It looks like your understanding of the client credentials is correct. To my understanding, a Partner Org app authenticating to a prod store via client credentials can only be done if the user is a collaborator with a Developer role. See this comment for more info.
My approach uses the authentication grant flow (I used TypeScript). Manual implementation: Shopify.dev docs

- Set up your app with custom distribution (looks like you have done this). I don't think it'll make a difference, but I had the `Allow multi-store install for Plus organization` option selected.
- Paste the generated URL in the browser. It'll redirect you to `/` in your non-embedded app.
- Verify the HMAC signature (recommended for security purposes).
- Once verified, redirect to your auth flow endpoint (e.g. `/auth`).
- Use the shopify-api `auth.begin` function to redirect the merchant to Shopify, e.g.

```ts
const callbackResponse = await api.auth.begin({
  isOnline: false,
  rawRequest: request,
  // This should be the same as the "Redirect URL" in your app setup in the Partner Dashboard
  callbackPath: '/auth/callback',
  shop: shop,
});
return callbackResponse;
```

- `callbackResponse` from the previous step will redirect to `/auth/callback` in my app. This is where we will generate the OfflineSession Token, e.g.

```ts
const callback = await api.auth.callback<Headers>({ rawRequest: request });
```

- The offline session should resemble the following:

```json
{
  "session": {
    "id": "offline_<my_store>.myshopify.com",
    "shop": "<my_store>.myshopify.com",
    "scope": "read_orders,read_inventory,read_products,...",
    "state": "random generated state here",
    "isOnline": false,
    "accessToken": "shpca_<token>"
  }
}
```

- You will also need to set up a means of managing your tokens as they are not ephemeral, e.g. a database or datastore. Reinstalling your app will provide you the same token.
- Your mileage may vary due to the language and tools available to you.
This approach, while not ideal, worked for me. I would recommend you first verify your role in the prod store in order to use the client credentials, as that seems the simplest approach.
Hope this helps
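The "Verify the HMAC signature" step in the answer above could look like the following. This is an added example, not code from the original post or from the shopify-api library. The names `verifyInstallRequest`, `signQuery` and `sampleUrl`, the secret and the URL are hypothetical, and it assumes the signed message is the query string with `hmac` removed, keys sorted, and values encoded as `URLSearchParams` serializes them.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// A shop value must look like <name>.myshopify.com before we redirect anywhere.
const SHOP_RE = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/;

// Hex HMAC-SHA256 over the query string with `hmac` removed and keys sorted.
// Assumption: values are re-encoded the way URLSearchParams serializes them.
function signQuery(params: URLSearchParams, clientSecret: string): string {
  const pairs = Array.from(params.entries())
    .filter(([key]) => key !== "hmac")
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  const message = new URLSearchParams(pairs).toString();
  return createHmac("sha256", clientSecret).update(message).digest("hex");
}

// Returns the validated shop domain, or null when the request must be rejected.
function verifyInstallRequest(requestUrl: string, clientSecret: string): string | null {
  const params = new URL(requestUrl).searchParams;
  const shop = params.get("shop") ?? "";
  const received = params.get("hmac") ?? "";
  // Reject malformed input before comparing, so both buffers are 32 bytes.
  if (!SHOP_RE.test(shop) || !/^[0-9a-f]{64}$/.test(received)) return null;
  const expected = Buffer.from(signQuery(params, clientSecret), "hex");
  const actual = Buffer.from(received, "hex");
  // Constant-time comparison avoids leaking how many leading bytes matched.
  return timingSafeEqual(expected, actual) ? shop : null;
}

// Constructed sample input: made-up secret, shop and timestamp.
const SAMPLE_SECRET = "constructed-client-secret";
function sampleUrl(shop: string): string {
  const q = new URLSearchParams({ shop, timestamp: "1700000000" });
  q.set("hmac", signQuery(q, SAMPLE_SECRET));
  return `https://app.example.test/?${q.toString()}`;
}
```

Only redirect to `/auth` when `verifyInstallRequest` returns a shop domain, and pass that returned value on as `shop` rather than the raw query parameter.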