Sign in with a third-party identity provider
Sign in with Shop provides a secure way for users with existing Shop accounts to authenticate on your platform. Use OpenID Connect (OIDC) to connect Shop to a third-party identity platform, such as Auth0, Ping Identity, AWS Cognito, or another OIDC-compatible provider.
This guide is for external login pages hosted by a third-party identity provider. If you host your own login page, then follow Sign in with Shop instead.
The Shop platform is in early access. Features and APIs might change before general availability.
What you'll learn
In this guide, you'll learn how to:
- Create a Shop app in the Dev Dashboard and get credentials.
- Configure OIDC endpoints and scopes in a third-party identity platform.
- Apply provider-specific settings for Auth0, Ping Identity, AWS Cognito, and other OIDC-compatible providers.
- Verify that your identity provider can complete the Sign in with Shop flow.
Requirements
- A Shop app with a client ID and client secret.
- A third-party identity platform, such as Auth0, Ping Identity, AWS Cognito, or another OIDC-compatible provider.
- Admin access to configure your third-party identity platform.
- The callback URL from your identity provider.
- Familiarity with OpenID Connect and the authentication flow you're implementing.
Step 1: Create and configure your app
Create a Shop app in the Dev Dashboard to get the credentials that your identity provider uses. The app's redirect URLs must include the callback URL from your identity provider.
- Follow Create an app to create a Shop app and release a version.
- In the app's redirect URLs, add the callback URL from your identity provider, such as Auth0, Ping Identity, or AWS Cognito. Refer to your provider's documentation for the callback URL format.
- Copy your client ID and client secret from the app's Settings page.
Use the client ID as the OIDC client ID in your identity provider. Keep the client secret server-side. Don't expose the client secret in browser code, analytics, or logs.
Step 2: Configure your identity provider
Add Shop as an OIDC provider in your identity platform.
Auth0
Go to the Sign in with Shop listing on the Auth0 Marketplace, click Add Integration, and follow the installation guide. The Auth0 integration adds the Sign in with Shop option to Auth0 Universal Login, so you don't need to build your own button for that flow.
Other platforms
For Ping Identity, AWS Cognito, or another OIDC-compatible provider, follow your provider's instructions to add a social login or custom OIDC connection.
- Enter the client ID and client secret from your Shop app.
- Configure the following OIDC endpoints. If your provider supports OIDC discovery, then you can use the discovery URL instead of entering each endpoint manually.
  Issuer: https://accounts.shop.app
  Discovery: https://accounts.shop.app/.well-known/openid-configuration
  Authorization: https://accounts.shop.app/oauth/authorize
  Token: https://accounts.shop.app/oauth/token
  UserInfo: https://accounts.shop.app/oauth/userinfo
  JWKS: https://accounts.shop.app/auth/jwks
- Set the required scopes to `openid email`. Add `profile` only if your flow needs the user's name and picture.
- Enable Proof Key for Code Exchange (PKCE) with the `S256` code challenge method.
- Add Sign in with Shop to your identity platform's login page or template.
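To make the endpoint, scope and PKCE settings above concrete, here is an added example (not Shop's code and not part of any identity platform's integration) of the authorization request a relying party sends to the endpoints listed, with an S256 code challenge and a state check on the callback. CLIENT_ID, REDIRECT_URI and the callback URL used in the usage section are constructed placeholders; the client secret is passed in from server-side configuration, matching the rule in Step 1 that it never reaches the browser.

```python
"""Authorization Code + PKCE request to Sign in with Shop (added example).

Assumes the endpoints, the `openid email` scopes and the S256 method from the
list above. CLIENT_ID and REDIRECT_URI are placeholders, not real credentials.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://accounts.shop.app/oauth/authorize"
TOKEN_ENDPOINT = "https://accounts.shop.app/oauth/token"
CLIENT_ID = "example-client-id"                          # placeholder: copy yours from the app's Settings page
REDIRECT_URI = "https://idp.example.com/login/callback"  # placeholder: the callback URL registered in Step 1


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43-character high-entropy verifier from 32 random bytes (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))). Only the challenge
    travels through the browser; the verifier stays on the server."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(state: str, nonce: str, verifier: str,
                        scopes=("openid", "email")) -> str:
    """Front-channel redirect to Shop. `state` binds the callback to this browser
    session; `nonce` is echoed in the ID token so a replayed token can be detected."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def check_callback(callback_url: str, expected_state: str) -> str:
    """Reject a callback whose state doesn't match the one stored server-side for
    this session (login CSRF protection) and return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in query:
        raise ValueError(f"authorization error: {query['error'][0]}")
    return query["code"][0]


def token_request_body(code: str, verifier: str, client_secret: str) -> dict:
    """Body of the back-channel POST to TOKEN_ENDPOINT. The plain verifier and the
    client secret appear only here, server to server, never in browser code or logs."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    # Usage: store verifier, state and nonce in the server-side session, redirect
    # the browser to the URL, then exchange the returned code with the verifier.
    verifier = new_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(state, nonce, verifier))
    code = check_callback(f"{REDIRECT_URI}?code=constructed-code&state={state}", state)
    print(token_request_body(code, verifier, client_secret="<read from server config>"))
```

The verifier, state and nonce must be stored in the server-side session between the redirect and the callback; a provider that supports PKCE natively does exactly this for you, which is why the setting is a checkbox rather than code in most platforms.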
Step 3: Apply provider-specific settings
Some identity providers need extra configuration to return the claims that your app expects.
Ping Identity
When you create the custom OIDC connection in Ping Identity, map the Email Address attribute to `providerAttributes.email`.
Add the following application attribute mappings:
- `sub` to User ID.
- `email` to Email Address.
- `email_verified` to a source attribute or expression that reflects whether the user verified the email address, such as `$(user.emailVerified == true)`.
Don't hardcode email_verified to true unless your identity provider guarantees verified email ownership outside the Sign in with Shop flow.
AWS Cognito
When you add the OIDC identity provider, select Email as the required sign-in identifier and attribute.
Other providers
Follow your provider's documentation for creating a custom OIDC integration. Confirm that you've configured the endpoints, scopes, callback URL, and required claims before you release the connection.
Step 4: Verify the authentication flow
After you configure your identity provider, test the flow from the hosted login page.
- Start sign-in from your identity provider's login page.
- Confirm that the flow redirects to Shop and then back to your provider's callback URL.
- Confirm that the ID token or user info response includes the claims that your app needs, such as `sub`, `email`, and `email_verified`.
- Confirm that your app creates or updates the user's session after the provider completes the OIDC flow.
Next steps
- If you host your own login page, then add Sign in with Shop using the Shop SDK `login` feature.
- Review the full `login` feature reference for SDK options that apply to self-hosted login pages.
- Use the lead capture feature to collect email addresses from users who aren't yet signed in.