OAuth forgets redirect_uri if user is logged out

Hi, I have a problem with the OAuth flow. If I start the OAuth flow for installing an app while I am logged out of Shopify and send a scope, I get the error: Oauth error invalid_request: The redirect_uri is missing

In more detail:
I implemented the OAuth flow using a PHP package (GitHub - Shopify/shopify-api-php). If I try to start the OAuth flow with this package, I get a URL like the following:
https://{shop}.myshopify.com/admin/oauth/authorize?client_id={clientId}&scope=write_third_party_fulfillment_orders,write_assigned_fulfillment_orders,write_merchant_managed_fulfillment_orders,read_content,read_online_store_pages,write_customers,write_delivery_customizations,write_discounts,write_draft_orders,read_files,write_fulfillments,write_gift_cards,read_inventory,read_legal_policies,read_locales,read_locations,read_markets,read_marketing_events,read_metaobject_definitions,read_metaobjects,read_order_edits,write_orders,read_payment_terms,read_price_rules,read_privacy_settings,read_products,read_purchase_options,write_returns,read_shipping,read_themes,read_translations&redirect_uri=https://{subdomain}.ngrok.app/shopify/callback&state=580fda7a-2c88-494e-9abf-e94738dc4363&grant_options[]=
This works fine if I am logged in to Shopify, but if I don’t have an authenticated Shopify session, I get redirected to the login. After logging in, I get redirected to the following URL, with the error that I have a missing redirect_uri.
https://admin.shopify.com/store/{shop}/oauth/authorize?client_id={clientId}&scope=write_third_party_fulfillment_orders%2Cwrite_assigned_fulfillment_orders%2Cwrite_merchant_managed_fulfillment_orders%2Cread_content%2Cread_online_store_pages%2Cwrite_customers%2Cwrite_delivery_customizations%2Cwrite_discounts%2Cwrite_draft_orders%2Cread_files%2Cwrite_fulfillments%2Cwrite_gift_cards%2Cread_inventory%2Cread_legal_policies%2Cread_locales%2Cread_locations%2Cread_markets%2Cread_marke&country=DE
As you can see, redirect_uri is actually missing.

If I try the same without a scope:
https://{shop}.myshopify.com/admin/oauth/authorize?client_id={clientId}&redirect_uri=https://{subdomain}.ngrok.app/shopify/callback&state=5868e609-12c2-4b62-beed-83867aa70679&grant_options[]=
And after the login I get redirected to:
https://admin.shopify.com/store/{shop}/oauth/authorize?client_id={clientId}&redirect_uri=https://{subdomain}.ngrok.app/shopify/callback&state=5868e609-12c2-4b62-beed-83867aa70679&grant_options[]=&country=DE
As you can see, the redirect_uri is present this time and the OAuth process works accordingly.

Since I don’t use the legacy install flow (App configuration), removing the scope should hopefully have no implications.

Can you tell me if I am using something wrongly, or is this a bug?


Hey @Kevin_Giesubel Thanks for the detailed breakdown. Can you try the OAuth flow with just 10 scopes instead of all 25 and see if the issue still happens when logged out? This would help us confirm if there’s a URL length limit at play during the login redirect.

In the meantime, a potential workaround would be to start with a smaller initial scope request (just the essential scopes your app needs to get started), and then request additional scopes later as needed using the scope upgrade flow. Here’s our doc on how to modify scopes after installation:

https://shopify.dev/docs/apps/build/authentication-authorization/app-installation/manage-access-scopes#modify-declared-scopes

Happy to check on our side if there’s any documented URL size limits for OAuth flows, but splitting up the scope requests might be the cleanest solution here. Let me know what you find with the reduced scope test and I’d be happy to look into things on our side further for you.


Hi @Alan_G , thank you for your answer.

I tried the OAuth flow with 10 scopes and that worked, so it seems to be a URL length limit.

Hey @Kevin_Giesubel - thanks for trying that, yeah, I do believe we have a limit, for now the workaround I’d suggest is splitting up the scope requests (smaller first scope with another one after installation to grab the required ones), but I’ll do some digging into this on our end to see if I can confirm the limit/ see if it’s shareable and set up a feature request to look into improving this at the very least for you. Speak with you as soon as I have more info to share.

Hey again @Kevin_Giesubel, wanted to confirm that this is currently expected behaviour after looking into this internally. Happy to set up a feature request for you so that we can look into either increasing the limit or look into how to better optimize. Just to confirm, the main issue here would be that you’d now have to split the scope request into two parts (one on installation and another afterwards)?

Hope to hear from you soon.

Hi @Alan_G, for now I removed the scopes. As far as I understood (Implement authorization code grant manually), I should add the scopes to app.toml instead. So you don’t need to change the request for me.

But it would be nice if the packages (GitHub - Shopify/shopify-api-php) were updated so they don’t send the scope if it can lead to errors like this.

Hey @Kevin_Giesubel - I definitely get where you’re coming from and thanks for sharing your workaround.

I’ll make a note of this and share it with our library maintainers. Let me know if I can help out with anything else!

Hey hi @Alan_G

We are facing the same issue and for our use case the workaround used is not feasible as we will need all the scopes and also cannot have them maintained in a separate file on Shopify.

Will it be possible for you to add this feature request?

For reference this is our issue

Hey @uday_menon

Thanks for reaching out. I definitely understand where you’re coming from on this. That workaround of using app.toml doesn’t work for everyone, especially if you need all scopes and can’t maintain them in a separate configuration file.

I’ve added your input to our existing feature request for this issue. I can’t guarantee anything in terms of if/when this will be implemented, but did just want to confirm I’ve passed along your feedback.

Thanks for that @Alan_G
Is there any way for me to track this issue/ request?

Hey @Uday_Menon, we don’t currently have a method for tracking feature requests that have been logged internally, but you’re more than welcome to follow up in this thread intermittently if you’d like.

Hope this helps, let me know if I can assist with anything further.

Hi @Alan_G - Would you be able to confirm the length limit, and whether this is still an issue with redirect_uri?

Hey @Samuel_Farquhar

I don’t have an exact character limit to share (this can change) but there are a few workarounds since I can confirm this is still expected behaviour:

  1. Define your scopes in your shopify.app.toml file rather than passing them in the OAuth URL:

    [access_scopes]
    scopes = "read_products,write_orders,..."
    

    This way, Shopify manages the scopes configuration and they don’t need to be passed in the URL at all.

  2. For apps that must use legacy OAuth: Start with a smaller initial scope request (essential scopes only), then use the scope upgrade flow to request additional scopes after installation.

The best way of installing an app is currently by defining the scopes in your Dev Dashboard or in your app’s config files (the .toml files) per the first recommendation there and then running the Client-Credentials Grant through: Using the client credentials grant

Let me know if you have any other questions!
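As an added illustration (not code from the thread or from the shopify-api-php library), the Python below builds the authorize URL in the shape shown in this thread, flags a post-login redirect that has lost its redirect_uri or state, and greedily splits the scope list so the initial request stays under a length budget, leaving the remainder for the scope upgrade flow. The budget, shop name, client id and callback are assumed values; the thread gives no exact limit.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Scope list copied from the authorize URL in the original post.
SCOPES = ("write_third_party_fulfillment_orders,write_assigned_fulfillment_orders,"
          "write_merchant_managed_fulfillment_orders,read_content,read_online_store_pages,"
          "write_customers,write_delivery_customizations,write_discounts,write_draft_orders,"
          "read_files,write_fulfillments,write_gift_cards,read_inventory,read_legal_policies,"
          "read_locales,read_locations,read_markets,read_marketing_events,"
          "read_metaobject_definitions,read_metaobjects,read_order_edits,write_orders,"
          "read_payment_terms,read_price_rules,read_privacy_settings,read_products,"
          "read_purchase_options,write_returns,read_shipping,read_themes,read_translations").split(",")


def build_authorize_url(shop, client_id, redirect_uri, state, scopes=()):
    """Authorize URL in the shape the thread shows; the scope parameter is omitted when empty."""
    params = {"client_id": client_id}
    if scopes:
        params["scope"] = ",".join(scopes)
    params["redirect_uri"] = redirect_uri
    params["state"] = state
    return f"https://{shop}.myshopify.com/admin/oauth/authorize?" + urlencode(params)


def check_authorize_url(url, max_len):
    """Problems to flag before sending the merchant off: the parameters the thread saw dropped,
    plus an assumed length budget (max_len) standing in for the undocumented limit."""
    q = parse_qs(urlparse(url).query)
    problems = []
    if "redirect_uri" not in q:
        problems.append("redirect_uri missing")
    if "state" not in q:
        problems.append("state missing")
    if len(url) > max_len:
        problems.append(f"url length {len(url)} exceeds budget {max_len}")
    return problems


def split_scopes(shop, client_id, redirect_uri, state, scopes, max_len):
    """Largest prefix of scopes whose full authorize URL fits the budget; the rest is deferred
    to a later scope-upgrade request (the workaround suggested in the thread)."""
    initial = []
    for s in scopes:
        if len(build_authorize_url(shop, client_id, redirect_uri, state, initial + [s])) > max_len:
            break
        initial.append(s)
    return initial, scopes[len(initial):]
```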