the app in in Shopify.

3 Likes
11

In my case, the problem of infinite OAuth redirects was caused by inconsistent access scopes.
Run the command pnpm run shopify app info and check the access scopes. It must be the same as access scopes defined on the production server in the .env file. If it is different you have to change the config locally and push it with pnpm run shopify app config push command.

1 Like
12

@michsko544 - Thank you. That was incredibly helpful and the appropriate fix for me as well. I really appreciate you posting your solution.