This page was printed on Nov 15, 2019. For the current version, visit https://help.shopify.com/en/api/embedded-apps/app-bridge/oauth.
Since embedded applications are loaded inside an iframe, it is critical that the initial OAuth redirect to Shopify occurs at the parent level, escaped from the iframe. Shopify returns the X-Frame-Options=DENY header and prevents any Shopify admin pages from being loaded inside an iframe. The Shopify App Bridge provides an action that can be used to perform a redirect within the parent window.
At the end of the authentication flow, the user will end up at the redirectUri you provided. It's highly recommended that you let App Bridge redirect the user back to Shopify. As part of the initialization process, App Bridge redirects the user if necessary to ensure your app is embedded in the Shopify admin.