Shopify Native

Shopify as Identity Provider

Let your Shopify customer accounts power sign-in for external apps — back-office tools, member portals, wholesale dashboards, and more — using industry-standard OpenID Connect (OIDC).

~10 min setup
OIDC / OAuth 2.0
Tag-based access control
No passwords to manage

How it works

When "Shopify as IdP" is enabled, SecurePie acts as an OIDC bridge between your external app and Shopify. Here is the flow:

  1. A customer visits your external app and clicks "Sign in with Shopify".
  2. Your app redirects to the SecurePie authorization endpoint with your Client ID.
  3. SecurePie checks if the customer is already signed in to Shopify. If not, they are prompted to log in.
  4. SecurePie verifies the customer matches your configured access rule (e.g., has the correct tags).
  5. The customer is redirected back to your app with an authorization code.
  6. Your app exchanges the code for an ID token and access token at the SecurePie token endpoint.
  7. Your app validates the ID token (signature, issuer, audience, expiry), reads the customer's identity from its claims, and creates or updates their session.

Before you begin

  • SecurePie SSO is installed on your Shopify store
  • You are on a plan that supports Shopify as IdP (Starter or above)
  • You have admin access to both Shopify and the external app you are connecting
  • Your external app has a fixed HTTPS callback / redirect URL

Setup Instructions

Step 1: Open SecurePie SSO in your Shopify Admin

Navigate to the Shopify as IdP section inside the SecurePie SSO app.

  1. Log in to your Shopify admin panel
  2. Go to Apps → SecurePie SSO
  3. In the left sidebar, click "Shopify as IdP"
  4. You will see a list of any apps already connected to your store

Step 2: Connect a New App

Register the external app that will use Shopify customer accounts for sign-in.

  1. Click the "Connect a new app" button in the top right
  2. Enter a friendly App Name. This is shown to your customers on the consent screen (e.g., "LifeRegen Backoffice")
  3. Enter one or more Redirect URLs. These are the callback endpoints in your app that receive the login response. Enter each URL on a separate line. Must be HTTPS.
  4. Choose a Customer access rule (see below)
  5. Click "Connect"

The App Name appears on the login consent screen that customers see when they authorise access, so make it recognisable.

Step 3: Choose Customer Access

Control which Shopify customers are allowed to sign in to the connected app.

  1. "Anyone with an account": all signed-in customers can use this app. Best for public-facing portals.
  2. "Customers with ALL of these tags": only customers who have every tag you specify. Useful for B2B or wholesale portals.
  3. "Customers with ANY of these tags": customers who have at least one of the specified tags.
  4. "Customers without these tags": customers who do NOT have the specified tags. Useful for blocking certain segments.

Tag-based rules are evaluated in real time against Shopify customer tags each time a customer signs in, so a tag change takes effect on that customer's next sign-in (sessions your app has already created are not touched by SecurePie; their lifetime is up to your app). Customers who do not match the rule will not see a sign-in button on the storefront. Hiding the button is a convenience only: the rule is enforced by SecurePie at the authorization step, so a non-matching customer who reaches the authorization endpoint directly is refused with "access denied" rather than signed in.
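The four rule modes above, written out as a plain function so the semantics and the empty-list edge cases are explicit. This is an added illustration of the rule logic, not SecurePie's evaluation code; the sample customers are constructed, and normalising tags (trim plus lower-case) is an assumption made here, so check how your store actually spells its tags before relying on it.

```javascript
// Added example (not SecurePie's code): the four Customer Access rule modes of
// Step 3 as a plain function. Tag normalisation (trim + lower-case) is an
// assumption made for this illustration.
function normaliseTags(tags) {
  return new Set((tags || []).map((t) => String(t).trim().toLowerCase()).filter(Boolean));
}

// rule = { mode: "anyone" | "all" | "any" | "none", tags: string[] }
// Returns true when the customer may sign in to the connected app.
function matchesAccessRule(customerTags, rule) {
  const have = normaliseTags(customerTags);
  const want = [...normaliseTags(rule.tags)];
  switch (rule.mode) {
    case "anyone":
      return true;
    case "all":  // every required tag present; an empty requirement list fails closed
      return want.length > 0 && want.every((t) => have.has(t));
    case "any":  // at least one listed tag present; an empty list again fails closed
      return want.some((t) => have.has(t));
    case "none": // blocked only if a listed tag is present; an empty list blocks nobody
      return !want.some((t) => have.has(t));
    default:
      throw new Error(`unknown access rule mode: ${rule.mode}`);
  }
}

// Constructed sample customers with the tags Shopify would expose for them.
const SAMPLE_CUSTOMERS = {
  retail:    ["newsletter"],
  wholesale: ["Wholesale", "approved "],
  blocked:   ["wholesale", "fraud-review"],
};

// Which of the sample customers would be allowed in (and see a sign-in button) under a rule.
function allowedCustomers(rule) {
  return Object.keys(SAMPLE_CUSTOMERS).filter((id) => matchesAccessRule(SAMPLE_CUSTOMERS[id], rule));
}
```

The two "fails closed" choices for empty tag lists are deliberate: an ALL or ANY rule with no tags is almost always a misconfiguration, and denying everyone makes it visible immediately instead of silently opening the app to every customer.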

Step 4: Save Your Client Credentials

After clicking Connect, SecurePie immediately shows your Client ID and Client Secret.

  1. Copy the Client ID. You will need this in your app's OIDC configuration
  2. Copy the Client Secret right now. It is shown only once; if you lose it, generate a new one from the relying party's edit page
  3. Store both values in your app's environment variables or secret manager

Treat the Client Secret like a password. Never expose it in client-side code or public repositories.

Example
# Example .env for your application
OIDC_CLIENT_ID=your-client-id-here
OIDC_CLIENT_SECRET=your-client-secret-here
OIDC_ISSUER=https://sso.securepie.com

Step 5: Configure OIDC Endpoints in Your App

Use the SecurePie OIDC endpoints shown on the credentials page to configure your auth library or middleware.

  1. Copy the Discovery URL. Most OIDC libraries accept a single discovery URL and auto-configure from it
  2. Alternatively, enter each endpoint individually if your library requires it
Example
// SecurePie OIDC Endpoints
{
  "issuer":                 "https://sso.securepie.com",
  "discovery_url":          "https://sso.securepie.com/.well-known/openid-configuration",
  "authorization_endpoint": "https://sso.securepie.com/oauth/authorize",
  "token_endpoint":         "https://sso.securepie.com/oauth/token",
  "userinfo_endpoint":      "https://sso.securepie.com/oauth/userinfo",
  "jwks_uri":               "https://sso.securepie.com/.well-known/jwks.json",
  "end_session_endpoint":   "https://sso.securepie.com/oauth/logout",
  "revocation_endpoint":    "https://sso.securepie.com/oauth/revoke"
}

Step 6: Implement the OIDC Flow in Your App

Configure your application to initiate the OIDC Authorization Code flow.

  1. Set the redirect_uri to one of the Redirect URLs you registered in Step 2
  2. Request the openid scope at minimum; add profile and email to receive name and email claims
  3. On callback, check that the returned state matches the one you sent, then exchange the authorization code for tokens at the token endpoint
  4. Validate the ID token: verify the signature against the JWKS URI and check that iss is https://sso.securepie.com, aud is your Client ID, exp is in the future and, if you sent a nonce, that it is echoed back unchanged
  5. Read the sub claim as the unique customer identifier (not email, which can change on the customer record)
Example
// Example using a generic OIDC client (Node.js / next-auth)
import NextAuth from "next-auth";

export default NextAuth({
  providers: [
    {
      id: "securepie",
      name: "Sign in with Shopify",
      type: "oauth",
      issuer: "https://sso.securepie.com",
      wellKnown: "https://sso.securepie.com/.well-known/openid-configuration",
      clientId: process.env.OIDC_CLIENT_ID,
      clientSecret: process.env.OIDC_CLIENT_SECRET,
      authorization: { params: { scope: "openid profile email" } },
      idToken: true,
      checks: ["pkce", "state"],
      profile(profile) {
        return {
          id: profile.sub,
          name: profile.name,
          email: profile.email,
          image: null,
        };
      },
    },
  ],
});

Step 7: (Optional) Add Storefront Sign-In Button

Optionally surface a sign-in button on your Shopify storefront that routes customers directly into the connected app via SSO.

  1. Copy the Storefront connect URL template shown on the credentials page
  2. Replace {rp_id} with your actual relying party ID from the Client ID field
  3. In your Shopify theme, find the existing <a> tag you want to link to your app
  4. Add the data attribute shown: data-liferegen-rp-name="your app name"
  5. SecurePie's theme script will automatically rewrite the link and hide it for customers who don't match your access rule

If you skip this step, customers will see a floating card on the storefront instead. Adding the data attribute gives you full control over the button placement and appearance.

Example
<!-- Add this attribute to your existing storefront button or link -->
<a href="https://your-app.com/login" data-liferegen-rp-name="your app name">
  Sign In to Backoffice
</a>

<!-- SecurePie rewrites this to:
     https://sso.securepie.com/api/proxy/connect/{rp_id}
     and hides it for customers who don't match the access rule -->

OIDC Endpoint Reference

These are the fixed SecurePie endpoints. Paste them directly into your OIDC library configuration. Most libraries only need the Discovery URL — the rest are auto-discovered from it.

Issuer                  https://sso.securepie.com
Discovery URL           https://sso.securepie.com/.well-known/openid-configuration
Authorization endpoint  https://sso.securepie.com/oauth/authorize
Token endpoint          https://sso.securepie.com/oauth/token
Userinfo endpoint       https://sso.securepie.com/oauth/userinfo
JWKS URI                https://sso.securepie.com/.well-known/jwks.json
End session             https://sso.securepie.com/oauth/logout
Revocation              https://sso.securepie.com/oauth/revoke

ID Token Claims

The ID token returned by SecurePie includes standard OIDC claims populated from the Shopify customer record.

Claim        Type    Description
sub          string  Unique customer ID (Shopify GID). Use this as the stable user identifier in your app.
email        string  Customer email address (requires email scope).
name         string  Full name: first name + last name from the Shopify customer record.
given_name   string  Customer first name.
family_name  string  Customer last name.
iss          string  Token issuer; always https://sso.securepie.com
aud          string  Your Client ID.
exp          number  Token expiry timestamp (Unix seconds).
iat          number  Token issued-at timestamp (Unix seconds).

Common Issues

redirect_uri_mismatch error

The redirect URI sent by your app must exactly match one of the URLs registered in SecurePie: same scheme (https), host, port, path and trailing slash. Double-check the value in your OIDC client configuration, and register only callback URLs you control.

Customer sees "access denied" after login

The customer logged in successfully but does not match the Customer Access rule for this relying party. Review the tag requirements and confirm the customer has the correct Shopify customer tags applied.

Client Secret is missing or lost

The Client Secret is only displayed once, immediately after creation. If you missed it, go to Shopify as IdP, click Edit on the relying party, and generate a new secret. Update the secret in your app environment variables.

ID token signature validation fails

Ensure your OIDC library is fetching the public keys from the JWKS URI (https://sso.securepie.com/.well-known/jwks.json) and not using a hardcoded key. Keys are rotated periodically, so a library that caches the JWKS must select the key by the token's kid header and refetch the document when it sees a kid it does not know.

Login works locally but fails in production

Make sure your production Redirect URL is registered in SecurePie. You can register multiple redirect URLs (one per line) to support both local development and production environments.

Need Help?

If you run into issues setting up the integration, our support team is here to help. We can assist with OIDC library configuration, custom access rules, and storefront theme edits.