Is "Shopify managed installation" ready for production?

boronine · April 18, 2024, 12:11pm

We’re testing “Shopify managed installation” [1] for our app.

This method appears to be recommended by the documentation, but we found two serious problems with it which makes us wonder if it’s ready for production.

If you enable this method (by providing a list of scopes in your shopify.app.toml via Shopify CLI), you will lose the ability to request scopes from a single merchant. We tested this by formatting an authorization code grant [2] with an extra scope not specified in the config file. When we received a callback and exchanged the code parameter for an access token [3], the requested scope seems to have been ignored in favour of the scopes provided in shopify.app.toml. We are not sure if this is a bug or intended behavior, but this is a regression in functionality.
When you add a new scope to shopify.app.toml, Shopify will force all users to upgrade in an unacceptably aggressive manner. There is no way to provide an explanation for why new scopes are requested and no way to opt out of the upgrade. If the user press “Cancel” on the upgrade screen, they will not be able to load the app at all, not even to simply access their own information.

Is anyone using this “Shopify managed installation” in production? Is there a way to overcome these problems? Is it just a half-baked feature or is intended for a different type of app?

[1] https://shopify.dev/docs/apps/auth/installation

[2] https://shopify.dev/docs/apps/auth/get-access-tokens/authorization-code-grant/getting-started#step-2-request-authorization-code

[3] https://shopify.dev/docs/apps/auth/get-access-tokens/authorization-code-grant/getting-started#step-4-get-an-access-token

kyle_sierens · May 31, 2024, 2:49am

We’ve experienced the same thing, we’ve had merchants trying to load our app with success but the but no webhooks are being sent afterwards causing the app to have no record on our DB. This was happening because the Shopify Managed installation was failing at the “scopes stage” and no handling the error or providing feedback. Changing the use_legacy_install_flow = true under the [access_scopes] in the toml file and things started working again.

jam_chan · September 11, 2024, 10:22am

The same here. I find the process unclear. When I read managed app installation, it says that:

Apps no longer need to implement authorization code grant for installation or access scope changes.

However, when I test app on development store in the partner portal, it sends me a get request as mentioned in the authorization code grant - step 1 verify the installation request.

Then, do I have to implement the logic again? Or how can I test my app on a dev store?

Topic		Replies	Views
We use Enable Shopify-managed installations for your app until redirect outsite app Authentication troubleshooting	2	87	September 15, 2024
How does app installation work in production with OAuth2.0? Technical Q&A sales-channels	3	564	April 18, 2024
Oauth error failed_grant_with_invalid_scopes: The application could not be installed due to invalid Authentication troubleshooting , Setting-Up	3	115	April 23, 2024
Can I add more scopes to an already installed app? Shopify Apps	3	230	August 29, 2024
Having troubles with an app after updating scopes Shopify Apps third-party-apps	1	88	March 21, 2024

Is "Shopify managed installation" ready for production?

Related topics