Shopify has announced that, starting from May 7, 2017, its apps will only support the OAuth2 authentication type. All legacy authentication types will no longer be supported, which means that every third-party application must be updated to OAuth2 to keep working.
The thought behind the change
Token-based flow makes it both easier and more secure for Shopify users to use third-party apps. In a little more detail, the following magic happens:
- applications can use the Shopify API on behalf of store owners without their admin or private app credentials included in every API call;
- they avoid the unwanted responsibility of storing sensitive information.
Migrating legacy to OAuth
Shopify says the transition process is simple and painless, since app users should not notice any change; at most, a few seconds of downtime might occur. For developers' convenience, Shopify provides examples in Ruby and PHP.
How Shopify OAuth works
The Shopify OAuth flow includes 5 steps, all but the third of which, as Gavin Ballard states in Shopify OAuth Flow for Dummies, are to be managed by the app developer. In simple terms, it happens the following way:
- First, you get credentials that the client will use to identify itself. These are an API Key and Shared Secret.
- Then you build a permission URL that includes several parameters, such as api_key, scopes, redirect_uri, nonce, and option.
- The store owner installs the app in their Shopify admin panel.
- Shopify redirects the app user to the redirect_uri. At this step, the app must verify that the request came from Shopify and then exchange the authorization code for a permanent access token, specific to the app, by sending a request to the store.
- The client can now send calls to the API, each request containing the access token.
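As an added illustration of steps 2 and 4 (example code written for this page, not taken from the post or from Shopify's own Ruby sample), the sketch below builds the permission URL, verifies the callback's hmac, state and shop parameters before any code is exchanged, and builds the token-exchange request. The API key and shared secret are constructed placeholders, and the hmac check follows Shopify's documented scheme (HMAC-SHA256, keyed with the shared secret, over the sorted non-hmac query parameters).

```ruby
require 'openssl'
require 'uri'

# Constructed placeholder credentials, not real Shopify keys.
API_KEY       = 'example_api_key'
SHARED_SECRET = 'example_shared_secret'

# Step 2: the permission URL the store owner is sent to. The nonce must be
# stored server-side so it can be compared with `state` on the callback.
def permission_url(shop, scopes, redirect_uri, nonce)
  query = URI.encode_www_form(client_id: API_KEY, scope: scopes.join(','),
                              redirect_uri: redirect_uri, state: nonce)
  "https://#{shop}/admin/oauth/authorize?#{query}"
end

# The signed message: every query parameter except hmac, sorted by key,
# joined as key=value&key=value.
def signing_message(params)
  params.reject { |k, _| k == 'hmac' }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
end

# Constant-time comparison so a wrong hmac is not leaked through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 4: the hmac parameter is the hex HMAC-SHA256 of the signing message,
# keyed with the shared secret.
def hmac_valid?(params, secret = SHARED_SECRET)
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, signing_message(params))
  secure_equal?(params.fetch('hmac', ''), expected)
end

# Step 4: all three checks must pass before the code is exchanged: a genuine
# signature, the nonce this app issued, and a real *.myshopify.com host.
def callback_valid?(params, expected_nonce)
  hmac_valid?(params) &&
    secure_equal?(params.fetch('state', ''), expected_nonce) &&
    params['shop'].to_s.match?(/\A[a-z0-9][a-z0-9\-]*\.myshopify\.com\z/i)
end

# Step 4: the token-exchange request sent to the store (built, not sent, so
# the example runs offline); the JSON response carries the access_token.
def access_token_request(params)
  { uri: URI("https://#{params['shop']}/admin/oauth/access_token"),
    body: { client_id: API_KEY, client_secret: SHARED_SECRET,
            code: params['code'] } }
end
```

Only after `callback_valid?` returns true should the app POST the body of `access_token_request` to its `uri` and store the returned token.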
For more details on Shopify OAuth, visit Shopify documentation.