Oauth error failed_grant_with_invalid_scopes #1839

Closed
4 tasks
ilrein opened this issue May 2, 2024 · 19 comments

ilrein commented May 2, 2024

Issue summary

Before opening this issue, I have:

  • [x] Upgraded to the latest version of the package
    • shopify_app version:
    • Ruby version:
    • Operating system:
  • Set log_level: :debug in my configuration, if applicable
  • Found a reliable way to reproduce the problem that indicates it's a problem with the package
  • Looked for similar issues in this repository
  • Checked that this isn't an issue with a Shopify API

I have created a fresh install. I am able to render the page successfully. When I try to install the shop, I get this:

[Image: Screen Shot 2024-05-02 at 4 31 55 PM]

Expected behavior

I left the defaults of:


ShopifyApp.configure do |config|
  config.application_name = "My Shopify App"
  config.old_secret = ""
  config.scope = "read_products" # Consult this page for more scope options:
                                  # https://help.shopify.com/en/api/getting-started/authentication/oauth/scopes
  # ...
end

Actual behavior

But it seems to have an issue with the scope.

Steps to reproduce the problem

I ran all the steps to start a new project found in the README.

Debug logs

I do see this on the failed request:

Started POST "/login" for 198.98.126.168 at 2024-05-02 16:40:13 -0400
Cannot render console from 198.98.126.168! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by ShopifyApp::SessionsController#create as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "shop"=>"easy-tiles-easy-life.myshopify.com"}
Redirected to https://admin.shopify.com/store/easy-tiles-easy-life/oauth/install?client_id=82b530a33880214df01aeb372ca5a890
Completed 302 Found in 2ms (ActiveRecord: 0.0ms | Allocations: 610)
@zzooeeyy
Contributor

zzooeeyy commented May 3, 2024

Hi @ilrein,

It's difficult for me to see what is happening without more information - Could you try the following:

  • Capture a HAR file for the OAuth process to analyze network activity during that time.
  • Capture debug logs in the app by configuring:
# config/initializers/shopify_app.rb
ShopifyAPI::Context.setup(
  # .......
  log_level: :debug,
)

Also, I'm not sure if the generators are that up to date anymore. If you're creating a new app, you could try creating one straight from our template. That should work right out of the box, and using Shopify CLI will make development/deployment of your app much easier.

@zzooeeyy zzooeeyy added the Waiting for Response Need more information before we can provide more assistance label May 3, 2024

We are closing this issue because we did not hear back regarding additional details we needed to resolve this issue. If the issue persists and you are able to provide the missing clarification we need, feel free to respond and reopen this issue.

We appreciate your understanding as we try to manage our number of open issues.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 11, 2024
@hidavidday

Same issue is happening for me. Fresh install and all URLs are configured properly.

@github-actions github-actions bot removed the Waiting for Response Need more information before we can provide more assistance label May 24, 2024
@mur-wtag

mur-wtag commented Jun 12, 2024

@zzooeeyy I have also encountered the same issue. I triggered debug mode, and here is the log:

19:37:07  web-backend       Started POST "/login" for 103.197.153.39 at 2024-06-12 19:37:07 +0600
19:37:07  web-backend       Cannot render console from 103.197.153.39! Allowed networks: 127.0.0.0/127.255.255.255, ::1
19:37:07  web-backend       Processing by ShopifyApp::SessionsController#create as HTML
19:37:07  web-backend         Parameters: {"authenticity_token"=>"[FILTERED]", "shop"=>"sofenx-dev.myshopify.com"}
19:37:07  web-backend       [ ShopifyApp | DEBUG | Shop Not Found ] Starting OAuth - Redirecting to Shopify managed install
19:37:07  web-backend       Redirected to https://admin.shopify.com/store/sofenx-dev/oauth/install?client_id=cfb75542ffbcafdac9ac271d68c583c5
19:37:07  web-backend       Completed 302 Found in 2ms (ActiveRecord: 0.0ms | Allocations: 717)

Any idea?

@andrewchen5678

+1 same issue today with fresh install and partner store, please reopen

@mur-wtag

Sorry, I forgot to mention here that I've resolved the issue. I did some debugging and found that in my .toml file there is

use_legacy_install_flow = true

I have found that if we are using new_embedded_auth_strategy, we have to remove ☝️ this line from the .toml file.

After removing this line from .toml file it's working perfectly!

@andrewchen5678

How did you initialize your app: on the partner site manually, through the command line, or through Shopify Plus? I followed the README's instruction and it seems to suggest to initialize an app manually on partner site first.

@krishnadiamesso

krishnadiamesso commented Jun 28, 2024

I am having the same issue

Started POST "/login" for ::1 at 2024-06-27 20:49:35 -0400
Processing by ShopifyApp::SessionsController#create as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "shop"=>"store-test-3-2024.myshopify.com"}
[ ShopifyApp | DEBUG | Shop Not Found ] Starting OAuth - Redirecting to Shopify managed install
Redirected to https://admin.shopify.com/store/store-test-3-2024/oauth/install?client_id=c0bd1ba2890abfce4cb77e13e8a1a0dc
Completed 302 Found in 3ms (ActiveRecord: 0.0ms | Allocations: 760)

@zzooeeyy could this be reopened?

@krishnadiamesso

> How did you initialize your app: on the partner site manually, through the command line, or through Shopify Plus? I followed the README's instruction and it seems to suggest to initialize an app manually on partner site first.

@andrewchen5678 were you able to fix your issue? I can see a .toml file when starting the Rails app from scratch.
@mur-wtag probably used the CLI.

@andrewchen5678

I suspect it has to do with the approach to initialize the app manually on the partner portal instead of through the CLI, but I can't confirm further because I changed strategy.

I tried many different approaches for getting an access token for a private app and ended up initializing an app through the CLI with a .toml file, installing the app on my shop manually through the partner portal, and creating a custom OAuth endpoint to get the access token; for my use case I only needed one offline access token for backend API calls for the shop. There is too much tight coupling to the Shopify::Context in the multi-store workflow, coupled with too many ways to create custom apps, which makes it difficult to use the standard OAuth flow with private apps only meant for one store.

@krishnadiamesso

@andrewchen5678 Yeahhh, creating the app from the CLI works for me as well, but there are a lot of things there I don't need or don't want to use, so I wanted to go with a Rails app from scratch.
Will dig a bit more. Worst comes to worst I will go the CLI route.

@mzrnsh

mzrnsh commented Jul 18, 2024

I followed the steps in the gem's README and got this error as well.

I used the manual option on partners site.

No shopify.app.toml file was created after I ran the generator. If this file is required, I hope the README gets a section explaining this.

@mur-wtag

mur-wtag commented Jul 18, 2024

@mzrnsh I am using two separate repos: one for the app block (front end for the online store) and the other for the Rails app (back end). In the app block part there is the shopify.app.toml with the configuration. If anything needs to be changed in the app block part, I just run yarn shopify app deploy to publish the changes.

@codev009

Facing the same problem with the shopify app gem.

@zzooeeyy
Contributor

Hey all! The reason why the CLI works and the generator doesn't work is because the shopify_app gem enabled a new installation + authorization method.

Previously, your app (behind the scenes and handled in the gem) would need to redirect the user to Shopify admin/oauth/authorize to initiate the installation process, and Shopify redirects the user back to your app's callback path once the merchant grants permission to install your app. The gem then goes and retrieves an access token which your app can use to make API calls to that shop's resources. This process happens every time an access token expires, is invalidated, or you need to acquire extra scopes.

With the new Shopify managed installation and token exchange authorization flow, you declare the access scopes that your app requires in the toml file and deploy that to Shopify. So when a merchant tries to install your app, Shopify knows which access scopes to request, and Shopify will handle the installation instead of redirecting to your app to make another redirect to install. Once your app is installed and Shopify admin loads your app, the shopify_app gem's token exchange logic will exchange that user's active ID token for an access token. This is the best way to handle installation and token acquisition since it involves way fewer redirects. You can see the videos here comparing the performance improvement.

Long story short,

The generator doesn't configure shopify managed install for your app, but creating the app through the CLI does, that's why it has different behaviours.

There are a few options:

  1. Configure your .toml to enable Shopify managed install through the CLI

OR

  2. Disable the new auth flow (not recommended) by changing:
# config/initializers/shopify_app.rb
ShopifyApp.configure do |config|
  # .....
  config.new_embedded_auth_strategy = false
  # ...
end
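
The mismatch discussed in this thread (new_embedded_auth_strategy on, but no shopify.app.toml, or one still carrying use_legacy_install_flow = true) can be checked before attempting an install. This is an added example, not part of any comment here and not shopify_app code; `read_toml`, `install_flow_findings`, the sample file, and the `[access_scopes]` / `scopes` layout are assumptions.

```ruby
# Constructed sample shopify.app.toml (not from the thread). The [access_scopes]
# table and `scopes` key are assumed here; the flag is quoted in the thread.
SAMPLE_TOML = <<~TOML
  name = "my-shopify-app"
  [access_scopes]
  scopes = "read_products"
  use_legacy_install_flow = true
TOML

# Reads flat `key = value` lines under [table] headers into "table.key" => value.
# Enough for the sample above; not a general TOML parser.
def read_toml(text)
  table = nil
  text.each_line.with_object({}) do |raw, out|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    if (m = line.match(/\A\[([\w.]+)\]\z/))
      table = m[1]
    elsif (m = line.match(/\A([\w-]+)\s*=\s*(.+)\z/))
      value = case m[2].strip
              when "true" then true
              when "false" then false
              else m[2].strip.delete_prefix('"').delete_suffix('"')
              end
      out[[table, m[1]].compact.join(".")] = value
    end
  end
end

# new_embedded_auth_strategy and gem_scope mirror the settings in
# config/initializers/shopify_app.rb; toml_text is nil when no file exists.
def install_flow_findings(new_embedded_auth_strategy:, gem_scope:, toml_text:)
  return [] unless new_embedded_auth_strategy # redirect flow: the gem requests scopes itself
  return ["no shopify.app.toml: no scopes declared for Shopify managed install"] if toml_text.nil?
  toml = read_toml(toml_text)
  findings = []
  if toml["access_scopes.use_legacy_install_flow"] == true
    findings << "use_legacy_install_flow = true while new_embedded_auth_strategy is on"
  end
  declared = toml.fetch("access_scopes.scopes", "").to_s.split(",").map(&:strip).sort
  wanted = gem_scope.split(",").map(&:strip).sort
  unless declared == wanted
    findings << "scope drift: toml=#{declared.join(',')} gem=#{wanted.join(',')}"
  end
  findings
end

puts install_flow_findings(new_embedded_auth_strategy: true,
                           gem_scope: "read_products", toml_text: SAMPLE_TOML)
```

An empty result means the initializer and the toml agree on who handles installation and on the scope list; the scope comparison is a consistency check added here, not a rule stated in the thread.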

@mzrnsh

mzrnsh commented Jul 19, 2024

Hey @zzooeeyy, thank you for looking into this for us 🙏

I, and I believe I speak for everyone here, have no doubts about this new method being more efficient. We don't need to be convinced of that 🙃

The problem worth tackling, however, is that with the shopify.app.toml approach, we are entering a totally new realm which is not documented as far as the shopify_app gem is concerned.

And once a typical Rails developer like myself decides to embark on that quest, they suddenly have to deal with things like not having a package.json file (and why would someone have it in a Rails app! Only half joking here!!):
[Image: CleanShot 2024-07-20 at 00 13 16@2x]

And okay, it's an easy problem to solve, but here comes the next one:
[Image: CleanShot 2024-07-20 at 00 18 30@2x]

I don't know what comes next as I haven't yet found a way around the last one.

But it does feel like this all should be a little more straightforward, given this is the "official" way to build a Shopify app.

@farooki

farooki commented Aug 11, 2024

I have followed all the instructions given in the shopify_app gem README and am facing a similar issue:
"Oauth error failed_grant_with_invalid_scopes: The application could not be installed due to invalid scopes requested."

I created the application directly from the Shopify partner account rather than the CLI. Does anyone know how I can fix it?

@danielfriis

danielfriis commented Jan 10, 2025

I appreciate the work you are all doing on this but I agree with @mzrnsh. For the Rails community, it seems like a bit of a mess. I'm hitting roadblock after roadblock and it feels way more complicated than it has to be.

You should hit the reset button and make a proper and simple solution for vanilla Rails projects.

I'm writing this with love. It's simply because I want to develop for Shopify, but it's just not that straightforward.

The "new auth strategy" shouldn't even be an option as it's not possible anymore with the 'old'. Also, why the need for a toml file? Seems like I have to repeat myself yet what do I gain?

@danielfriis

@zzooeeyy I see that this is "Closed as not planned". Could you at least update the documentation to reflect the new reality? (again, writing this with nothing but love, but I simply don't understand how to get up and running).
