Shopify POS Embedded App auth flow missing id_token #1933

Closed
uurcank opened this issue Jan 5, 2025 · 4 comments

@uurcank
Contributor

uurcank commented Jan 5, 2025

When I open my app from the POS interface, it only provides a session token, not an id_token. As a result, the shopify_app gem redirects to the patch_shopify_id_token path, but no id_token is provided in the return URL.

See shopify-reload param in the logs below

Started GET "/shopify?embedded=1&hmac=15128f374660af54c8987b1588655c73e3cca0c83a8548e4b897885c205b6669d4d0aa8&host=cnVnc3Bhc3RvcmUubXlzaG9waWZ5LmNvbS9hZG1pbg&locale=en&session=de50cf5e89110d2337770d69103ab290cc129b7e1cdcd8bbc01da326acc3a506&shop=test.myshopify.com&timestamp=1736117938" for 2607:fb91:1de9:895f:8c22:a7a1:7672:40b7 at 2025-01-05 22:59:00 +0000
rails-app-1 | [b5e5184d-441c-4e63-94af-7a28be7c499c] Processing by ShopifyController#show as HTML
rails-app-1 | [b5e5184d-441c-4e63-94af-7a28be7c499c] Parameters: {"embedded"=>"1", "hmac"=>"15128f374660af54c8987b1588655c73e3cca0c83a8548e4b897885c205b6669d4d0aa8", "host"=>"cnVnc3Bhc3RvcmUubXlzaG9waWZ5LmNvbS9hZG1pbg", "locale"=>"en", "session"=>"de50cf5e89110d2337770d69103ab290cc129b7e1cdcd8bbc01da326acc3a506", "shop"=>"test.myshopify.com", "timestamp"=>"1736117938"}
rails-app-1 | [b5e5184d-441c-4e63-94af-7a28be7c499c] Redirected to https://stocktake.pasilobus.com/shopify/patch_shopify_id_token?embedded=1&hmac=15128f374660afec8987b153c73e3cca0c83a8548e4b8975c205b6669d4d0aa8&host=cnVnc3Bhc3RvcmUubXlzaG9waWZ5LmNvbS9hZG1pbg&locale=en&session=de50cf5e89110d2337770d69103ab290cc129b7e1cdcd8bbc01da326acc3a506&shop=test.myshopify.com&shopify-reload=%2Fshopify%3Fembedded%3D1%26hmac%3D15128f3a60u474660afec8987b153c73e3cwdarrca0c83a85we48e4b8975c205b6669d4d0aa8%26host%3DcnVnc3Bhc3RvcmUubXlzaG9waWZ5LmNvbS9hZG1pbg%26locale%3Den%26session%3Dde50cf5e89110d2337770d69103ab290cc129b7e1cdcd8bbc01da326acc3a506%26shop%test.myshopify.com%26timestamp%3D1736117938&timestamp=1736117938
rails-app-1 | [b5e5184d-441c-4e63-94af-7a28be7c499c] Completed 302 Found in 14ms (ActiveRecord: 0.0ms (0 queries, 0 cached) | GC: 0.5ms)
rails-app-1 | [2bab5b75-f3ad-48a5-8aae-d0cef8e2a8ae] Started GET "/shopify/patch_shopify_id_token?embedded=1&hmac=15128f374660af54c8987b1588655c73e3cca0c83a8548e4b897885c205b6669d4d0aa8&host=cnVnc3Bhc3RvcmUubXlzaG9waWZ5LmNvbS9hZG1pbg&locale=en&session=de50cf5e89110d2337770d69103ab290cc129b7e1cdcd8bbc01da326acc3a506&shop=test.myshopify.com&shopify-reload=%2Fshopify%3Fembedded%3D1%26hmac%3D15128f374a21w3660afec8987b153c7323e3cca0c83a2815484e4b8975c205b6669d4d0aa8%26host%3DcnVnc3Bhc3RvcmUubXlzaG9waWZ5LmNvbS9hZG1pbg%26locale%3Den%26session%3Dde50cf5e89110d2337770d69103ab290cc129b7e1cdcd8bbc01da326acc3a506%26shop%test.myshopify.com%26timestamp%3D1736117938&timestamp=1736117938" for 2607:fb91:1de9:895f:8c22:a7a1:7672:40b7 at 2025-01-05 22:59:01 +0000

Upon visiting the shopify-reload path, the gem returns this error.

Is that the expected behavior here? It looks to me like Shopify POS fails to provide an id_token and the gem has no capability of regenerating one.

Perhaps we can call for an id token on this page and do a JavaScript redirect? It is currently empty.

uurcank changed the title from "Shopify POS Embedded missing id_token" to "Shopify POS Embedded App auth flow missing id_token" on Jan 5, 2025
@uurcank
Contributor Author

uurcank commented Jan 8, 2025

rails-app-1 | [8ba2e86b-c632-40da-96a5-5ae52ef62195] [ ShopifyApp | INFO | Shop Not Found ] Performing Token Exchange for [test.myshopify.com] - (Offline)
rails-app-1 | [8ba2e86b-c632-40da-96a5-5ae52ef62195] [ ShopifyApp | ERROR | Shop Not Found ] A 400 error (ShopifyAPI::Errors::HttpResponseError) occurred during the token exchange. Response: {"error"=>"invalid_identity_session", "error_description"=>"Token exchange cannot be performed due to an invalid subject token."}

@lizkenyon
Contributor

Hi there 👋

Could you provide a bit more context on how you are loading your app in the POS interface?
Are you referring to "Embed your app in POS" or "POS UI extensions"?

lizkenyon added the "Waiting for Response" label (Need more information before we can provide more assistance) on Jan 14, 2025
@uurcank
Contributor Author

uurcank commented Jan 16, 2025

@lizkenyon I am referring to an embedded app.

When embed is enabled for POS, you can add a tile for the app to the POS home screen.

When that tile is clicked, it opens the app with a session token only. No id_token is present; as a result, the shopify_app gem redirects to the patch_shopify_id path, and that creates a loop. The ID token is never attached.

It works fine when the app is opened from Shopify admin.
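
A log check for the loop described in this thread, added here as an example and not part of the original issue or the shopify_app gem: it scans Rails request lines for a shop/session pair that is sent to the patch page and keeps returning to the shopify-reload path without an id_token. The helper names, the `min_returns` threshold and the sample lines are assumptions constructed for illustration.

```ruby
require "uri"

PATCH_PATH = "/shopify/patch_shopify_id_token" # path seen in the issue's log

# Pull [path, params] out of a Rails 'Started GET "..."' line; nil for other lines.
def request_from(line)
  target = line[/Started GET "([^"]+)"/, 1] or return nil
  uri = URI.parse(target)
  [uri.path, URI.decode_www_form(uri.query.to_s).to_h]
rescue URI::InvalidURIError, ArgumentError
  nil # unparseable target: skip the line instead of aborting the scan
end

# Return the [shop, session] pairs that were sent to the patch page and then
# came back to the shopify-reload path without an id_token at least
# `min_returns` times, i.e. the loop described in the thread.
def id_token_loops(lines, min_returns: 2)
  pending = {}          # key => path the patch page should reload to
  returns = Hash.new(0) # key => reloads that still lacked an id_token
  lines.each do |line|
    path, params = request_from(line)
    next unless path
    key = [params["shop"], params["session"]]
    if path == PATCH_PATH
      reload = params["shopify-reload"].to_s.split("?", 2).first
      pending[key] = reload if reload
    elsif pending[key] == path
      if params.key?("id_token")
        pending.delete(key)
        returns.delete(key)
      else
        returns[key] += 1
      end
    end
  end
  returns.select { |_, n| n >= min_returns }.keys
end

# Constructed sample requests (not the issue's log): session "aaa" loops,
# session "bbb" comes back from the patch page with an id_token.
def sample_lines
  reload = URI.encode_www_form_component("/shopify?embedded=1")
  stuck = "shop=test.myshopify.com&session=aaa"
  fine = "shop=test.myshopify.com&session=bbb"
  ["/shopify?#{stuck}", "#{PATCH_PATH}?#{stuck}&shopify-reload=#{reload}",
   "/shopify?#{stuck}", "#{PATCH_PATH}?#{stuck}&shopify-reload=#{reload}",
   "/shopify?#{stuck}", "/shopify?#{fine}",
   "#{PATCH_PATH}?#{fine}&shopify-reload=#{reload}",
   "/shopify?#{fine}&id_token=constructed.jwt.value"]
    .map { |t| %(Started GET "#{t}" for 203.0.113.5 at 2025-01-05 22:59:00 +0000) }
end
```
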

github-actions bot removed the "Waiting for Response" label (Need more information before we can provide more assistance) on Jan 16, 2025
@lizkenyon
Contributor

Hi there

I believe at this time token exchange cannot be initiated from the POS app. Token exchange must be initiated from the Shopify admin. That means for your app to load you will need to have an access token and record already in your Shops table in your database. That is what is meant by "Token exchange cannot be performed due to an invalid subject token".

When I have a record of the shop in my database I am able to successfully load the app in the Shopify admin.


As this doesn't seem to be a bug with this gem, I might recommend asking further questions in the developer community forums, to best get connected with the folks that own this area.
