Can we override a merchant's app scopes when managed scopes is enabled?

I have access to read orders 60+ days from Shopify but I don’t want to force everyone to be installing the app with these app scope, when we only need it for a few specific stores. Has anyone found a way to override the managed scopes offered by Shopify to have a “guaranteed” set of scopes per merchant but add unique ones as well per merchant?

I saw a presentation at the Shopify Event in Toronto where there was a demo of someone getting prompted to accept new scopes depending on the internal Shopify app page they landed on, but I couldn’t find this in the help docs.

@keiraarts Short answer is not yet, however, we are actively working on this capability whereby you can use declarative scopes but then over-ride on a per shop basis. Stay tuned!

6 Likes

On the topic of scopes @eytan-shopify - we have over 1000 merchants and 100+ Plus stores using our app.

Every time Shopify releases new scopes (e.g. upcoming fulfillment orders updates), we have to get every single merchant to update their scopes in their app.

It also blocks us from being able to jump into their app until a store owner or someone with similar permissions updates the app scopes on their end. This makes support and troubleshooting incredibly difficult (i.e. when we need to jump into the app and investigate an issue/change a setting for them).

Is there a world where an app can still remain functional without the scopes update?

Maybe a big red banner instead of blocking the app altogether?

Or could an app developer choose if the app should remain functional or not? Would be great for us to be able to choose if a scope update is critical (app blocking) or not :pray:

@keiraarts in case you missed it we released optional scopes. Take a look and let us know what you think!

2 Likes

@paulygoldston Yeah, we are aware of this issue and something that is coming up quite a bit as folks move from REST to GraphQL. We are thinking about this problem space but don’t have anything to share yet as to how we might improve it.

2 Likes

Thanks so much @eytan-shopify. Really glad to hear you already thinking about the problem space. I know Shopify will come up with an elegant solution in the future.

I feel like a greedy kid at Christmas asking for more after the Editions Shopify just dropped :grimacing:

Thanks for all of the hard work from Shopify. Just keeps getting better and better!!

We’ll take a look at Optional Scopes too! :pray:

1 Like

Appreciate you soooooooo much. Thank you.

I’m pushing this to production but found this odd error.

Context: Our app has approval from Shopify to read all orders.

Version couldn’t be created. │
│ │
│ app-access │
│ │
│ Validation errors │
│ • optional_scopes: ‘read_all_orders’ requires ‘read/write_orders’ scope

[access_scopes]

Learn more at App configuration

scopes = “read_assigned_fulfillment_orders,read_checkout_branding_settings,read_customer_events,read_customers,read_discounts,read_fulfillments,read_inventory,read_locations,read_markets,read_merchant_managed_fulfillment_orders,read_order_edits,read_orders,read_payment_customizations,read_products,read_store_credit_accounts,read_themes,unauthenticated_read_checkouts,unauthenticated_read_content,unauthenticated_read_customer_tags,unauthenticated_read_customers,unauthenticated_read_metaobjects,unauthenticated_read_product_inventory,unauthenticated_read_product_listings,unauthenticated_read_product_pickup_locations,unauthenticated_read_product_tags,unauthenticated_read_selling_plans,unauthenticated_write_checkouts,unauthenticated_write_customers,write_assigned_fulfillment_orders,write_cart_transforms,write_checkout_branding_settings,write_customers,write_draft_orders,write_markets,write_merchant_managed_fulfillment_orders,write_online_store_navigation,write_order_edits,write_orders,write_payment_customizations,write_pixels,write_products,write_shipping,write_store_credit_account_transactions,write_third_party_fulfillment_orders,customer_read_customers,customer_write_customers,customer_read_orders,customer_read_markets,unauthenticated_read_product_pickup_locations,read_translations,read_locales,write_locales,read_metaobject_definitions,write_metaobject_definitions,unauthenticated_read_selling_plans,write_metaobjects,read_metaobjects”
optional_scopes = [
“read_all_orders”,
“read_purchase_options”,
“write_purchase_options”,
“write_discounts”,
“write_files”
]

Putting read_all_orders as an optional scope seems to cause an error, so I’d put read_orders in the optional scopes too but it throws a separate error about not duplicating my scopes.

Would optional scopes work with read_all_orders?

@keiraarts , did you apply for read_all_orders access through the Shopify Partner dashboard?

You’ll have to open a ticket to get approval from Shopify to even prompt for that access scope.

1 Like

Yes! I double-checked and partners has granted me the app scope for read_all_orders. I can apply it for all merchants, but I can’t apply it as an optional scope.

@keiraarts thanks for letting us know about this issue with read_all_orders. We’re looking into it now.

1 Like

@keiraarts Thank you again for letting us know about this issue. We are preparing a fix for this, and will report back here when the fix is ready.

In the meantime, for anyone seeking to avoid this issue, we have two different temporary workarounds:

Temporary workarounds

1. Declare both read_orders and read_all_orders as optional_scopes:

scopes = ""
optional_scopes = ["read_orders", "read_all_orders"]

You reported trying this, but my guess is that you may have had read_orders in both scopes and optional_scopes — or possibly write_orders in scopes, and tried adding read_orders in optional_scopes (since “write_orders” is required, the “read_orders” scope is implied as also being required). So maybe instead for your case you’d have optional_scopes = ["write_orders", "read_all_orders"].

2. Put both read_orders and read_all_orders in required scopes:

scopes = "read_orders, read_all_orders"
optional_scopes = []

Or, for your specific scenario where it appears you want write_orders, you’d declare scopes = "write_orders, read_all_orders".

If not previously declared, any added scopes to scopes will prompt merchants upon the next open of the app, if it is an embedded app (Shopify managed installation).

An upside to this approach is that, after the fix is ready, you should be able to move read_all_orders to optional_scopes seamlessly; merchants that already granted access to it will continue to have granted access to the read_all_orders scope after your app configures it as optional.

Neither of these temporary workarounds are perfect, but we wanted to make sure you & other folks are not totally blocked on this. Thank you for investigating declarative & optional scopes. We will report back when the fix is ready.

1 Like

Thank you for looking into this Kyle!

Unfortunately both of these solutions is a high-risk to existing merchants using the app. I will be keenly awaiting the solution for read_all_orders to be optional only!

2 Likes

Just following up if there is any new solutions available by other merchants about this issue, merchants are asking us frequently for it.

Hey @Kyle-Shopify :wave: Just wanted to check in and see if there was any further traction or ETA on this one per chance? We had another merchant raise this today.

Our use case is that we offer downloads for merchants and many customers ask for these invoices well after 60 days (close to tax time etc).

Thanks in advance!