Optional Scopes are breaking for Merchants after adding a New scope

Hi folks, we updated the scopes of our app recently, and for all merchants that have optional scopes, post accepting the updated permissions it seems to be breaking the app; seems like what happens when scopes mismatch!

Need urgent help here

So if optional scopes are updated after the regular scopes update, it works; it is affecting merchants who accepted optional toml scopes before the update went out!

Hi @Sakshi_Gupta,

I can confirm that optional access scopes are approved by the merchant separately from the required access scopes, and the request for approval must be made by the app directly.

For example:

  • When installing the app, the merchant automatically is requested to approve the required scopes as a part of the installation process. After the app is installed and required scopes are approved, the app needs to then request the merchant to approve the Optional Access scopes separately.
  • When updating the scopes on the app:
    • After you deploy the app config with the new scopes, the merchant needs to approve any required scopes before they can access the app at all. This is done automatically, with the merchant being redirected to the approval screen the next time they try to open the app in the admin. After this is done and the merchant can access the app again, the app should initiate the process for approving the optional scopes dynamically.

Here’s a Shopify.dev documentation with more information on this process:

If what I described above is different from what you’re experiencing, we can help look into it further to confirm if it’s expected behaviour or not, but we will need more details on what you’re doing and what errors and behaviour you’re seeing exactly.

  • What is the full step-by-step process of how you were updating the scopes, including any changes made to the toml files, Shopify CLI commands run, API calls made, steps taken by the merchant, etc.
  • The name of the app and store where the error occurred
  • Screenshots of the error if surfaced in the admin
  • Details from HTTP Requests or Shopify CLI commands that returned any errors. If HTTP Request, provide the full HTTP details:
    • The full plain text HTTP Request, including URL, Body, and Headers (no access tokens)
    • The full plain text HTTP Response, including Body and Headers

@Kellan-Shopify
Yes, we are aware of the above. Our app, Wishlist Plus, has been using optional scopes for a while now and faced no issues until we updated our scopes very recently.
When we need a merchant to enable a particular feature that requires optional scopes, the merchant is sent the OAuth URL below:
https://admin.shopify.com/store/xxxxxxxxx/oauth/install?client_id=xxxxxxxxx&optional_scopes=read_publications,read_product_listings

Post which the new scopes reflect on them.

Recently we added a new scope to our regular list of scopes in the toml, post which all our merchants were prompted to update scopes. The merchants without any optional scopes worked well; those who have existing optional scopes are now unable to access our admin because the session call from Shopify is failing.

When we removed the optional scopes on one of them they were restored back to steady state.
Thus we think there is some issue in the optional scopes where once an update is sent to regular scopes it breaks them or the scopes validation logic!

Hope this clarifies. Would appreciate any assistance; I can share details about more such merchants that are affected via email.

App Name - Wishlist Plus
TOML -

[access_scopes]
scopes = "read_content,read_customer_events,read_customers,read_discounts,read_inventory,read_locales,read_locations,read_markets,read_orders,read_privacy_settings,read_products,read_script_tags,read_shipping,read_themes,read_users,unauthenticated_read_product_inventory,unauthenticated_read_product_listings,unauthenticated_read_product_pickup_locations,write_content,write_customers,write_draft_orders,write_pixels,write_products,write_script_tags,write_themes"
optional_scopes = [
"read_publications",
"read_product_listings",
"write_discounts",
"write_metaobject_definitions",
"write_metaobjects",
"write_orders",
"unauthenticated_read_metaobjects"
]

What we also tried: set up a fresh merchant, installed our app without optional scopes, then updated with optional scopes; then also the merchant works perfectly. This is only happening to merchants where optional scopes have been approved in the past and now they have accepted and updated the regular scopes as well post our update!

Hi @Sakshi_Gupta,

Typically this cookie error you’re seeing occurs when there’s a mismatch with the access scopes requested from the app’s toml files and the access scopes specified in the host server’s environment variables.

Can you double check the production environment variables and see if they match what’s in the toml file to confirm if this is the cause here as well?

If the error is still occurring, please do replicate it again, and review the events in the browser's Developer Tools Network tab to see if there are any specific requests that are failing, and whether they have an x-request-id in the failed request headers. Then please do reach out to our Shopify support team via the Shopify Help Center, and we can help look into this behaviour further.