惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Hacker News - Newest:
Hacker News - Newest: "LLM"
N
News and Events Feed by Topic
PCI Perspectives
PCI Perspectives
Help Net Security
Help Net Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
V2EX - 技术
V2EX - 技术
Google Online Security Blog
Google Online Security Blog
Hacker News: Ask HN
Hacker News: Ask HN
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
P
Palo Alto Networks Blog
The Last Watchdog
The Last Watchdog
C
Cyber Attacks, Cyber Crime and Cyber Security
Security Latest
Security Latest
Application and Cybersecurity Blog
Application and Cybersecurity Blog
W
WeLiveSecurity
Cloudbric
Cloudbric
O
OpenAI News
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Webroot Blog
Webroot Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Schneier on Security
罗磊的独立博客
雷峰网
雷峰网
S
Security Affairs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
L
LINUX DO - 热门话题
NISL@THU
NISL@THU
量子位
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 【当耐特】
博客园 - Franky
S
Security @ Cisco Blogs
Project Zero
Project Zero
AI
AI
T
Troy Hunt's Blog
Latest news
Latest news
Simon Willison's Weblog
Simon Willison's Weblog
S
SegmentFault 最新的问题
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
T
Tailwind CSS Blog
The Cloudflare Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Scott Helme
Scott Helme
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Jina AI
Jina AI
I
Intezer
V
Visual Studio Blog
Cyberwarzone
Cyberwarzone
博客园 - 叶小钗

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Add Auth to Your Shopify Plus Storefront With Descope
Mrunank Pawar · 2026-05-29 · via DEV Community

This blog was originally published on Descope.

Shopify Plus empowers fast-growing brands with the digital infrastructure to scale quickly, offering powerful tools for store management, seamless checkout, and extensive customization. Its flexibility and extensibility make it a popular choice for all sizes of organization, including notable brands like Nestlé, Hasbro, and The Economist.

However, while Shopify excels at creating eye-catching storefronts and streamlining ecommerce ops, its limited authentication options force merchants into a difficult choice: accept higher cart abandonment from friction-heavy logins, or risk account takeovers from weaker security measures. By default, Shopify relies on simple email-password logins with limited support for modern features like passwordless login, multi-factor authentication (MFA), and enterprise SSO.

As of February 2026, Shopify Legacy Customer Accounts have been deprecated, further limiting built-in auth options. Now, companies running on Shopify may need to make adjustments to maintain (or add) secure, user-friendly auth functionality.

This blog covers everything you need to know about Shopify Auth in 2026:

  • How Shopify Plus auth has changed and why it matters
  • Why Descope is the ideal auth solution for Shopify Plus
  • How to set up Descope as an OIDC provider for Shopify
  • How Descope for Shopify impacts popular auth use cases
  • How to future-proof Shopify Plus auth after legacy deprecation

Shopify Plus authentication changes (and why they matter now)

Shopify is updating its customer accounts across the board. Now, all new stores must use the updated version of customer accounts. All legacy accounts will be updated, all legacy liquid templates will be locked and removed, and a full sunset date will be announced.

One of the biggest auth changes is that all new Customer Accounts will be passwordless and API-driven by default rather than relying on password-based logins.

New Customer Accounts will have the following native authentication options:

  • Email-based one-time passcodes (OTP)
  • Social login (e.g., Google, Facebook)
  • Shop login (a proprietary passwordless option)
  • Connecting an OAuth/OIDC Identity Provider (IdP)

Advanced capabilities like passkeys, enterprise SSO, and custom auth logic will require integrating an OAuth and/or OpenID Connect (OIDC) provider. Multipass is tied to legacy architecture and is already unsupported on new Customer Accounts.

Any store that has migrated off legacy has already lost Multipass functionality. Stores still on legacy accounts can continue using Multipass until the sunset date, but migration and Multipass are mutually exclusive. OAuth/OIDC is the replacement path for the extensibility that Multipass previously provided.

Teams with homegrown authentication systems will now face a difficult choice: They'll need to rebuild their systems to support OAuth/OIDC, or adopt an external IdP that can bridge Shopify and existing auth—without a full rewrite.

There's complexity involved in revamping systems from the ground up. For teams that choose this route, unifying auth across apps will be difficult under the new model.

Why Descope for Shopify Plus

Shopify's deprecation of legacy accounts is part of an overall upgrade to its auth infrastructure. The platform's built-in auth used to rely on basic, password-based logins—a high-friction method vulnerable to credential stuffing attacks.

This constraint can directly impact your bottom line through:

  • Higher cart abandonment: 42% of consumers said they'd abandoned a purchase because of a forgotten password.
  • Increased fraud risk: Passwords are inherently vulnerable, and with 78% of people reusing credentials on at least one account, much of the risk is out of your control.
  • Lost revenue: Customers who abandon their carts from auth friction don't convert. Similarly, forcing customers to create accounts can lead to drop-offs.
  • Limited cross-selling: Fragmented customer identity means more friction moving between multiple storefronts or sub-brands—and fewer cross-selling opportunities.

