Shopify APIs and SDKs

FYI I don't think "private apps" can be embedded, hence you hit a wall there. 

So I didn't build my app using Node and React and am generally relatively new to web development and also haven't yet submitted my app for approval, but hopefully I can help as I've been banging my head against the wall all week. In my experience, their install links within the UI (whether for a custom app for a merchant or to test in your own development store) simply don't work. Instead, you need to generate a permissionUrl that's constructed like this:

https://{shop}.myshopify.com/admin/oauth/authorize?client_id={api_key}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce}&grant_options[]={access_mode}

My suspicion at what's happening is that install link goes straight to your app and whatever code is included in that example isn't properly routing you to generate the above permissionUrl. So instead, just manually create the above link for your development store and paste it into your browser, you should see the OAuth prompt and you can proceed (and redirect you using your redirecturi - at this point make sure you store the code and exchange for access token). 

Now you will ask - OK, so we can finally get this installed for a development store, but it's not like we're going to generate that link manually by getting each merchant's shopOrigin and email them the link each time, right? They provide this snippet here: https://shopify.dev/tools/app-bridge/getting-started in the 'Authenticate with OAuth' section - this will enable you to dynamically generate the permissionUrl. 

Which brings us to your other question (and one I was immensely confused on), how do we get and store shopOrigin? They have info here: https://shopify.dev/tutorials/get-and-store-the-shop-origin and appear to have a couple built-in libraries to assist with this if you're using Node.

In my case, my app was built simply using JS / HTML / CSS so I didn't use any of that. Let's say your app is ultimately hosted at {myshopifyapp}.myapphosting.com and this is where you point your Shopify app when you create your Shopify app listing. When your app is actually live in the Shopify app store and someone clicks "install," Shopify will automatically append ?shop={shopOrigin} to your URL - so your effective install url that you can use to test an actual installation process that a merchant goes through (I believe, and I hope) becomes {myshopifyapp}.myapphosting.com?shop={shopOrigin}. So this will help get you the shopOrigin of the logged in merchant for the purposes of generating your initial permissionUrl.

For returning merchants accessing your embedded app from within Shopify POS or embedded within Shopify Admin, in my experience, the queryString of every request will also have ?shop={shopOrigin} appended, along with hmac, session, and locale - so you can use window.location.search to get the query string, then parse the query string to grab shopOrigin each time (after validating hmac to confirm it's a valid request from Shopify). 

All that being said, this has resulted in me having to manually write annoying conditional logic that goes something like, when someone arrives at my app I check for the presence of the shop and hmac parameter and if that's present, then on the server side I validate hmac - if so, then I check for the presence of a valid API access token for them - if that's there, then welcome back to my app. I'm making an assumption here that if the hmac validation passes it's not a bad actor. If someone sees any issues with this, by all means please let me know. 

Lastly, I'll just add this here because if the above works for you, then eventually you'll hopefully get to the point where you'll want beta test your app with an actual merchant. You'll send your merchant your generalized install link {myshopifyapp}.myhosting.com?shop={their shopOrigin} that you've so meticulously created and tested your OAuth flow for and they'll be confronted with an error message during install that they can't install an unlisted, unapproved app (you've been testing this on your own development stores after all, who would have expected their experience would be any different?). So then you'll create another app within Shopify and mark it custom instead of public, and click "generate a custom install link" and send that to them, and that will just result in a broken app page after they click install and when you both check, your app still isn't installed. 

So the move here instead is to send them a manually constructed permissionUrl which includes the new client_id and their shopOrigin. If you try to do this BEFORE you generate the broken custom install link and specify which merchant your app is for, it also won't work. 

Good luck!

@yanfaingold, @simplymike, @satwik97 

I wrote up my solution, but this chat  disconnected me and had not autosaved, and I don't have time to write it up all again, but  @policenauts1  direction to use the following solved my issue.

When you arrive to the incongruity between the tutorial dashboard view that offers a view of screens for installing the tutorial app

and all you see is the  following screen

this is when @policenauts1 offering fixes the embed, ( at least it did for me)

https://xxx-xxx-xxx.myshopify.com.myshopify.com/admin/oauth/authorize?client_id=xxx-api-key-xxxx&scope=read_products&redirect_uri=https://O3y-current-domain-3cd34.ngrok.io/auth/callback&state=nonce&grant_options[]=access_mode

sticking that in the browser with 
1) ngrok running with a Session THAT HAD NOT EXPIRED ( apparently if ngrok session expires, it does not just shut down, and will appear as though it is running, but it will not have the needs ssl)

2) running  the Node/React/NextJS app as a true node service  and not as next app in dev mode using the webpack server.
    so change package.json from    "dev":"next"  to    "dev": "node server.js" 

and  zippy doo-daa, you should see the following view in you dashboard

clicking on the Sample Embed App should load your app in the dashboard.