OAuth forgets redirect_uri if user is logged out

Hi, I have a problem with the OAuth flow. If I start the OAuth flow for installing an app while I am logged out of Shopify and send a scope, I get the error: Oauth error invalid_request: The redirect_uri is missing

In more detail:
I implemented the OAuth flow using a PHP package (GitHub - Shopify/shopify-api-php). If I try to start the OAuth flow with this package, I get a URL like the following:
https://{shop}.myshopify.com/admin/oauth/authorize?client_id={clientId}&scope=write_third_party_fulfillment_orders,write_assigned_fulfillment_orders,write_merchant_managed_fulfillment_orders,read_content,read_online_store_pages,write_customers,write_delivery_customizations,write_discounts,write_draft_orders,read_files,write_fulfillments,write_gift_cards,read_inventory,read_legal_policies,read_locales,read_locations,read_markets,read_marketing_events,read_metaobject_definitions,read_metaobjects,read_order_edits,write_orders,read_payment_terms,read_price_rules,read_privacy_settings,read_products,read_purchase_options,write_returns,read_shipping,read_themes,read_translations&redirect_uri=https://{subdomain}.ngrok.app/shopify/callback&state=580fda7a-2c88-494e-9abf-e94738dc4363&grant_options[]=
This works fine if I am logged in to Shopify, but if I don't have an authenticated Shopify session, I get redirected to the login. After logging in, I get redirected to the following URL, with the error that I have a missing redirect_uri.
https://admin.shopify.com/store/{shop}/oauth/authorize?client_id={clientId}&scope=write_third_party_fulfillment_orders%2Cwrite_assigned_fulfillment_orders%2Cwrite_merchant_managed_fulfillment_orders%2Cread_content%2Cread_online_store_pages%2Cwrite_customers%2Cwrite_delivery_customizations%2Cwrite_discounts%2Cwrite_draft_orders%2Cread_files%2Cwrite_fulfillments%2Cwrite_gift_cards%2Cread_inventory%2Cread_legal_policies%2Cread_locales%2Cread_locations%2Cread_markets%2Cread_marke&country=DE
As you can see, redirect_uri is actually missing.

If I try the same without a scope:
https://{shop}.myshopify.com/admin/oauth/authorize?client_id={clientId}&redirect_uri=https://{subdomain}.ngrok.app/shopify/callback&state=5868e609-12c2-4b62-beed-83867aa70679&grant_options[]=
And after the login I get redirected to:
https://admin.shopify.com/store/{shop}/oauth/authorize?client_id={clientId}&redirect_uri=https://{subdomain}.ngrok.app/shopify/callback&state=5868e609-12c2-4b62-beed-83867aa70679&grant_options[]=&country=DE
As you can see, the redirect_uri is present this time and the OAuth process works accordingly.

Since I don't use the legacy install flow (App configuration), removing the scope should hopefully have no implications.

Can you tell me if I am using something wrongly, or is this a bug?

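An added example (not code from this thread or from shopify-api-php) that reproduces what the first post observed: it assembles the authorize URL from the posted scope list and checks a constructed copy of the post-login redirect for which OAuth parameters survived. Shop name, client id and ngrok host are placeholders; the state value is the one from the first post.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders, not real credentials or a real shop.
SHOP = "example-shop"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://example.ngrok.app/shopify/callback"
STATE = "580fda7a-2c88-494e-9abf-e94738dc4363"  # state from the first post

# The scope list from the first post's failing request (31 scopes).
ALL_SCOPES = (
    "write_third_party_fulfillment_orders,write_assigned_fulfillment_orders,write_merchant_managed_fulfillment_orders,"
    "read_content,read_online_store_pages,write_customers,write_delivery_customizations,write_discounts,"
    "write_draft_orders,read_files,write_fulfillments,write_gift_cards,read_inventory,read_legal_policies,"
    "read_locales,read_locations,read_markets,read_marketing_events,read_metaobject_definitions,read_metaobjects,"
    "read_order_edits,write_orders,read_payment_terms,read_price_rules,read_privacy_settings,read_products,"
    "read_purchase_options,write_returns,read_shipping,read_themes,read_translations"
).split(",")

def build_authorize_url(shop, client_id, scopes, redirect_uri, state):
    """Assemble the authorize URL in the shape shown in the first post."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if scopes:
        params["scope"] = ",".join(scopes)
    return f"https://{shop}.myshopify.com/admin/oauth/authorize?{urlencode(params)}"

def authorize_url_problems(url, requested_scopes, expected_state):
    """List what the thread saw go wrong after the login redirect: redirect_uri or
    state dropped, state changed, or the scope list cut off mid-value."""
    params = parse_qs(urlsplit(url).query)
    problems = [f"missing {k}" for k in ("client_id", "redirect_uri", "state") if k not in params]
    if "state" in params and params["state"][0] != expected_state:
        problems.append("state mismatch")
    carried = params["scope"][0].split(",") if "scope" in params else []
    unknown = [s for s in carried if s not in requested_scopes]   # e.g. a cut-off value
    dropped = [s for s in requested_scopes if s not in carried]
    if unknown:
        problems.append(f"unknown or truncated scope values: {unknown}")
    if dropped:
        problems.append(f"{len(dropped)} requested scopes dropped")
    return problems

# Constructed copy of the post-login redirect from the first post with placeholders
# filled in: the scope list ends at "read_marke", redirect_uri and state are gone.
TRUNCATED_REDIRECT = (
    f"https://admin.shopify.com/store/{SHOP}/oauth/authorize?client_id={CLIENT_ID}"
    "&scope=write_third_party_fulfillment_orders%2Cwrite_assigned_fulfillment_orders"
    "%2Cwrite_merchant_managed_fulfillment_orders%2Cread_content%2Cread_online_store_pages"
    "%2Cwrite_customers%2Cwrite_delivery_customizations%2Cwrite_discounts%2Cwrite_draft_orders"
    "%2Cread_files%2Cwrite_fulfillments%2Cwrite_gift_cards%2Cread_inventory%2Cread_legal_policies"
    "%2Cread_locales%2Cread_locations%2Cread_markets%2Cread_marke&country=DE"
)
```

Running `authorize_url_problems` on the URL you are about to redirect to is a cheap pre-flight check; the same check on a callback that arrives without the expected `state` is the reason to abort the flow rather than continue.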

Hey @Kevin_Giesubel Thanks for the detailed breakdown. Can you try the OAuth flow with just 10 scopes instead of all 25 and see if the issue still happens when logged out? This would help us confirm if there’s a URL length limit at play during the login redirect.

In the meantime, a potential workaround would be to start with a smaller initial scope request (just the essential scopes your app needs to get started), and then request additional scopes later as needed using the scope upgrade flow. Here’s our doc on how to modify scopes after installation:

https://shopify.dev/docs/apps/build/authentication-authorization/app-installation/manage-access-scopes#modify-declared-scopes

Happy to check on our side if there’s any documented URL size limits for OAuth flows, but splitting up the scope requests might be the cleanest solution here. Let me know what you find with the reduced scope test and I’d be happy to look into things on our side further for you.


Hi @Alan_G , thank you for your answer.

I tried the OAuth flow with 10 scopes and that worked, so it seems to be a URL length limit.

Hey @Kevin_Giesubel, thanks for trying that. Yeah, I do believe we have a limit. For now the workaround I'd suggest is splitting up the scope requests (a smaller first scope request with another one after installation to grab the required ones), but I'll do some digging into this on our end to see if I can confirm the limit / see if it's shareable, and set up a feature request to look into improving this at the very least for you. Speak with you as soon as I have more info to share.

Hey again @Kevin_Giesubel, wanted to confirm that this is currently expected behaviour after looking into this internally. Happy to set up a feature request for you so that we can look into either increasing the limit or how to better optimize. Just to confirm, the main issue here would be that you'd now have to split the scope request into two parts (one on installation and another afterwards)?

Hope to hear from you soon.

Hi @Alan_G, for now I removed the scopes. As far as I understood (Implement authorization code grant manually), I should add the scopes to app.toml instead. So you don't need to change the request for me.

But it would be nice if the packages (GitHub - Shopify/shopify-api-php) were updated so they don't send the scope if it can lead to errors like this.

Hey @Kevin_Giesubel - I definitely get where you’re coming from and thanks for sharing your workaround.

I’ll make a note of this and share it with our library maintainers. Let me know if I can help out with anything else!

Hey hi @Alan_G

We are facing the same issue, and for our use case the workaround is not feasible, as we will need all the scopes and also cannot have them maintained in a separate file on Shopify.

Will it be possible for you to add this feature request?

For reference, this is our issue