Issue with App Submission - Unexpected URL Redirect During OAuth Process

Hello Team,

We have encountered an issue during the app submission process.

When a user clicks Install App, our app correctly receives the OAuth callback URL and completes the Shopify OAuth authentication process. However, we recently received a notification stating:

“During an automated check, your app didn’t successfully initiate authentication when installing. The app responded with an unexpected URL.”

The details provided were:

  • Expected URL:
    https://admin.shopify.com/store/uvszh1-m5/app/grant
  • Actual URL:
    https://app.shiplogix.in/auth/login

From our understanding, the expected URL belongs to Shopify’s admin domain, and it is not under our control. Therefore, the redirection after installation should be handled by Shopify itself, not by our app.

Could you please clarify the correct flow and expected URL redirections during the installation and OAuth process? We want to ensure we follow the correct OAuth flow and comply with Shopify’s installation requirements.

To summarize our current process:

  1. User clicks Install App on Shopify.
  2. Shopify initiates OAuth and redirects to our app’s callback URL.
  3. Our app receives the code and exchanges it for the access token.
  4. After successful authentication, our app redirects the user to our own login page (https://app.shiplogix.in/auth/login).

Please confirm if this flow is correct, or if we should redirect the user back to the Shopify admin URL or another URL to pass the automated check.

Thank you for your support and guidance.

Hey @Varshika_Dadhich ,

Just looking over the requirements here, it mentions this after the merchant approves your scopes:

  1. Your app must redirect merchants to the user interface (UI) after they accept permissions access on the OAuth grant page.

Is your app an embedded app? The reason I ask is there are additional requirements for that as well, and redirecting to your login as opposed to the store admin could be the problem:
https://shopify.dev/docs/apps/launch/app-requirements-checklist#a-embedding-into-the-shopify-admin

No, we do not have an embedded app. It has a separate website to which the user is redirected after installing the app in their store. The user journey is working fine, but in the app requirements it’s showing that the expected URL is different from the received URL. Please guide.

Have you implemented the app grant as explained here: Implement authorization code grant manually?

Hey! Just checking to see if the app grant documentation helped here?

Thanks, Kyle. I really appreciate your help. This document was very helpful—I realized I had missed registering the install API in the App URL section of my Shopify app configuration.

Oh great! Glad I could help unblock you there. Best of luck through the rest of your review :slight_smile:

Hello,

We’re also running into an issue here on the same automated check for our standalone app:

Expected URL: https://admin.shopify.com/store/uvszh1-m5/app/grant
Actual URL: {our_app_url}/shopify/begin?hmac=<hmac>&host=<host>&shop=uvszh1-m5.myshopify.com&timestamp=<timestamp>

I’ve already added this route to our App’s Settings > Build > Configuration > App URL:

{our_app_url}/shopify/begin

When installing our app through the Shopify Partners dashboard (i.e. clicking ‘Install app’ on the ‘Test app on development store’ page), everything works well:

  1. User is routed to /shopify/begin
  2. User is directed back to Shopify to accept installation
  3. User is routed to /shopify/callback
  4. User is routed to another route within our app

Given that this all works properly as an actual user, at what step is the automated check getting stuck? The only thing I could think of is that instead of doing 3xx redirects, we do redirects via window.location.href = <redirect_url> because of some NextJS idiosyncrasies.

Hey Luke, are you building an embedded app?

The reason I ask is the issue may be the way you have implemented the redirect as it needs to escape the iframe. We have a guide on that here: https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/authorization-code-grant#check-for-and-escape-the-iframe-embedded-apps-only

Hey Kyle,

Thanks for the quick reply. We are not building an embedded app…

Thanks for clarifying that.

Taking another look at your URL, I can see that the Actual URL shown doesn’t align with the expected URL:

If you aren’t using a library, then do the following:

  1. Build a URL using the following format and parameters:
https://{shop}.myshopify.com/admin/oauth/authorize?client_id={client_id}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce}&grant_options[]={access_mode}

Since the URL returned contains HMAC, is it possible the verification Step 1 isn’t fully implemented?

The URL with format

https://{shop}.myshopify.com/admin/oauth/authorize?client_id={client_id}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce}&grant_options[]={access_mode}

is where the user is redirected to after visiting /shopify/begin on our site.

To be specific, the frontend captures the query params on route /shopify/begin, then sends an HTTP request to our backend. The backend then does all of the verification steps and builds the redirect URL (the one you sent) with the proper information filled in (most importantly, the shop, since the client_id, scope, redirect_uri, and access_mode are the same across shops). The backend sends this as a 200 response with a { redirectUrl: <redirect_url> } object as the response data. The frontend then takes this response data and sets window.location.href = <redirect_url>.

Seems like this should be a GET request directly to our backend?

EDIT: yep, that was it
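
The fix the last post arrives at, sketched as an added example (not code from the thread or from Shopify): the App URL route is handled server-side, verifies the install request, and answers the GET itself with a 302 to the authorize URL instead of returning JSON for the browser to follow. It assumes Node.js; the client id, secret, redirect URI and cookie name are placeholders, the optional `grant_options[]` parameter is omitted, and the HMAC check follows Shopify's documented scheme (HMAC-SHA256 over the sorted query string without `hmac`).

```javascript
const nodeCrypto = require("node:crypto");

// Placeholder app settings (constructed for this example).
const cfg = {
  clientId: "example-client-id",
  clientSecret: "example-client-secret",
  scopes: "read_orders",
  redirectUri: "https://app.example.com/shopify/callback",
};

// HMAC-SHA256 (hex) over the query parameters, hmac removed, sorted by key.
function signQuery(params, secret) {
  const msg = [...params.entries()]
    .filter(([k]) => k !== "hmac")
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([k, v]) => `${k}=${v}`)
    .join("&");
  return nodeCrypto.createHmac("sha256", secret).update(msg).digest("hex");
}

// Handles GET {App URL}?hmac=...&host=...&shop=...&timestamp=...
// Returns the HTTP status and headers the server should send.
function beginInstall(rawQuery, conf = cfg) {
  const params = new URLSearchParams(rawQuery);
  const shop = params.get("shop") || "";
  const given = Buffer.from(params.get("hmac") || "", "utf8");
  const expected = Buffer.from(signQuery(params, conf.clientSecret), "utf8");
  // Constant-time comparison; lengths must match before timingSafeEqual.
  const hmacOk = given.length === expected.length &&
    nodeCrypto.timingSafeEqual(given, expected);
  // Only redirect to a well-formed myshopify.com hostname.
  const shopOk = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/.test(shop);
  if (!hmacOk || !shopOk) return { status: 400, headers: {} };

  // Per-install nonce, bound to the browser so the callback can check state.
  const nonce = nodeCrypto.randomBytes(16).toString("hex");
  const q = new URLSearchParams({
    client_id: conf.clientId, scope: conf.scopes,
    redirect_uri: conf.redirectUri, state: nonce,
  });
  return {
    status: 302, // a real HTTP redirect, not a 200 with a URL in the body
    headers: {
      Location: `https://${shop}/admin/oauth/authorize?${q}`,
      "Set-Cookie":
        `shopify_oauth_state=${nonce}; HttpOnly; Secure; SameSite=Lax; Path=/`,
    },
  };
}
```

The callback route should then compare the `state` it receives with the cookie value before exchanging the code for a token.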