Shopify / shopify_app

A Rails Engine for building Shopify Apps
MIT License

Add new auth strategy docs & set token exchange as default configuration from rails generator #1834

Closed zzooeeyy closed 5 months ago

zzooeeyy commented 5 months ago

What this PR does

Before and after with the configuration on/off

New app install

Auth code flow (old): There are multiple redirects back and forth from app to Shopify to retrieve both the offline and online access tokens. Took about 15s from "install" to home page being displayed.
New embedded app auth (new): There are no redirects happening at all from the app after the install. Home page displayed in about 5s.

Adding new access scope

Auth code flow (old): When a new scope has been deployed, the old authorization code flow can't pick it up until the server has been restarted. Then the user has to go through many redirects to get the new access tokens with the new access scopes.
New embedded app auth (new): When a new scope has been deployed, the new scope grant will be automatically prompted. Once the user grants approval to the new scopes, the operation will continue.

Expired online access token

Auth code flow (old): When the online access token has expired, the app redirected multiple times to retrieve the new access tokens, and the XHR operation from the front end didn't get completed.
New embedded app auth (new): When the online access token has expired, the new auth strategy automatically fetches the new access token before handling the actual API request with no redirects.

Invalidated online access token

Auth code flow (old): When the online access token has been invalidated, the app could not handle XHR requests until the app has been reloaded and redirected multiple times for OAuth to retrieve new access tokens.
New embedded app auth (new): When the online access token has been invalidated, the server handles the 401 HTTP unauthorized error and fetches a new access token through token exchange before retrying the controller action again. The result is seamless server-side handling of this error with zero redirects.

Checklist

Before submitting the PR, please consider if any of the following are needed:
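The server-side 401 handling described in the "Invalidated online access token" comparison, as an added illustration (example code, not shopify_app's own; `SessionStore`, `token_exchange` and `fake_shopify_api` are hypothetical stand-ins for the app's session store, Shopify's token exchange call and the Shopify API):

```ruby
# Added example, not from the shopify_app repository. Models the new
# embedded auth behaviour: on a 401 from the API, exchange the embedded
# app's session token for a fresh access token and retry the action once,
# with no browser redirects.

class UnauthorizedError < StandardError; end

# Hypothetical stand-in for the app's per-shop session store.
class SessionStore
  attr_reader :access_token

  def initialize(token)
    @access_token = token
  end

  def update(token)
    @access_token = token
  end
end

# Hypothetical token exchange: trades the session token (ID token) for a
# new access token. A real app calls Shopify's token exchange endpoint here.
def token_exchange(session_token)
  "access-#{session_token}-fresh"
end

# Runs the controller action with the stored token. On a 401, performs
# token exchange and retries exactly once; a second 401 is re-raised so a
# revoked installation cannot cause an endless exchange/retry loop.
def with_token_exchange_retry(store, session_token, &action)
  attempts = 0
  begin
    attempts += 1
    action.call(store.access_token)
  rescue UnauthorizedError
    raise if attempts > 1
    store.update(token_exchange(session_token))
    retry
  end
end

# Constructed API stub: rejects a stale token, accepts a freshly exchanged one.
def fake_shopify_api(token)
  raise UnauthorizedError, "401 Unauthorized" unless token.end_with?("fresh")
  { status: 200, token_used: token }
end

# Demo: the stored token has been invalidated; the action still completes.
def demo
  store = SessionStore.new("access-stale")
  result = with_token_exchange_retry(store, "idtok") { |t| fake_shopify_api(t) }
  [result, store.access_token]
end
```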