Let's say you are the owner of a successful website forum. All of your users must log in to the forum to contribute. Members of your forum can then purchase a forum t-shirt through your Shopify store. Unfortunately, your users have to log in to the forum first and then log in to your Shopify store before they can purchase a t-shirt.
Multipass login is for store owners who have a separate website and a Shopify store. It redirects users from the website to the Shopify store and seamlessly logs them in with the same email address they used to sign up for the original website. If no account with that email address exists yet, one is created. There is no need to synchronize any customer databases.
Shopify Plus: The Multipass login feature is available to Shopify Plus merchants only.
1. Enable Multipass login through your shop admin
Log in to your shop admin and go to the Settings > Checkout page. Scroll down to the Customer Accounts section and make sure that either Accounts are optional or Accounts are required is selected (Multipass cannot log a customer in if accounts are disabled).
Select Enable Multipass. Once enabled, a secret will be shared with you. You will need the secret in order to generate tokens to log your customers into your Shopify store. Make sure you keep your secret private.
2. Encode your customer information using JSON
The customer information is represented as a hash which must contain at least the email address of the customer and the current timestamp (ISO 8601 encoded). You can also include the customer's first name, last name, or one or more shipping addresses. Optionally, you can include the IP address of the customer's current browser session; this makes the token valid only for requests originating from that IP address, so a token leaked from one device or network cannot be replayed from another. A minimal example, containing all required fields, might look like this:
You can assign tags to your customer by setting "tag_string" to a comma-separated list of one-word values. These tags replace any tags already assigned to this customer, so include every tag the customer should keep, not just new ones.
If you want your users to see a specific page of your Shopify store, you can use the "return_to" field for that.
Shopify uses email addresses as unique identifiers for customers of a shop. When registering customers in Shopify, the merchant must set the unique identifier in the "identifier" field in the following cases:
- The site uses other identifiers (such as usernames)
- Two different users of the site might be registered with the same email address
If the email address is always unique, setting the "identifier" field isn't required.
Only one Shopify account can use a specific email address. Registering a second customer with the same email address (even with a different "identifier") will result in an error.
3. Encrypt the JSON data using AES
To generate a valid multipass login token, you need the secret given to you in your Shopify admin. The secret is used to derive two cryptographic keys, one for encryption and one for signing. This key derivation is done by hashing the secret with SHA-256: the first 128 bits (16 bytes) of the digest are used as the encryption key and the last 128 bits (16 bytes) as the signature key. Keeping the two keys separate means the encryption key is never used as HMAC input and vice versa.
The encryption provides confidentiality. It makes sure that no one other than Shopify can read the customer data inside the token, even though the token travels in a URL. As encryption cipher, we use AES with a 128-bit key in CBC mode of operation with a random initialization vector; the IV must be freshly generated for every token and is never reused, since CBC with a repeated IV leaks whether two tokens share the same leading plaintext.
4. Sign the encrypted data using HMAC
The signature (also called message authentication code) provides authenticity. It makes sure that the multipass token is authentic and hasn't been tampered with. We use the HMAC algorithm with a SHA-256 hash function and we sign the encrypted JSON data from step 3, including the initialization vector (not the plaintext JSON data from step 2). Because the MAC covers the ciphertext rather than the plaintext, the receiving side can reject a forged or modified token before attempting to decrypt it.
5. Base64 encode the binary data
The multipass login token now consists of the 128-bit initialization vector, a variable-length ciphertext, and a 256-bit signature (in this order). This binary data is encoded using base64 (URL-safe variant, RFC 4648), so that it can be placed in a URL.
6. Redirect your customer to your Shopify store
Once you have the token, redirect the customer's browser so that it issues an HTTP GET request to your Shopify store with the token in the URL.
When the request is successful (e.g. the token is valid and not expired), the customer will be logged in to your Shopify store.
The multipass token is only valid within a very short timeframe and each token can only be used once. For those reasons, you should not generate tokens in advance and embed them in your HTML pages. Instead, create a redirect URL on your own site which generates a token on the fly when requested and then immediately redirects the browser to your Shopify store.
The following shows a basic example implementation of the token generation in the Ruby language.
The following shows a basic example implementation of the token generation in PHP.
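Neither listing is included above. As an added example (not the page's own Ruby or PHP listing), the Ruby class below implements steps 2 through 6 end to end: SHA-256 key splitting, AES-128-CBC with a random IV, HMAC-SHA256 over IV and ciphertext, URL-safe base64, and the login URL. It also reimplements the receiving side (`decode_token`, `valid?`), which is not something the page shows, so that a round trip, a tampered token, a wrong secret and an expired token can all be checked offline. Assumptions: the secret value and shop domain are placeholders; `created_at` is Shopify's name for the timestamp field, `/account/login/multipass/<token>` is Shopify's documented login path, and PKCS#7 padding (OpenSSL's default) is used for CBC, none of which this page states; the 60-second `max_age` and the `tamper` helper are constructed for the demonstration.

```ruby
require "openssl"
require "json"
require "base64"
require "time"

# Placeholders for this added example: the real secret comes from the shop
# admin (step 1) and the shop domain is your own.
MULTIPASS_SECRET = "example-multipass-secret-do-not-use"
SHOP_DOMAIN      = "example.myshopify.com"

class Multipass
  def initialize(secret)
    # Step 3: SHA-256 of the shared secret, split into a 128-bit
    # encryption key (first half) and a 128-bit signing key (second half).
    digest = OpenSSL::Digest::SHA256.digest(secret)
    @encryption_key = digest[0, 16]
    @signature_key  = digest[16, 16]
  end

  # Steps 2-5: JSON-encode the customer hash, AES-128-CBC encrypt it under a
  # fresh random IV, HMAC-SHA256 the ciphertext (not the plaintext), and
  # URL-safe base64 the result. `created_at` is stamped at mint time;
  # `issued_at` is overridable only so the expiry check can be exercised.
  def generate_token(customer_data, issued_at: Time.now)
    payload    = customer_data.merge("created_at" => issued_at.iso8601)
    ciphertext = encrypt(JSON.generate(payload))
    Base64.urlsafe_encode64(ciphertext + sign(ciphertext))
  end

  # Step 6: the URL the customer's browser is redirected to
  # (Shopify's documented path; an assumption, as it is not shown on this page).
  def generate_url(customer_data, shop_domain = SHOP_DOMAIN)
    "https://#{shop_domain}/account/login/multipass/#{generate_token(customer_data)}"
  end

  # Receiving side, reimplemented so the round trip can be checked locally.
  # Order matters: verify the MAC first, decrypt only an authentic token,
  # then check freshness. Raises ArgumentError on any failure.
  def decode_token(token, max_age: 60)
    data = Base64.urlsafe_decode64(token)
    raise ArgumentError, "token too short" if data.bytesize < 16 + 16 + 32
    ciphertext = data[0...-32]   # IV || AES-CBC ciphertext
    signature  = data[-32..]     # 256-bit HMAC-SHA256
    raise ArgumentError, "bad signature" unless secure_equal?(sign(ciphertext), signature)
    customer = JSON.parse(decrypt(ciphertext).force_encoding("UTF-8"))
    age = Time.now - Time.iso8601(customer.fetch("created_at"))
    raise ArgumentError, "token expired" if age > max_age || age < -max_age
    customer
  end

  # true/false wrapper around decode_token for callers that do not need the data.
  def valid?(token, max_age: 60)
    decode_token(token, max_age: max_age)
    true
  rescue ArgumentError, KeyError, JSON::ParserError, OpenSSL::Cipher::CipherError
    false
  end

  private

  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new("aes-128-cbc")
    cipher.encrypt
    cipher.key = @encryption_key
    iv = cipher.random_iv                          # 16 fresh random bytes
    iv + cipher.update(plaintext) + cipher.final   # PKCS#7 padding (OpenSSL default)
  end

  def decrypt(data)
    cipher = OpenSSL::Cipher.new("aes-128-cbc")
    cipher.decrypt
    cipher.key = @encryption_key
    cipher.iv  = data[0, 16]
    cipher.update(data[16..]) + cipher.final
  end

  def sign(data)
    OpenSSL::HMAC.digest("sha256", @signature_key, data)
  end

  # Constant-time comparison: a forged MAC must not be guessable byte by byte
  # from how long the check takes.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed helper: flip one bit in the ciphertext so the HMAC must reject it.
def tamper(token)
  raw = Base64.urlsafe_decode64(token)
  raw.setbyte(20, raw.getbyte(20) ^ 0x01)
  Base64.urlsafe_encode64(raw)
end

if __FILE__ == $PROGRAM_NAME
  customer = { "email" => "alice@example.com", "identifier" => "alice",
               "tag_string" => "forum-member,vip", "return_to" => "/collections/t-shirts" }
  puts Multipass.new(MULTIPASS_SECRET).generate_url(customer)
end
```

Run the file to print a fresh login URL; every run yields a different token because the IV is random and the timestamp moves. Your redirect endpoint should call `generate_url` per request and answer with a 302, never cache the result, and the `identifier` field should be set whenever usernames, not email addresses, are your site's unique key.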