Oauth review failing automatic checks, Please help

Hi everyone!
We’re trying to get our sales channel app approved but seem to be running into the following issues.

1. App must set security headers to protect against clickjacking.
   Your app does not request installation on the shop immediately after clicking “add app”. Apps must ask a shop for access when being installed on a shop for the first time, as well as when they are being reinstalled after having been removed. During install or reinstall we expected OAuth to be initiated at https://cambridgetestshop.myshopify.com/admin/oauth/request_grant but was redirected to https://app.o2omeet.com/connect/shopify?hmac=b98100af1b3d8b2aa86da9cd11b14f449cbf8d3d4b29081f257590f7c957af6d&shop=cambridgetestshop.myshopify.com&timestamp=1642995258. Learn more about authentication in our developer documentation
2. App must verify the authenticity of the request from Shopify.
   Your app does not request installation on the shop immediately after clicking “add app”. Apps must ask a shop for access when being installed on a shop for the first time, as well as when they are being reinstalled after having been removed. During install or reinstall we expected OAuth to be initiated at https://cambridgetestshop.myshopify.com/admin/oauth/request_grant but was redirected to https://app.o2omeet.com/connect/shopify?hmac=8c22a41296426a964b486d89b841fad4ddfe46f0d556c7828cb2c7da26062e1b&shop=cambridgetestshop.myshopify.com&timestamp=1642995207. Learn more a

For reference, please check the flows for installing:
App installed on Shopify:

• User will be able to complete the OAuth process by clicking on install app (We test this with “Test on development store” link)
• If user is not logged in they will need to log into their account and make sure an organization is created before connecting Shopify.
• User will be redirected to https://app.o2omeet.com/connect/shopify where they can initiate the OAuth flow and grant permissions.
• To my understanding this occurs in the embedded portion of the app on the Shopify dashboard.

App installation initiated from within our app

• A user will initiate the integration on the integrations tab and enter their shop domain.
• We will redirect the user to grant permissions and install the app on the Shopify dashboard.
• The user will be redirected back to the OAuth call back and the integration is complete.

All request HMAC and state parameters are verified on our backends, the embedded app links are configured and developer contact data is set up.

Please let us know what we can do to get this approved or if we’re missing certain steps in the OAuth flow.

I am also looking for the solution

Neither they have well structured documentation nor they have good community support. My frustration level is up after I’ve started developing shopify apps.

I know right! I’ve messaged them privately and publicly multiple times and they literally don’t reply. This is not something trivial, I’m honestly asking them why they’re automatic checks are failing when i’ve implemented things exactly based on their documentaion.

Did you get any reply or resolution to this?

Nah no response at all.

Hi Shehan,

The message you received outlines the issue quite explicitly:

During install or reinstall we expected OAuth to be initiated at https://cambridgetestshop.myshopify.com/admin/oauth/request_grant but was redirected to https://app.o2omeet.com/connect/shopify…

The first thing your app needs to do when it’s installed is take the merchant to the OAuth URL mentioned here, which is the format of: https://[shop].myshopify.com/admin/oauth/request_grant

Instead, your app is going to your own custom “/connect/shopify…” URL.

This is a requirement for Shopify apps - you’re not allowed to take them to your own landing page to create an account first. They first need to authorise your app, then you can redirect them elsewhere.

Double check the OAuth docs for more information about requesting the necessary scopes if you haven’t already, and make sure it is the first thing that happens after install.

Hope this helps.

Hi JayAdra,

Thank you for getting back to me.

I’m a bit confused since the Shopify docs say redirect to admin/oauth/authorize and I can’t find any mention of /admin/oauth/request_grant in the link that you shared.

Should i redirect the user from Shopify (after requesting installation) back to Shopify with scopes at admin/oauth/authorize so that they can approve the permissions and handle account creation and set up during the call back?

Hi Shehan,

Apologies - yes you do want to redirect to /admin/oauth/authorize. Shopify will then redirect them to /admin/oauth/request_grant and show the OAuth screen. The URL we build in our auth process looks like this:

const oauthUrl = `https://${config.shop}/admin/oauth/authorize` +
                `?client_id=${config.data.SHOPIFY_API_KEY}` +
                `&scope=${config.data.SHOPIFY_OAUTH_SCOPES}` +
                `&redirect_uri=${config.data.SHOPIFY_CALLBACK_URL}`;

Their rejection message is a bit confusing in this regards.

Okay great. I’ve implemented this change on our system and submitted a review of the app.

Greatly appreciate your help. Will come back to this thread with the results.

Good luck! Hope it gets approved!

We are facing similar issues , kindly help as there is no proper documentation of what has changed in recent times. We have already published 3-4 apps with similar code base, now it is rejecting our new app.Also there is no reply from shopify end except rejecting the apps.

Is there any change please tell ? this is our structure

Basically is app is not installed it will redirect to auth which will redirect to /admin/oauth/request_grant and then ask for oauth permission. This is the entire flow please help

router.get("(.*)", async (ctx) => {
    const shop = ctx.query.shop;

    const currShop = await ActiveShops.getShop(shop);
    if (currShop) {
      await handleRequest(ctx);
    } else {
      // This shop hasn't been seen yet, go through OAuth to create a session
      ctx.redirect(`/auth?shop=${shop}`);
      // ctx.redirect("admin/oauth/authorize");
    }
  });

Still facing this issue, anyone with a different work around? Wish the docs had detailed steps about this..