OAuth Integration Issue – Loss of window.opener Reference After Shopify Redirect

Hello Everyone,

We’ve been using OAuth with Shopify for over three years to allow our clients to securely grant our app access to their order data.
Everything has worked smoothly until recently — in the past 2–3 weeks, we’ve encountered a problem that has broken our OAuth integration.

Summary of the Issue:

Without making any code changes on our side, our OAuth authorization flow stopped working. After the user grants permissions and Shopify redirects back to our redirect_uri, we no longer have access to the window.opener object in the popup window that initiated the OAuth process.

This means our app can’t confirm whether the OAuth flow completed successfully, nor can we retrieve the authorization code from the redirect URL parameters.

What we think:

We suspect that Shopify has recently introduced or modified response headers related to Cross-Origin policies, specifically the Cross-Origin-Opener-Policy (COOP) and/or Cross-Origin-Embedder-Policy (COEP) headers.

If Shopify now includes a header like:

Cross-Origin-Opener-Policy: same-origin

…when redirecting back to our domain, the browser will isolate the browsing context, causing window.opener to be set to null for security reasons. This behavior effectively blocks our popup from communicating with the parent window.

How to reproduce the error

  1. We open a popup window using this URL:
     https://${shopUrl}/admin/oauth/authorize?client_id=${client_id}&scope=read_products read_inventory read_shipping read_orders read_customers read_all_orders&redirect_uri=${redirect_uri}&grant_options[]={access_mode}
  2. The user logs in and grants the requested permissions.
  3. Shopify redirects the user to our redirect_uri along with the code parameter.
  4. Previously, our script inside the popup could access window.opener to notify the parent window that the OAuth flow succeeded and pass the code back for exchange.
  5. Now, window.opener is null, so our app can't complete this final step.

So our question is:

  • Has there been a recent change (in the past month) to how Shopify handles Cross-Origin headers (Cross-Origin-Opener-Policy or similar) during the OAuth redirect?
  • If so, is there a recommended new approach for securely passing the authorization code back to the parent window without violating CORS or COOP restrictions?
  • Should we now rely on an alternative approach?

This issue currently prevents our clients from successfully connecting their Shopify stores to our system, blocking all new authorizations and reconnections.

Any guidance or confirmation regarding recent changes and how to adapt our integration would be greatly appreciated.