Include state in auth url #17

peterchaula · 2016-08-15T11:34:40Z

It seems like if you follow Shopify OAuth Documentation and include the state parameter for verification the hmac verification fails on the client server size. My assumption is that Shopify includes state in calculation of the hash

https://{shop}.myshopify.com/admin/oauth/authorize?client_id={api_key}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce}

{nonce} - a randomly selected value provided by your application, which is unique for each authorization request. During the OAuth >callback phase, your application must check that this value matches the one you provided during authorization. This mechanism is >important for the security of your application.

Shopify docs

It seems like if you follow Shopify OAuth Documentation and include the **state** parameter for verification the **hmac** verification fails on the client server size. My assumption is that Shopify includes **state** in calculation of the hash >https://{shop}.myshopify.com/admin/oauth/authorize?client_id={api_key}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce} >{nonce} - a randomly selected value provided by your application, which is unique for each authorization request. During the OAuth >callback phase, your application must check that this value matches the one you provided during authorization. This mechanism is >important for the security of your application. [Shopify docs](https://help.shopify.com/api/guides/authentication/oauth#scopes)

peterchaula added 2 commits August 15, 2016 13:33

Update shopify.php

5e2cfbd

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Include state in auth url #17

Include state in auth url #17

peterchaula commented Aug 15, 2016

Include state in auth url #17

Are you sure you want to change the base?

Include state in auth url #17

Conversation

peterchaula commented Aug 15, 2016