Hi! I’ve been having a hard time trying to come up with a solution for the auth problem, so maybe someone can offer a piece of advice or direction.
So, we have a Django web service with our customers. We use multipass and authenticate the customers to shopify, they make their purchases on shopify, then we get webhook, process data on our side etc. Our customers used shopify storefront and we didn’t need them to be authenticated in our Django app so far. But now we are adding new features, so when the user logs in, they should be able to make authorised calls to both shopify storefront api AND our django api. The issue here is how to do that? These sessions should be “synchronised”, meaning that they should expire at the same time.
Initially, we we thought we could use our service as IdP and shopify as a client, but from what I see, shopify doesn’t offer that option.
The situation you’re describing is a common challenge for devs integrating multiple systems that each have their own authentication mechanisms. Here’s a potential approach you could explore:
Django as the Central Authentication Service (CAS):
When a user logs into your Django app, generate a unique token (JWT or similar) that contains user information and an expiration time.
Store this token in a secure cookie or local storage on the client side.
When the user accesses Shopify via Multipass, include this token in the Multipass payload.
When the user makes a call to your Django API, they should send this token as a Bearer token in the Authorization header.
Synchronize Session Expiry:
Set the expiration time of the token to be the same as the session duration you want.
When validating the token on your Django side, check the expiration time. If it’s expired, the user needs to re-authenticate.
For Shopify, you can’t directly control the session duration. However, you can implement a mechanism where, if the token is expired on your Django side, you force a logout from Shopify or prompt the user to re-authenticate.
3. Handling API Calls:
For Shopify Storefront API: Use the user’s token to make calls to the Storefront API. The Storefront API doesn’t require user authentication, so you can use an access token associated with your app.
For Django API: When the user makes a call to your Django API, validate the token. If it’s valid, process the request. If not, return an authentication error.
4. Handling Logout:
When a user logs out from your Django app, clear the token from the client side.
You can’t force a logout from Shopify, but since the token is cleared, the user won’t be able to access your Django API without re-authenticating.
5. Handling Token Renewal:
If you want to implement token renewal (to extend sessions), you can do so on the Django side. When the token is nearing expiration, renew it and update the client side.
Some things to keep in mind with this approach are that Shopify doesn’t allow you to control user sessions directly. So, while you can synchronize the expiration of your Django token with the expected session duration on Shopify, you can’t guarantee they’ll always be perfectly synchronized. Also if a user logs out of Shopify directly, they’ll still have a valid token for your Django app unless they also log out from there.
Hi Liam! Thank you so much for your detailed answer, it really helped! I agree that it must be a common challenge, but I wasn’t able to find any tested solutions. If I can make a small suggestion, it would be great to include more information about it in documentation.
I think we are gonna try that approach and see how it works. Thanks again, and have a great day.