Does FusionAuth have any ability to handle credentials management with external OAuth providers such as Shopify?
We are looking into implementing login via Shopify, and want to use that OAuth token for some administrative actions on behalf of the user on Shopify.
I haven't heard of this happening, but if Shopify supports OIDC or SAML v2 you can use an IdP config.
https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/ documents it for instance. It appears Shopify supports OAuth so the OIDC provider should work.
Important things to note:
- if you need to pass additional parameters to certain endpoints, turn off 'discover endpoints' and you can add them. See https://fusionauth.io/community/forum/topic/663/force-google-account-selection-on-every-login?_=1612454251976 for more
- the token returned by the external OAuth provider will be available on `user.registrations[x].tokens` with the key of the provider id. See https://fusionauth.io/docs/v1/tech/apis/identity-providers/openid-connect/ for more details
- the links above are for OIDC, but SAML integrations are also supported; review the analogous documentation.
I have been thinking about it the whole week and could not grasp all the facts, especially at Shopify's end. I asked the questions on their forum and contacted them directly. Nothing.
There are 2 main questions I am looking to get answers to:
- Can Shopify Plus act as an Identity Service provider (physically store the users without using a 3rd party ISP) and allow other applications (including ours) to authenticate via SAML?
- Can Shopify (Plus or Non-Plus) authenticate users using Shopify accounts? Something like a Shopify Social Connection. It appears so, according to the Auth0 offering: https://auth0.com/docs/connections/social/shopify#set-up-app-in-shopify. This would require that our app is installed in Shopify as a "Shopify Custom App".
But I could not find any article about Shopify authenticating (installed app users), not apps via OAuth.
Hmmm. That's a bummer that Shopify isn't being responsive. Here's what I have found:
Can Shopify Plus act as an Identity Service provider (physically store the users without using a 3rd party ISP) and allow other applications (including ours) to authenticate via SAML?
Yes, documented here: https://help.shopify.com/en/manual/shopify-plus/security/saml
It looks like this only works with Shopify users who are in your organization. (Employee IAM, not CIAM.)
Can Shopify (Plus or Non-Plus) authenticate users using Shopify accounts?
I don't know. This https://shopify.dev/tutorials/authenticate-with-oauth sure looks like an OIDC flow, but I'm not sure how it works without setting it up. Have you tried to set up an OIDC identity provider? That's what I'd do.