Hi everyone,
I’m facing an issue with the Shopify OAuth flow where the redirect_uri (and sometimes state) gets dropped only when the merchant is not already logged in to Shopify.
Issue Summary
When initiating OAuth, my app redirects the merchant to Shopify’s authorization URL.
If the merchant is already logged in, everything works correctly.
But if the merchant is logged out, Shopify redirects them to the admin login page, and after login, the OAuth URL becomes incomplete, missing required parameters (specifically the redirect_uri) — causing the error **“redirect_url is missing.”**
URL found after logging in using OAuth (if the user is not already logged in).
We can see that the redirect_uri has been trimmed by Shopify:
http://admin.shopify.com/admin/oauth/authorize?client_id=9f3af604802901c28e38bf4926591f54&scope=read_orders,write_orders,read_fulfillments,write_fulfillments,read_products,write_products,read_inventory,write_inventory,read_price_rules,write_price_rules,read_gift_cards,write_gift_cards,read_locations,read_draft_orders,write_discounts,read_discounts,read_customers,read_script_tags,write_script_tags,read_product_listings,read_collection_listings,read_assigned_fulfillment_orders,write_assigned_fulfillment_orders,read_merchant_managed_fulfillment_orders,write_merchant_managed_fulfillment_orders,read_third_party_fulfillment_orders,write_third_party_fulfillment_order
URL found after logging in (if the user is already logged in to Shopify).
There is no such trimming happening:
http://admin.shopify.com/admin/oauth/authorize?client_id=9f3af604802901c28e38bf4926591f54&scope=read_orders,write_orders,read_fulfillments,write_fulfillments,read_products,write_products,read_inventory,write_inventory,read_price_rules,write_price_rules,read_gift_cards,write_gift_cards,read_locations,read_draft_orders,write_discounts,read_discounts,read_customers,read_script_tags,write_script_tags,read_product_listings,read_collection_listings,read_assigned_fulfillment_orders,write_assigned_fulfillment_orders,read_merchant_managed_fulfillment_orders,write_merchant_managed_fulfillment_orders,read_third_party_fulfillment_orders,write_third_party_fulfillment_orders,read_order_edits,write_order_edits&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRJZCI6ImF1dG9tYXRpb251aSIsImNvbm5lY3RlZEx5bmtJZCI6IjY5MWI3Y2E4YmVmYTY1YTQ3NWFjYWNiYiIsImlhdCI6MTc2MzQwOTA2NH0.1xNiJKRmAksETI04593hdlBrwGKFRGXgB_0O0zlgZJk&redirect_uri=https://www.google.com
Here the redirection to Google happens properly, as the URL does not get trimmed by Shopify when the user is already logged in.
Hi @Uday_Menon
There are a couple of things we can check here:
- Always URL-encode all OAuth parameters, especially redirect_uri and state.
- Ensure the redirect_uri exactly matches the one whitelisted in your app settings.
- Use the recommended OAuth 2.0 flow, including PKCE if possible.
- Store state and code_verifier securely server-side to validate after redirect.
- Test with a simple, static redirect_uri to rule out URL complexity issues.
- Check for browser extensions or privacy settings that might strip parameters.
- If your app is embedded, use Shopify’s App Bridge or SDK for OAuth.
- If the problem persists, it may be a Shopify platform bug. Please contact Shopify support with detailed logs and reproduction steps.
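
The URL-encoding and server-side `state` items from the checklist above, as an added example that is not part of the original thread and is not Shopify's own code. The shop host, client id and callback URL are constructed placeholders, and the in-memory `pendingStates` map stands in for a real session store.

```javascript
// Added example: all hosts, ids and URLs used with these functions are constructed.
const crypto = require('node:crypto');

const REQUIRED = ['client_id', 'scope', 'redirect_uri', 'state'];
// Server-side store of issued state values -> expiry time in ms (assumption:
// a session or database table plays this role in a real app).
const pendingStates = new Map();

// Build the authorize URL. URLSearchParams percent-encodes every value, so
// "://", "/" and "," inside redirect_uri and scope cannot be mistaken for
// URL structure when the URL is nested or passed through another redirect.
function buildAuthorizeUrl({ shopHost, clientId, scopes, redirectUri }) {
  const state = crypto.randomBytes(16).toString('hex'); // unguessable nonce
  pendingStates.set(state, Date.now() + 10 * 60 * 1000); // valid for 10 minutes
  const url = new URL(`https://${shopHost}/admin/oauth/authorize`);
  url.search = new URLSearchParams({
    client_id: clientId,
    scope: scopes.join(','),
    redirect_uri: redirectUri,
    state,
  }).toString();
  return { url: url.toString(), state };
}

// Diagnostic: list the required parameters that are absent or empty in a URL,
// e.g. the one copied from the address bar after the login redirect.
function missingOAuthParams(urlString) {
  const params = new URL(urlString).searchParams;
  return REQUIRED.filter((name) => !params.get(name));
}

// Callback check: accept a state only if this server issued it, it has not
// expired, and it has not been used before (single use).
function consumeState(returned) {
  if (typeof returned !== 'string') return false;
  const expiry = pendingStates.get(returned);
  if (expiry === undefined) return false;
  pendingStates.delete(returned);
  return Date.now() <= expiry;
}
```

Running `missingOAuthParams` on the URL seen before and after the login redirect shows exactly which parameters were lost, which is useful detail for a support ticket.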