Add new auth strategy docs & set token exchange as default configuration from rails generator

[zzooeeyy]

What this PR does

• https://github.com/Shopify/develop-app-access/issues/291

• https://github.com/Shopify/develop-app-access/issues/216

• Added documentations for token exchange embedded auth strategy (mostly copied from the Remix app).

  • README section
  • Changelog
  • Session & Authentication guides
  • Upgrading guide

• Modified the rails configuration generator to enable this new auth strategy config by default if it's an embedded app.

Before and after with the configuration on/off

• The embedded app is using previous OAuth with callbacks in "authorization code grant" flow when config.new_embedded_auth_strategy = false.
• The embedded app is using the new zero redirect OAuth with "token exchange" flow when config.new_embedded_auth_strategy = true

New app install

Auth code flow (old)	New embedded app auth (new)
auth-code-flow-install.mp4	token-exchange-install.mp4
There are multiple redirects back and forth from app to Shopify to retrieve both the offline and online access tokens. Took about 15s from "install" to home page being displayed.	There are no redirects happening at all from the app after the install. Home page displayed in about 5s

Adding new access scope

Auth code flow (old)	New embedded app auth (new)
auth-code-flow-new-scope-720.mov	token-exchange-new-scope.mp4
When a new scope has been deployed, the old authorization code flow can't pick it up until the server has been restarted. Then the user has to go through many redirects to get the new access tokens with the new access scopes.	When a new scope has been deployed, the new scope grant will be automatically prompted. Once the user grants approval to the new scopes, the operation will continue.

Expired online access token

Auth code flow (old)	New embedded app auth (new)
auth-code-flow-expired-online-token.mp4	token-exchange-expired-online-token.mp4
When the online access token has expired. The app redirected multiple times to retrieve the new access tokens, and the XHR operation from the front end didn't get completed.	When the online access token has expired, the new auth strategy automatically fetches the new access token before handling the actual API request with no redirects.

Invalidated online access token

Auth code flow (old)	New embedded app auth (new)
auth-code-flow-invalid-access-token.mp4	token-exchange-invalid-access-token.mp4
When the online access token has been invalidated, the app could not handle XHR requests until the app has been reloaded and redirected multiple times for OAuth to retrieve new access tokens	When the online access token has been invalidated, the server handles the 401 HTTP unauthorized error and fetches new access token through token exchange before retrying the controller action again. The result is a seamless server side handling of this error with zero redirects.

Checklist

Before submitting the PR, please consider if any of the following are needed:

• Update CHANGELOG.md if the changes would impact users
• Update README.md, if appropriate.
• Update any relevant pages in /docs, if necessary
• For security fixes, the Disclosure Policy must be followed.

[rachel-carvalho]

I think we realized we need to also enable token expiration check to use the new strategy, right?

[paulomarg]

If that's the case, would it make sense to turn that on in the background, and fail if an invalid combination is explicitly provided?

[zzooeeyy]

Yea I thought about enabling it, but I thought it might be confusing for apps that aren't using online tokens....
And Paulo brings up a good point, I'm not sure why we have this check anyways, it should just not get a new token automatically if there are no online tokens or if online token doesn't have an expiry date column, and wouldn't need a config for it?

[zzooeeyy]

And I just double checked, if the app has a User table but they don't have "expire_at" column, with the check enabled, it'll actually raise an NotImplementedError.. 🤔

[zzooeeyy]

And I just found this change to the template -- Shopify/shopify-app-template-ruby#24

Looks offline tokens are preferred instead of using online token?

[paulomarg]

I had a few thoughts, but nothing blocking.

[paulomarg]

I wonder if we need to give some context as to what "new" means here - in the future this might not be so clear :)

[paulomarg]

Not sure how much value these links add here, since they were mentioned above and this is a fairly short section. Fine if you want to keep them, but just wanted to raise this :)

[paulomarg]

This makes it sound like managed install is optional, but that's not the case, right?

[paulomarg]

Is there any difference in behaviour as to when post auth tasks are run, when compared to auth code? If so, this might be a good place to call that out.

[zzooeeyy]

Nope it'll run the same post auth tasks!

[paulomarg]

Right, but I meant more in the sense of whether there are any scenarios where the auth code flow would trigger the tasks and this won't. I guess there aren't any?

[zzooeeyy]

I don't think so, both will happen right after the app gets a new token. Auth code flow calls it from CallbackController and this is called right after token exchange

[paulomarg]

I would try to avoid temporal references here as they will eventually become outdated.

[paulomarg]

I wonder if we need the warning here as well if we already have it above, WDYT?

[paulomarg]

This is a fairly old warning, I wonder if we still need to have the version reference here, or if we want to make it more "permanent".

[paulomarg]

If we're using methods provided by EnsureHasSession, do we still need to explicitly pass the session and id token as params? Maybe we could do that internally and keep the params as an override (or not?), that way calling this is a bit simpler.

[paulomarg]

I can see this being a bit confusing for people in the sense that the code might be run twice. Should we explicitly state that only the query should be executed inside the block, and no business logic? Should we have a way to do this in the client itself, something like

def index
  client = Client.new
  client.query({ **options, refetch_id_token: shopify_id_token })
end

I'm mostly just bikeshedding here, wondering if we can go a little bit further to simplify the app's code.