Shopify App Gets Caught in Infinite 'Enable Cookies' loop in Safari

@hannachen should we expect a patch from Shopify around this in koa-auth? This issue is clearly reproducible in Safari 13.1 because it blocks third party cookies by default.

This is quite an urgent issue as a lot of visitors are using the latest version of Safari. We can replicate the Redirect Loop issue caused by Koa-Auth-Shopify in multiple stores and for multiple Apps. The cause of the issue seems to be the Third-Party-Cookies being blocked by default in Safari 13.1.

Shopify, we’re getting multiple reports per day (and growing) of this issue and this is highly impactful. Could you please advise on a temporary fix until the module gets updated?

We’re working on a fix! I’ll post when we have an updated version of the library out for you to try. Thanks for reporting this!


We released v3.1.61 of koa-shopify-auth this afternoon that should fix issues with Safari 13.1: https://www.npmjs.com/package/@shopify/koa-shopify-auth/v/3.1.61

Please give it a try and let us know if it works for you!


I just tested “v3.1.61” of “koa-shopify-auth” on Safari 13.1 and it did fix the cookie redirect issue! Thanks a ton for releasing the patch quickly. Much appreciated :)

I’m seeing the following prompt every time I’m trying to open my app on Safari 13.1 though, is that a new normal?


Thank you Michael for the update.
We’ll test it soon.

Glad it’s working for you!

Yes, that’s the new normal (for the moment). But we’re working on something better :) https://twitter.com/jmwind/status/1256249454430224386


Niiice!

I thought it was strange that cookies (and redirects) were needed at all. It seemed like just adding a definable parameter at the install URL would be enough to get rid of them.

I think I also read about iframe-less apps - I can’t wait to read about the details of that magic :)

We’ve upgraded to v3.1.61 and now in the initial authentication process we get the following error:

Request origin could not be verified

It happens in all browsers.

Only in the second attempt to authenticate, it works well.

Any ideas?

Hi artva,

Were you able to reproduce this error with the example app in the repo? That’s a good way to know whether it’s an issue with the library or with the configuration. https://github.com/Shopify/quilt/tree/master/packages/koa-shopify-auth#example-app

I’d also recommend you create a new thread for this issue so that it gets more visibility.

-Mike

Regarding https://twitter.com/jmwind/status/1256249454430224386, can we get a rough idea of how this will work and when it would be released?

Will it be only for App Bridge or also available for the EASDK?

Given the recurring cookie issues with customers, we are considering rewriting our authentication mechanism to be cookieless, but it would be a shame if we did the work and shortly after the new solution was released…

Hi! We’ll be sharing more details soon! You can expect it to be available for all partners this summer.

It will only be available for App Bridge, so now’s a good time to upgrade to App Bridge if you’re still on EASDK.

Thanks!

-Mike

Thanks @Michael_Ragalie

Regarding summer, is that the timeframe for production or beta?

I understand that you might not be able to share more yet, but I was hoping you could just share the type of embedding technique that you will be using, as it can have an impact on the authentication design we might choose.

For example, is it based on a link tag like , or some other mechanism?

Also, will apps be loaded in a ‘first-party’ context, as opposed to an iFrame, which creates a ‘third-party’ context?

Hi! That’s the timeline for production.

The gist is that Shopify issues a JWT to the app frontend via App Bridge, you include that JWT in the Authentication header of your requests to your app backend, and then your app backend can verify the JWT signature and know which shop/user the request is on behalf of.

We’ll share more details soon! Thanks!

Apps will still be loaded in a third-party context.

Thanks, I’m looking forward to experimenting with the beta.

Safari users in particular are running into a lot of third party cookie issues.

Still within an iFrame right?

Hello,

Our customers still run into this issue, even after the upgrade to version 3.1.65 of shopify/koa-shopify-auth.

What can we do as a temporary solution?

Hi Victor, it can be hard to diagnose issues with the cookie-based auth flow. If you’re running into problems, I’d recommend you try out the new cookieless option and see if it resolves some of the issues: https://shopify.dev/tools/app-bridge/authentication