Unnecessary redirect with User authentication and JWT #1646
Comments
Authentication and embedded apps have always had a lot of problems, and I agree, it hasn't been much better with JWT, but to be fair, the Storage Access API doesn't seem like a good option either with only about 25% of browsers supporting it?
@wnm Let me clarify this. The major issue here is redirects. Shopify redirects the user twice to get a user token. Regardless of JWT or cookie sessions, every app that needs a user token goes through this unnecessary loop. There is always a delay of a few seconds. This faulty loop has caused all of the problems with cookie-based sessions. This gem's Storage Access API implementation was based on another redirect, whereas a JavaScript call was required. Instead of addressing the issue, JWT was introduced and the storage access flow removed. But the problem is still there. Regarding the Storage Access API, all browsers support it. If a browser currently does not support it, it supports third-party cookies instead, so 100% of browsers currently provide a way for cookie sessions with third-party cookies. https://caniuse.com/mdn-api_document_requeststorageaccess For this reason cookie-based sessions should not be discouraged in my opinion. Also, again, the core of the problem is the loop for the user token in the OAuth process.
This issue is stale because it has been open for 60 days with no activity. It will be closed if no further action occurs in 14 days.
We are closing this issue because it has been inactive for a few months. If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request; see the CONTRIBUTING.md file for guidelines. Thank you!
Is it related?
@tarekrahme Somewhat related: so far neither the shopify_app gem nor shopify omniauth returns any user information unless multiple redirects happen, which is odd.
@uurcank I see what you mean. Any idea why that would be the case? Thanks in advance!
With the new JWT token authentication, the user ends up in the embedded app frame, so you will need to escape the frame to restart authentication, which can be difficult. Regarding too many redirects, it all depends on your code, so you need to debug and find a way to stop and return from the controller so it does not happen. The shopify_app gem has multiple redirects in place, so your code should not conflict with that, or you can patch the gem to your needs.
Many apps support multiple user accounts, and to get a user token, the shopify_app gem redirects the user to make another OAuth call. The auth cycle is run twice and sometimes more. This means every time a merchant opens an app, they get redirected twice and experience a delay of a few seconds. This makes the platform feel very slow, and merchants uninstall apps because they believe they do not work.
This can be fixed. How?
Change Shopify API
Facebook's Graph API would be a good example. Facebook authenticates the user first, and then the user makes an API call to get an offline token, say, for a Facebook Page. The same should be the case for Shopify. Authentication must be for a user, not a store. After authentication we should be able to make a call to an endpoint to get an offline token for a store. This is pretty much how the Recurring Billing API works already. It returns a confirmation token after making a call.
Change Shopify's OAuth
Perhaps an easy fix could be implemented by just changing Shopify's OAuth. It currently requires two separate calls to obtain different tokens. Change the OAuth code to return both tokens at once. The user token can be served under "extra" params every time.
This has been an issue that negatively impacts merchant experience.
JWT not required
For some reason, the Shopify team has prioritized alternative solutions such as JWT authentication. However, the issue was not with apps or cookies. The logic underlying the authentication process has been flawed.
Developers can develop apps however they want and still authenticate with cookies if the user does not get redirected multiple times in an iframe. The Storage Access API still makes cookie-based authentication possible. For some reason this new API was not understood well, and the entire Shopify ecosystem is moving towards JWT authentication, which is very opinionated.
So many apps are not embedded apps because the authentication process is difficult to deal with. @tobi
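As an added illustration, not code from the shopify_app gem or from anyone in this thread, here is how an embedded app's frame could decide whether its own session cookie is usable before starting any OAuth redirect, using the Storage Access API where the browser implements it and assuming plain third-party cookies where it does not, which is the behaviour the comment about browser support and the "JWT not required" section both rely on. `resolveCookieAccess`, `fakeDocument` and `demo` are names invented for this example, and the document object is passed in as a parameter so the decision logic can run outside a browser.

```javascript
// Added example, not part of the shopify_app gem. Decides whether an embedded
// frame may rely on its own session cookie before starting any OAuth redirect.
// `doc` is normally `document`; it is a parameter so the logic is testable.
async function resolveCookieAccess(doc) {
  const hasApi = typeof doc.hasStorageAccess === 'function' &&
                 typeof doc.requestStorageAccess === 'function';
  if (!hasApi) {
    // Assumption taken from the discussion above: a browser without the API
    // does not partition the frame's cookies, so third-party cookies work.
    return { usable: true, via: 'third-party-cookies' };
  }
  if (await doc.hasStorageAccess()) {
    return { usable: true, via: 'storage-access-already-granted' };
  }
  try {
    // In real browsers this must run inside a user gesture (e.g. a click
    // handler) or the promise rejects.
    await doc.requestStorageAccess();
    return { usable: true, via: 'storage-access-granted' };
  } catch (_err) {
    // Access refused: do not loop on redirects inside the iframe; escape to a
    // top-level window for authentication instead.
    return { usable: false, via: 'denied', fallback: 'top-level-auth' };
  }
}

// Constructed stand-in for `document` so the decision logic can be exercised
// offline. `supported: false` models a browser without the API.
function fakeDocument({ supported = true, hasAccess = false, grants = true } = {}) {
  if (!supported) return {};
  return {
    hasStorageAccess: async () => hasAccess,
    requestStorageAccess: async () => {
      if (!grants) throw new Error('storage access denied');
    },
  };
}

// Walk the three browser situations the thread talks about.
async function demo() {
  const cases = {
    legacy: fakeDocument({ supported: false }),
    granted: fakeDocument({ hasAccess: true }),
    refused: fakeDocument({ grants: false }),
  };
  const out = {};
  for (const [name, doc] of Object.entries(cases)) {
    out[name] = await resolveCookieAccess(doc);
  }
  return out;
}
```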