Shopify Plus offers modern auth options, but advanced use cases, like passkeys, SSO, and custom logic, still require an external provider.

Descope augments Shopify's basic auth with passkeys, advanced passwordless SSO, and unified identity across storefronts without heavy dev work. The benefits include reduced cart abandonment, increased retention, and better protection against fraudulent transactions.

With Descope as an OAuth and OIDC provider, you can leverage powerful auth without leaving the ecommerce framework of Shopify Plus.

Setting up Descope as an OIDC provider

To enhance auth on your Shopify Plus storefront, you can configure Descope as an OAuth and OIDC provider. This setup allows Shopify to delegate authentication to Descope, enabling features like passwordless login, social sign-ins, and multi-factor authentication (MFA) without disrupting the user experience. In this section, we'll walk through the steps to integrate Descope with Shopify Plus, ensuring a secure and smooth login process for your customers.

For a fully native experience, we recommend creating a new page on your Shopify store, and adding the Descope flow component to it. You will later configure this page to be your "Flow Hosting URL," so when a user logs in, the OIDC process will take them to this page.

Make sure not to link directly to this page anywhere on your store, as the authentication flow will only work when initiated using OIDC, and not when accessed directly.

First, create a new page in Shopify, and add custom liquid to the part of the page where you would like to put your authentication flow.

Fig: Creating a new page in Shopify

Then, in the custom liquid code field, add the following, making sure to replace <YOUR-PROJECT-ID> with your Descope Project ID, and <YOUR-FLOW-ID> with the ID of the Descope authentication flow you want to run:

<!DOCTYPE html>
<html>
<head>
<script src="https://descopecdn.com/npm/@descope/web-component@3.21.0/dist/index.js"></script>
<script src="https://descopecdn.com/npm/@descope/web-js-sdk@1.16.0/dist/index.umd.js"></script>
</head>

<body>
<p id="container"></p>

<script>
const sdk = Descope({ projectId: '<YOUR-PROJECT-ID>', baseUrl: 'https://api.descope.com', persistTokens: true, autoRefresh: true });

const sessionToken = sdk.getSessionToken()
var notValidToken
if (sessionToken) {
notValidToken = sdk.isJwtExpired(sessionToken)
}
if (!sessionToken || notValidToken) {
var container = document.getElementById('container');
container.innerHTML = '<descope-wc project-id="<YOUR-PROJECT-ID>" base-url="https://api.descope.com" flow-id="<YOUR-FLOW-ID>"></descope-wc>';
const wcElement = document.getElementsByTagName("descope-wc")[0];

const onSuccess = (e) => {
// You need to refresh the token here for auto refresh to work.
sdk.refresh();
};

const onError = (err) => {
// Print any errors to the console
console.log(err);
};

// Add event listeners for onSuccess and onError
wcElement.addEventListener('success', onSuccess)
wcElement.addEventListener('error', onError)
}
</script>
</body>
</html>

Adding the above code snippet should result in a page that resembles the image below.

Fig: After adding custom liquid

Now that we have a place to host the flow, we'll create an OIDC Application in Descope. Navigate to the Federated Apps tab of your Descope Console, and select +App. Select "Shopify", and click Create.

Fig: Creating an application

Now, under the Advanced tab, set the "Flow Hosting URL" to be the URL for the Shopify page you added the Descope flow component to.

You will use the configuration details from this new Shopify OIDC Application when setting up Descope as your Identity Provider in the Shopify console.

Next, create an access key on the Access Keys Page of the Descope Console. After generating the key, make sure to save its value to be used in the next step.

Fig: Generating an access key

Now, let's add Descope as the Identity Provider to your Shopify store. Within Shopify, navigate to Customer Accounts > Identity Provider > Manage. If you don't see this option, make sure you have a Shopify Plus account, and that Multipass is enabled if you are using Legacy customer accounts.

Select Connect to provider, and name the provider "Descope".

Now, enter the following fields into the application info configuration:

  • Well-known or discovery endpoint URL: This is the Discovery URL from the Descope Shopify Application
  • Client ID: Descope Project ID
  • Client Secret: The Access Key you just created
  • Additional scopes: add profile
  • Post-logout redirect URI parameter name: post_logout_redirect_uri

Fig: Filling out the application info configuration

After entering the Descope configuration details, Shopify allows you to test the configuration before activating Descope as the Identity Provider. You'll be able to experience the login flow as your users will on your site.

Fig: Testing the connection

Use case: magic link and passkeys

A seamless authentication experience can improve conversion rates and user satisfaction. With Descope, you can allow customers to log in using passwordless magic links or passkeys. This is especially important as adding an OAuth/OIDC provider is the only way to implement advanced auth methods with new Customer Accounts.

To add these features, we'll create a Descope flow with magic link and passkey authentication methods and change our OIDC application's flow hosting URL to point to our new flow.

Let's start out with a template from our flow library. Select the "Sign Up Or In - Biometrics/Magic Link" option.

Fig: Selecting the flow template

The "Create Flow" dialogue will appear. Hit Create to continue.

