Requesting additional grants

Retired Boards Appdev Tools

Topic summary

Issue: An embedded Shopify app needs to request an additional OAuth permission for existing users. When launched from the Shopify admin, the OAuth flow redirects to /admin/oauth/authorize and then to /admin/oauth/request_grant, but the grant screen sends X-Frame-Options: DENY, which blocks rendering inside the embedded iframe.

Context: The developer is following Shopify’s “change granted scopes” procedure (step 8). Documentation mentions “escaping the iframe” and having the app redirect the merchant to the grant screen, but in practice the redirect to the grant screen is performed by Shopify’s /authorize endpoint, not by the app.

Problem: The developer doesn’t see where in the flow they can trigger a top-level redirect (“escape the iframe”) before the request_grant screen appears. They observe Shopify returning a Location header directly to /admin/oauth/request_grant with an access_change_uuid and client_id.

Status: Unresolved. The developer is asking what they might be missing in implementing the required top-level navigation to the grant screen given the DENY header and Shopify-managed redirects. Technical notes: X-Frame-Options: DENY prevents pages from loading in iframes; “embedded app” runs inside Shopify admin; “grant screen” is where merchants approve scopes.

Summarized with AI on February 2. AI used: gpt-5.
1

We have an embedded app with existing users. We have to request an additional permission, and are following the procedure listed here; however, the X-Frame-Options: DENY header on the request_grant screen is causing an issue if the user is visiting the app within their Shopify store dashboard.

When the user selects the app, the start URL is hit, kicking off the OAuth sequence where we request the full set of grants (including a new one that existing users don’t have). That redirects to the /admin/oauth/authorize URL, which in turn redirects to /admin/oauth/request_grant.

The documentation talks about escaping from the iframe, but where is the opportunity to do that?

It also says:

Step 3: Ask for permission

Before an app can access any store data, the app needs to ask for permission. Your app asks for permission by redirecting the merchant to the grant screen where the merchant can choose to grant permissions to the app. Here is an example of what the merchant sees on the grant screen

But redirecting to the grant screen isn’t something I’m doing. As far as I can see following the requests in the browser, this happens by the /admin/oauth/authorize Shopify endpoint:

Location: https://my-test-shop.myshopify.com/admin/oauth/request_grant?access_change_uuid=01234567-abcd-efgg-b2c8-87163390757f&client_id=...

Is there something obvious I’m missing here?