We have an embedded app with existing users. We have to request an additional permission, and are following the procedure listed here; however, the X-Frame-Options: DENY header on the request_grant screen is causing an issue if the user is visiting the app within their Shopify store dashboard.
When the user selects the app, the start URL is hit, kicking off the OAuth sequence where we request the full set of grants (including a new one that existing users don’t have). That redirects to the /admin/oauth/authorize URL, which in turn redirects to /admin/oauth/request_grant.
The documentation talks about escaping from the iframe, but where is the opportunity to do that?
It also says:
Step 3: Ask for permission
Before an app can access any store data, the app needs to ask for permission. Your app asks for permission by redirecting the merchant to the grant screen where the merchant can choose to grant permissions to the app. Here is an example of what the merchant sees on the grant screen
But redirecting to the grant screen isn’t something I’m doing. As far as I can see following the requests in the browser, this happens by the /admin/oauth/authorize Shopify endpoint:
Location: https://my-test-shop.myshopify.com/admin/oauth/request_grant?access_change_uuid=01234567-abcd-efgg-b2c8-87163390757f&client_id=...
Is there something obvious I’m missing here?