Fig: Creating the flow

Now, after creating the flow, we can change the the Flow ID in the custom liquid on our login page to "sign-up-or-in-biometrics-magic-link "

When we go back to our storefront's login, we will be directed to our new magic link and passkeys login flow instead.

Use case: A/B testing

Customer preferences and needs change rapidly, and it can be difficult to keep up with what actually resonates with your users. Experiment with your authentication and user journey flows using A/B testing to determine which authentication journeys truly work best for your users.

Fig: Creating an A/B testing flow

To set up A/B testing in your flow, first create a condition with an A/B testing key. This will send half of your users to a screen with magic link as the primary authentication method, and half to a screen with passkeys as the primary authentication method.

Fig: The A/B testing flow

You can then leverage Descope's flow analytics dashboard to see which method results in a higher user conversion rate, or the user activity dashboard to see conversion by authentication method, and adjust your flows accordingly.

Fig: Descope flow analytics dashboard

Use case: unified auth for multiple sites

If you have both a main website and a Shopify store on the same domain, maintaining a unified authentication system ensures a smooth user experience. For organizations, unified auth across sites reduces friction, allows better cross-sell, and creates a unified customer view.

However, the limitations of new Customer Accounts make it challenging to unify auth across apps—unless you integrate an OAuth/OIDC provider.

Descope can act as a centralized identity provider across both platforms.

You can configure your Descope project to make the refresh token available across the subdomains for both your website and store. When a user logs into either your main website or Shopify store, a refresh token is stored on the main domain. Then, when the user clicks the login button on the second website, they will be automatically signed in.

Fig: Omnichannel user journeys

To do so, simply set up Descope authentication for your main website using our flows or SDKs. Because you've already set up Shopify to use the same Descope project as the OIDC provider, users will be able to authenticate seamlessly across both platforms.

Future-proofing Shopify Plus auth after legacy deprecation

The deprecation of legacy accounts is part of Shopify's push toward more secure and frictionless auth. It's now an API-first customer identity system, with storefronts adopting the proprietary Customer Account API. However, in many cases, OAuth/OIDC-based extensibility will be the gold standard for streamlined auth flows.

Approaches previously used for extensibility, like liquid templates and Multipass, will be phased out alongside legacy accounts. Shops that relied on these should consider adopting an OAuth/OIDC provider to acclimate smoothly.

Looking ahead, advanced auth use cases will increasingly rely on external IdPs.

This shift is due in part to the strengths of OAuth/OIDC, but Shopify's native auth also has limitations that make external IdP provisions worth considering. Most importantly, there's no support for advanced auth flows, like SSO, passkeys, and unified identity across apps and sites. External IdPs are a long-term architecture solution for scalable ecommerce identity.

Improving auth for more conversions on Shopify Plus

The recent deprecation of Legacy accounts in Shopify Plus means that Shopify's native auth options are better than they used to be, but they still leave much to be desired.

Using Descope for your Shopify storefront authentication means going beyond Shopify's native options to reduce drop-offs, unify identity across properties, and deploy advanced auth without rebuilding from scratch. By integrating Descope as an OIDC provider, you can go beyond Shopify's basic authentication system to improve conversions and reduce drop-offs. Whether you're adding social login, passkeys, or a unified auth experience across your site and store, Descope's integration with Shopify Plus gives merchants a faster path to secure, conversion-friendly authentication.

Sign up for a Free Forever account with Descope and start building secure, scalable auth flows today. Have questions about advanced auth for Shopify Plus? Book time with our experts.

FAQs about Shopify Plus authentication

What authentication options does Shopify Plus support?

As of February 2026, new Customer Accounts in Shopify Plus have four main auth options: email OTP, social login, Shop login, and advanced auth flows through an OAuth/OIDC provider.

What is Shopify Multipass, and why is it being deprecated?

Shopify Multipass is a tool that allows for auth extensibility, enabling users to leverage other services' credentials to access a Shopify store. It's tied to legacy infrastructure and is already unsupported alongside legacy accounts. However, stores still on legacy accounts can continue using Multipass until the sunset date. New Customer Accounts will need to integrate an external OAuth/OIDC Identity Provider to access similar auth extensibility functionalities.

How do you add SSO to Shopify Plus?

To add SSO to Shopify Plus, you need to integrate an external Identity Provider, like Descope. Once fully integrated, you can configure an SSO (or other auth) flow seamlessly within Descope.

Can you use passkeys with Shopify Plus?

Yes, you can use passkeys and other advanced auth features with new Shopify Plus Customer Accounts, but only if you integrate an external OAuth/OIDC Identity Provider, like Descope.

Why use an OAuth provider like Descope for Shopify auth?

Integrating an OAuth provider like Descope for Shopify Auth allows you to add advanced auth features like enterprise SSO, passkeys, and custom authentication logic across connected apps.

How do you unify authentication across Shopify and other apps?

One way to unify auth across Shopify and other apps is to integrate Descope as an OAuth/OIDC provider and configure your project to make refresh tokens available across multiple domains.