I am starting to develop a Shopify integration. The app that I am trying to integrate has a different subdomain per user account, and so will need to redirect to a different callback domain for each oauth connection request. So far I am redirecting to the Shopify authorise URL to allow the user to grant access to their account. However, I get an error response of:
{"error":"invalid_request",
"error_description":"The redirect_uri and application url must have matching hosts"}
The URL is of the form:
https://SHOP_NAME.myshopify.com/admin/oauth/authorize?client_id=MY_CLIENT_ID&scope=read_order&redirect_uri=SUBDOMAIN.MYAPP.com
I have tried setting the application URL (set in the admin page in Shopify) to all of these and receive the same error:
http://MYAPP.com
http://.MYAPP.com
http://*.MYAPP.com
However, I can get it to work with:
http://SUBDOMAIN.MYAPP.com
I can create an endpoint that just takes information from the query string, and redirects to the subdomain, for example:
callback.MYAPP.com?subdomain=SUBDOMAIN
Which would work around this, but I would rather that the Shopify API supported subdomains since I would like to also create links in the Shopify pages into my app, and would rather not have to keep building these levels of indirection. (Although, looking at the admin page for the application links, it looks like I will have to do the same there too.)
I am using a non-standard TLD (since this is currently in development). So where I've put MYAPP.com it's really oh.dev, however I have tried using a .com by editing my hosts file, with the same results.
Does anyone know how to get Shopify to accept a subdomain as a callback_url? Have I missed something obvious?
Here's some Clojure code:
(require '[com.twinql.clojure.http :as http] '[clojure.contrib.logging :as log])
(defn consumer []
{:key "1234567890"
:secret "1234567890abcde"})
(defn shopify-config [shop-name]
{:request-token-url (str "https://" shop-name ".myshopify.com/admin/oauth/authorize")
:authorise-url (str "https://" shop-name ".myshopify.com/admin/oauth/authorize")
:access-token-url (str "https://" shop-name ".myshopify.com/admin/oauth/access_token")
:api-endpoint-url (str "https://" shop-name ".myshopify.com")})
(defn get-redirect-url [shop-name callback-url]
(let [{consumer-token :key consumer-token-secret :secret} (consumer)]
(str (-> shop-name shopify-config :request-token-url)
"?client_id=" consumer-token
"&scope=read_orders,read_products,read_customers"
"&redirect_uri=" callback-url)))
(defn get-access-credentials [verifier shop-name]
(let [{:keys [key secret]} (consumer)
response (http/post (-> shop-name shopify-config :access-token-url)
:as :json
:query {"client_id" key
"client_secret" secret
"code" verifier})]
(log/debug (str "response from getting access credentials from shopify : " response))
{:access-token (-> response :content :access_token)
:consumer-key key
:consumer-secret secret}))
(def methods {:get http/get
:post http/post
:delete http/delete
:put http/put})
(defn- make-request [method shop-name url token params]
(let [response (method (str (-> shop-name shopify-config :api-endpoint-url) url)
:as :json
:query params
:headers {"X-Shopify-Access-Token" token})]
(if (-> response :code (= 200))
(:content response)
(do
(log/error (str "Error in shopify request : " response))
(throw (Err. {:handle :shopify-request-error
:response response}))))))
(defn get-products [shop-name token page]
(make-request (:get methods) shop-name "/admin/products.json" token {:page page :limit 200}))
Also, there is some code that gets things like the shop-name from the user, and stores it in the DB and so on. So we basically call get-redirect-url to redirect the user to shopify, and get them to approve the permissions. The callback-url that we pass to Shopify is something like:
http://customer1.oh.dev/integrations/shopify/1/callback
Which then takes the code provided and calls get-access-credentials. The surrounding code stores the access-token, etc that we return. Then there is an other user action that will call get-products, after retrieving the token & shop-name.
