Single-Click App OAuth Flow
Single-Click App OAuth Flow
Single-Click App OAuth Flow
After you install your draft app and create an app profile, you’re ready to write the code grant authorization flow that generates a unique access_token for each store that installs your app. This article covers the sequence and contents of API requests and responses in the code grant authorization flow for a BigCommerce app.
It may be more appropriate for your application to use an API client to handle this logic; see the list of BigCommerce API clients that expose OAuth-related helper methods.
Typically, only store owners and authorized users can create API accounts and access_tokens for a store. However, when an app is approved to be publicly available for additional stores to install, it can generate access_tokens on behalf of store owners and authorized users.
Your app must expose a callback endpoint, GET /auth, that the merchant’s store control panel can hit to initiate the code grant authorization flow. For a list of all the callback endpoints your app can expose, both required and optional, see Single-Click App Callback Handlers.
BigCommerce uses a modified version of the OAuth2 authorization code grant (tools.ietf.org). The sequence is as follows:
GET /auth endpoint that contains some of the information necessary to request a unique access_token for the store.access_token for the store.access_token unique to the merchant’s store; see receiving the access_token response.access_token and handles any internal logic.After your app has an access_token for the store, the following events can mark the access_token for invalidation the next time the merchant opens the app:
The next time the merchant opens the app in the store control panel, the browser will prompt them to accept the changes. Once they accept, their previous access_token will be invalid, and your app will receive a fresh auth callback for their store.
In production, all app callback URLs must be publicly available, fully qualified, and served over TLS/SSL.
The request to your app’s GET /auth endpoint contains query parameters required to request an access_token.
It’s a best practice to request and receive an access_token before responding to the auth callback.
Before proceeding with the grant code authorization flow, it’s a best practice to validate the list of scopes to ensure that it matches the scopes currently configured in your app profile.
To generate an access_token for the merchant’s store, send a POST request to https://login.bigcommerce.com/oauth2/token. The request body contains a combination of query arguments from the auth callback and credentials from your app profile.
BigCommerce responds to the access_token request with JSON that contains a permanent access_token, among other information. Use this access_token to authenticate API requests the app makes on behalf of the store; see Authentication and Example Requests. To provide the most responsive app architecture and re-authentication checks, save all the response values.
After you save the access_token response body information, respond to the GET /auth callback with markup and assets to render in the store control panel. BigCommerce renders the response view inside an iFrame, so ensure that any JavaScript you send is scoped to avoid conflicts with the store control panel’s JavaScript.
If you do not respond, the merchant will be left looking at a blank screen and will not be able to interact with your app.
RFC 6749 (tools.ietf.org) discusses security considerations, recommendations, and requirements. The following are some requirements and recommendations applicable to apps:
For additional details, see Security Considerations in RFC 6749 (tools.ietf.org). For a list of the top web application security risks and best practices for avoiding them, see OWASP Top Ten (owasp.org).
The following BigCommerce API clients expose helper methods for BigCommerce’s code grant authorization flow:
access_tokensigned_payload_jwtaccess_tokensigned_payload_jwtaccess_tokenaccess_token