I’m currently testing Shopify’s OIDC functionality, with Salesforce as the identity provider (IdP) and Shopify as the service provider (SP).
The flow proceeds as expected up to the authorization step:
Shopify successfully calls the Salesforce authorization endpoint, the end user logs in and grants access, and Salesforce then redirects back to the specified callback URL with the code and state parameters.
However, Shopify responds with a 401 Unauthorized error at this point, and the logs contain the message:
Something went wrong: Access token request error
This seems misleading, since (to my understanding) Shopify should not be requesting an access token at this callback stage—only the authorization code is involved here.
I’ve double-checked the configurations on both the IdP and SP sides, and everything appears to be in order. Btw, I’ve reached out to support, but did not receive any useful information.
Has anyone encountered a similar issue, or could suggest what might be causing this unauthorized response?
Thanks in advance for your help!
Request
GET
https://{mydomain}.my.salesforce.com/services/oauth2/authorize?scope=openid+email&client_id={clientId}&response_type=code&redirect_uri=https://shopify.com/authentication/{mystore}/login/external/callback&state=01JXVAWTN32D9ZS8X9YCC48SBB&nonce=57826e03-ca27-45d3-9649-6697db6d4ece&prompt
→ Response 302 Found
Request
GET
https://shopify.com/authentication/{mystore}/login/external/callback?code={HereIsACode}&state=01JXVAWTN32D9ZS8X9YCC48SBB
Hey @Eason_Sun I believe the “Access token request error” message there is actually accurate.
After receiving an authorization code, Shopify will then attempt to go back to your Salesforce server and exchange it for an access token with Salesforce’s token endpoint (a bit more info here). This does seem to be the correct behaviour from what I can tell.
The most common causes for this error are generally mismatched client credentials (client_id/client_secret) between what’s configured in Shopify and Salesforce, redirect URI mismatches (even small differences like trailing slashes can cause this), or expired/invalid authorization codes since they’re typically single-use and expire within minutes.
If you have access to them, I’d recommend checking your Salesforce OAuth logs for more specific error details and testing the token exchange manually using cURL to isolate whether the issue is with Shopify’s request or Salesforce’s configuration.
I’m not super familiar with Salesforce, but one thing that might help would be to verify if switching on PKCE (Proof Key for Code Exchange) might help resolve things, as this is a common reason for auth failures. I did a little bit of digging and it looks like this might be something you can set up via Salesforce directly (I saw it as a checkbox selection in your screenshots there too): Help And Training Community
If that doesn’t resolve the issue, I think reaching out to Salesforce may be the best bet since from what I can tell that 401 message is coming from their side after we send out the token request.
Hope this helps a bit - let me know if I can clarify anything on my end here.
Hi @TonyKukoc, unfortunately, we are still facing the issue. We logged a case with Shopify support and are waiting for the response.
But we do have some further update:
We wrote an Apex REST class with a doGet function and customized the authorize endpoint, token endpoint, and userInfo endpoint in the discovery document. The purpose was to capture debug logs and monitor how Shopify sends requests to Salesforce.
We observed that Shopify did call the authorize endpoint and made a POST request to the token endpoint, but it did not make a request to the userInfo endpoint. We suspect that an error occurred on Shopify’s side while verifying the id_token. Therefore, we contacted Shopify support to ask whether they could check the error logs on their end.
If there are any updates from support, I will post them in this thread~~
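As an added example (not code from either poster), a Python script covering the two steps discussed in this thread: building the token-endpoint request Shopify sends after the callback (the exchange TonyKukoc suggests testing manually), and the id_token claim checks a relying party performs before accepting the login (the step Eason_Sun suspects is failing). The token endpoint path, the issuer value, the client credentials and the code are assumptions or placeholders; signature verification against the IdP's JWKS is not shown.

```python
# Added example: not from the thread. Reproduces what the SP does after the callback:
# (1) the POST body for Salesforce's token endpoint, (2) id_token claim checks.
import base64
import json
import time
from urllib.parse import urlencode

# Assumed values; {mydomain}, {mystore} and the credentials are placeholders.
TOKEN_ENDPOINT = "https://{mydomain}.my.salesforce.com/services/oauth2/token"
REDIRECT_URI = "https://shopify.com/authentication/{mystore}/login/external/callback"

def build_token_request(code, client_id, client_secret):
    """Form body for the authorization-code exchange; POST it to TOKEN_ENDPOINT."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI,  # must match the authorize request exactly
    })

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def id_token_claim_problems(id_token, issuer, client_id, nonce, now=None):
    """Return the failing claim checks (empty list means the claims are acceptable).
    Signature verification against the IdP's JWKS is a separate step not shown here."""
    now = time.time() if now is None else now
    try:
        _header, payload, _sig = id_token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return ["id_token is not a three-part JWT with a JSON payload"]
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r} != {issuer!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain our client_id")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the value sent in the authorize request")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    return problems

def make_unsigned_id_token(claims):
    """Constructed test token (alg=none, empty signature) to exercise the checks offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```

Feeding the real id_token from Salesforce's token response into id_token_claim_problems shows which of iss, aud, nonce or exp a relying party would reject.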