This page was printed on Jan 23, 2019. For the current version, visit https://help.shopify.com/en/api/embedded-apps/embedded-app-sdk/oauth.
Since the application is loaded inside an iframe, it is critical that the initial OAuth redirect to Shopify occurs at the parent level, escaped from the iframe. Shopify returns the X-Frame-Options=DENY header and prevents any Shopify admin pages from being loaded inside an iframe. The Embedded App SDK provides a method that can be used to perform a redirect within the parent window.