There are a couple of cases others and I have run into where the access token or scopes are not updated when using token exchange:
When the user uninstalls and reinstalls the app (and you do not hard delete the shop for data retention reasons)
When managed app install scopes are updated
In my testing, when these cases occur we get an id_token back in the URL params, and this is a good indication that something has changed. Based on #1886 it seems like others have found this works for them as well. Triggering retrieve_session_from_token_exchange in this case causes all session storage and (I believe, but didn't test) after-authenticate triggers to run.
I haven't looked too much into the authentication header, but it's possible that checking whether shopify_id_token is present would be a better approach, to account for that header carrying the id_token. I'm not sure what situations that header is present in, though; my assumption is that in most of those cases we don't necessarily need to update the scopes/access_token, and in the cases where we do want to update them it will be included in the URL params.
Things to focus on
Make sure my assumptions about when this should trigger are correct.
Check if it would make sense to trigger this when the authentication header is present as well.
Checklist
Before submitting the PR, please consider if any of the following are needed:
Update CHANGELOG.md if the changes would impact users
I don't think it's a good permanent solution. id_token is always included in params when the app is opened in Shopify Admin, regardless of installation/scope changes. With these changes, we'll end up making a token exchange every time the app is opened. It will slow down app loading by 200-300ms, which will impact perf metrics and our ability to maintain Built for Shopify status.
As mentioned in #1886, I still believe we need some proper indication from App Bridge that the app needs to update the token after installation/scope changes. The easiest solution would be a new parameter (e.g. reload_token=1). This way, we could make the token exchange only when it's really needed.
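To make the trade-off in the PR description and the review comment above concrete, here is an added example (not code from the shopify_app gem or from this PR) that models the two policies as pure functions over the request params and the stored session: the PR's "exchange whenever an id_token is in the URL params" heuristic, and the reviewer's "exchange only on an explicit signal" proposal, modelled with a hypothetical reload_token=1 parameter. It also adds a local scope-drift check that needs no new App Bridge signal. The Session struct, all method names and the sample requests are constructed for the example; the real gem's session storage and controller hooks are not modelled.

```ruby
# Added example; not code from the shopify_app gem or from this PR.
# Models the token-exchange trigger policies discussed in the thread.
# Session, all helper names and the reload_token parameter are hypothetical.
module TokenExchangeTrigger
  Session = Struct.new(:shop, :access_token, :scopes, keyword_init: true)

  # Normalise a comma-separated scope string (or array) into a sorted,
  # de-duplicated array so ordering and whitespace differences do not
  # count as a scope change.
  def self.normalize_scopes(scopes)
    Array(scopes).flat_map { |s| s.to_s.split(",") }
                 .map(&:strip).reject(&:empty?).uniq.sort
  end

  # Policy in the PR: any id_token in the URL params is treated as a hint
  # that installation or scopes may have changed, so exchange on every open.
  def self.exchange_on_id_token?(params:, **)
    params.key?("id_token") && !params["id_token"].to_s.empty?
  end

  # Policy suggested in review: exchange only when Admin signals it
  # explicitly, modelled here as a hypothetical reload_token=1 parameter.
  def self.exchange_on_reload_flag?(params:, **)
    params["reload_token"] == "1"
  end

  # Local check that needs no new App Bridge signal: exchange when no
  # usable session is stored, or when the stored scopes differ from the
  # scopes the app is configured to request. Caveat: a token that became
  # stale with unchanged scopes (the uninstall/reinstall case) is invisible
  # to this check, so it complements an explicit signal rather than
  # replacing one.
  def self.exchange_on_scope_drift?(session:, configured_scopes:, **)
    return true if session.nil? || session.access_token.to_s.empty?
    normalize_scopes(session.scopes) != normalize_scopes(configured_scopes)
  end

  # Explicit signal first, then the local drift check. Returns the reason
  # as a symbol, or nil when no exchange is needed on this open.
  def self.exchange_reason(params:, session:, configured_scopes:)
    return :reload_flag if exchange_on_reload_flag?(params: params)
    return :scope_drift if exchange_on_scope_drift?(session: session, configured_scopes: configured_scopes)
    nil
  end
end

# Constructed sample data covering the cases raised in the thread.
CONFIGURED_SCOPES = "read_products,write_products".freeze
CURRENT_SESSION = TokenExchangeTrigger::Session.new(
  shop: "example.myshopify.com", access_token: "shpua_constructed", scopes: "write_products,read_products"
)
STALE_SCOPES_SESSION = TokenExchangeTrigger::Session.new(
  shop: "example.myshopify.com", access_token: "shpua_constructed", scopes: "read_products"
)

def demo
  plain_open = { "id_token" => "eyJ.constructed.jwt", "shop" => "example.myshopify.com" }
  reload_open = plain_open.merge("reload_token" => "1")
  {
    # PR heuristic fires on every Admin open, since every open carries an id_token.
    pr_policy_plain_open: TokenExchangeTrigger.exchange_on_id_token?(params: plain_open),
    # Reviewer's policy stays quiet on a plain open with a current session.
    review_policy_plain_open: TokenExchangeTrigger.exchange_reason(
      params: plain_open, session: CURRENT_SESSION, configured_scopes: CONFIGURED_SCOPES
    ),
    review_policy_reload: TokenExchangeTrigger.exchange_reason(
      params: reload_open, session: CURRENT_SESSION, configured_scopes: CONFIGURED_SCOPES
    ),
    # Managed-install scope change: stored scopes lag the configured scopes.
    scope_change: TokenExchangeTrigger.exchange_reason(
      params: plain_open, session: STALE_SCOPES_SESSION, configured_scopes: CONFIGURED_SCOPES
    ),
    # No stored session for the shop at all.
    no_session: TokenExchangeTrigger.exchange_reason(
      params: plain_open, session: nil, configured_scopes: CONFIGURED_SCOPES
    )
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the per-case decisions; the point to take away is that the id_token heuristic returns true for every open, whereas the reload-flag and scope-drift checks only fire for the opens where something has actually changed, and neither local check can detect a reinstall that left the scope list unchanged.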
What this PR does
Fixes #1886