I added the write_payment_terms scope to my app TryOnify. After accepting the permissions on a store, the app started redirecting infinitely until Shopify Admin showed a popup with the following message:
"This app can't load due to an issue with browser cookies. Try enabling cookies in your browser or switching to another browser."
I did some digging in the shopify_app gem and found this PR which describes my issue exactly:
main ← fix_embedded_url_redirect_loop
opened 08:24PM - 01 Sep 22 UTC
### What this PR does
There are some (quite) edge case scenarios where the `embedded_redirect_url` config will trigger a 302 loop to itself, when reloading the app in the admin after a scope change, in production (or SSR) mode.
To avoid that issue, we will simply not redirect in that scenario, so that the request is considered valid and reaches the backend - there is an assumption here that this page does not contain sensitive information and does not handle actual data, but _just_ blindly redirects.
### Reviewer's guide to testing
1. Create a ruby app with the CLI and follow the steps to run it in dev mode. Open the app to install it and kill the server, keeping the browser window open.
2. Run `npm run build --api-key=<apiKey>`
3. Run `ngrok http 3000` on a window
4. Run `cd web` in the app
5. Run `RAILS_SERVE_STATIC_FILES=1 SHOPIFY_API_KEY=<apiKey> SHOPIFY_API_SECRET=<apiSecret> SCOPES=write_products,read_orders HOST=<ngrokAddress> rails server -b 0.0.0.0 -e production -p 3000`
6. Refresh the admin page now that the scopes have changed.
   1. With the current app, you'll see the iframe redirecting internally to login and borking
   2. With this PR, it should break out of the iframe and show the grant screen
### Checklist
Before submitting the PR, please consider if any of the following are needed:
- [x] Update `CHANGELOG.md` if the changes would impact users
cc @Paulo_Margarido
Marking this as solved because I made a mistake in ripping out the config.scope in my shopify_app.rb in /config/initializers.
Someone correctly pointed out here that the scopes must match what’s on the server:
https://community.shopify.com/t/embedded-app-oauth-redirect-endless-loop/16766/10
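The root cause in this thread was a scope list in the app's initializer that no longer matched what the shop had granted. The following Ruby is an added example, not code from the shopify_app gem or from the thread: it compares a configured scope string (what `config.scope` or `SCOPES` would hold) against a granted scope string (what the shop's stored session would hold) and reports the direction of the mismatch, applying the convention that a `write_` scope implies its `read_` counterpart. The status symbols and sample scope strings are this example's own constructed values.

```ruby
# Added example, not code from the shopify_app gem or the thread above.
# Compares the scopes an app is configured to request with the scopes a shop
# actually granted, treating write_x as implying read_x.
# All scope strings below are constructed samples.

require 'set'

WRITE_SCOPE = /\Awrite_(.+)\z/

# Split a comma-separated scope string into a clean Set of scope names.
def parse_scopes(scope_string)
  scope_string.to_s.split(',').map(&:strip).reject(&:empty?).to_set
end

# Expanded form: every write_x also contributes read_x, so a granted
# write_products satisfies a configured read_products.
def expand_scopes(scope_string)
  parse_scopes(scope_string).each_with_object(Set.new) do |scope, out|
    out << scope
    out << "read_#{Regexp.last_match(1)}" if scope =~ WRITE_SCOPE
  end
end

# Compressed form: drop read_x when write_x is present. This is the
# human-readable form used when reporting differences.
def compress_scopes(scope_string)
  scopes = parse_scopes(scope_string)
  implied = scopes.filter_map { |s| "read_#{Regexp.last_match(1)}" if s =~ WRITE_SCOPE }
  scopes - implied
end

# Diagnose configured vs granted scopes. Returns [status, detail]:
#   :ok                            everything matches
#   :missing_scopes                the shop has not granted what the app asks for
#   :granted_more_than_configured  the app config lost scopes the shop still holds
# (status names are this example's own, not the gem's).
def diagnose_scopes(configured, granted)
  missing = compress_scopes(configured).reject { |s| expand_scopes(granted).include?(s) }
  extra   = compress_scopes(granted).reject { |s| expand_scopes(configured).include?(s) }
  return [:missing_scopes, missing.sort] unless missing.empty?
  return [:granted_more_than_configured, extra.sort] unless extra.empty?
  [:ok, []]
end

if $PROGRAM_NAME == __FILE__
  configured = 'write_products,read_orders'                      # constructed sample
  granted    = 'write_products,read_orders,write_payment_terms'  # constructed sample
  status, detail = diagnose_scopes(configured, granted)
  puts "#{status}: #{detail.join(', ')}"
end
```

Run against the two strings your app actually has (the initializer's scope list and the scope column of the shop's session record) before debugging cookies or redirects; either non-`:ok` status means the OAuth flow will keep asking the shop to re-authorize.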