Connecting your own identity provider to customer accounts
You can connect your own OpenID Connect (OIDC) compliant identity provider with customer accounts to provide your customers with a consistent login experience across your platforms.
After you connect your own identity provider, customers will sign in to their account on your store using single sign-on through your identity provider. This replaces the default Shopify customer login experience.
While you can connect multiple identity providers to Shopify, you can only activate one identity provider at a time on your online store.
Requirements for identity providers
To integrate with your Shopify store, the identity provider that you connect to must meet the following requirements:
- The identity provider supports the OAuth 2.0 authorization code flow.
- The identity provider supports the Proof Key for Code Exchange (PKCE) for public clients.
- The identity provider is compliant with the OpenID Connect (OIDC) standard for authentication.
- The identity provider supports email as the unique identifier for users, and email verification is part of the registration process.
The identity provider that you connect to must also support the following endpoints:
Required endpoint | Example domain and path | Specifications |
---|---|---|
Authorization | https://auth.provider.com/authorize | RFC 6749 Section 4.1 |
Token | https://auth.provider.com/token | RFC 6749 Section 4.1.3 and RFC 6749 Section 6 |
JWKS | https://auth.provider.com/.well-known/jwks.json | RFC 7517 Section 5 |
Discovery | https://auth.provider.com/.well-known/openid-configuration | OpenID Discovery 1.0 |
If you aren't sure whether an identity provider meets the requirements, then review the documentation provided by the identity provider, or contact your identity provider for support.
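One practical way to do that review is to fetch the provider's Discovery document (the `.well-known/openid-configuration` endpoint in the table above) and check that it advertises what the requirements list asks for: the Authorization, Token and JWKS endpoints, the authorization code flow, the `openid` and `email` scopes, and the S256 PKCE method. The following Python is an added example, not Shopify's code; it runs offline against a constructed sample Discovery document using the hypothetical `auth.provider.com` domain from the table, and the `check_discovery` function and its messages are this example's own.

```python
import json

# Constructed sample Discovery document for a hypothetical provider
# (not captured from any real identity provider).
SAMPLE_DISCOVERY_JSON = """
{
  "issuer": "https://auth.provider.com",
  "authorization_endpoint": "https://auth.provider.com/authorize",
  "token_endpoint": "https://auth.provider.com/token",
  "jwks_uri": "https://auth.provider.com/.well-known/jwks.json",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "code_challenge_methods_supported": ["S256", "plain"],
  "scopes_supported": ["openid", "email", "profile"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
"""

# Discovery metadata keys that carry the three endpoints required above.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def load_discovery(text: str) -> dict:
    """Parse a Discovery document fetched from /.well-known/openid-configuration."""
    return json.loads(text)


def check_discovery(doc: dict, mobile: bool = False) -> list[str]:
    """Return a list of problems; an empty list means the metadata advertises
    everything the requirements above ask for."""
    problems = []

    # Every required endpoint must be present and served over HTTPS.
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not isinstance(url, str) or not url.startswith("https://"):
            problems.append(f"{key} missing or not https")

    if not str(doc.get("issuer", "")).startswith("https://"):
        problems.append("issuer missing or not https")

    # OAuth 2.0 authorization code flow: response_type=code must be supported.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")

    # grant_types_supported is optional; when omitted the OIDC Discovery
    # default already includes authorization_code, so only check it if present.
    grants = doc.get("grant_types_supported")
    if grants is not None and "authorization_code" not in grants:
        problems.append("authorization_code grant not advertised")

    # scopes_supported is only recommended metadata, so flag its absence as
    # something to confirm manually rather than as a hard failure.
    scopes = doc.get("scopes_supported")
    if scopes is None:
        problems.append("scopes_supported not published; confirm openid and email manually")
    else:
        for scope in ("openid", "email"):
            if scope not in scopes:
                problems.append(f"scope {scope} not advertised")

    # PKCE with S256 is listed as a requirement, and is mandatory for mobile apps.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        suffix = " (required for mobile apps)" if mobile else ""
        problems.append("PKCE S256 not advertised" + suffix)

    # An unsigned ID token (alg=none) cannot be validated against the JWKS.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned (alg=none) ID tokens")

    return problems


if __name__ == "__main__":
    doc = load_discovery(SAMPLE_DISCOVERY_JSON)
    for problem in check_discovery(doc, mobile=True) or ["no problems found"]:
        print(problem)
```

To use it against a real provider, fetch `https://<provider>/.well-known/openid-configuration`, pass the response body to `load_discovery`, and treat any returned problem as a question for the provider's documentation or support team.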
Mobile requirements
If your store has a mobile app, then the identity provider's Authorization endpoint must support the following parameters:
- code_challenge: Verifies that the client requesting the token is the same client that initiated the request.
- code_challenge_method: This parameter must be set to S256.
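The two parameters above are the client side of PKCE (RFC 7636): the app generates a random code_verifier, sends its SHA-256 hash as code_challenge with code_challenge_method=S256 on the authorization request, and later presents the original verifier to the Token endpoint, which recomputes the hash. The Python below is an added example, not Shopify's or any provider's code; it generates and checks S256 challenges and builds an authorization URL. The `build_authorize_url` helper, the `auth.provider.com` endpoint and the `example-client-id` and redirect values are illustrative assumptions, and the one fixed verifier/challenge pair is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url_no_pad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier; 32 bytes encode to 43 characters, the RFC 7636 minimum."""
    return b64url_no_pad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """What the Token endpoint does when the authorization code is redeemed.
    Only S256 is accepted here, matching the mobile requirement above;
    'plain' would let anyone who observed the challenge replay it."""
    if method != "S256":
        return False
    if not 43 <= len(verifier) <= 128:  # length bounds from RFC 7636 section 4.1
        return False
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorize_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                        challenge: str, state: str, nonce: str) -> str:
    """Authorization request carrying the two PKCE parameters the page requires.
    The endpoint, client_id and redirect_uri are supplied by the caller."""
    params = {
        "response_type": "code",          # authorization code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",          # the scopes the page requires
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,                   # binds the callback to this request
        "nonce": nonce,                   # echoed in the ID token to prevent replay
    }
    return auth_endpoint + "?" + urlencode(params)


if __name__ == "__main__":
    # Client side: keep the verifier, send only the challenge.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = build_authorize_url(
        "https://auth.provider.com/authorize",  # hypothetical endpoint
        "example-client-id",                     # hypothetical client_id
        "https://shop.example/callback",         # hypothetical Callback URL
        challenge,
        state=b64url_no_pad(secrets.token_bytes(16)),
        nonce=b64url_no_pad(secrets.token_bytes(16)),
    )
    print(url)
    # Token endpoint side: the verifier presented later must hash to the challenge.
    print("verifier accepted:", verify_code_challenge(verifier, challenge))
```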
Connect customer accounts to your own identity provider
To connect to your own identity provider, you need to complete the following tasks in order:
- Connect to an identity provider in the Customer accounts settings
- Configure settings in your identity provider dashboard
- Complete your identity provider connection in your Shopify admin
Step 1: Connect to an identity provider
- From your Shopify admin, go to Settings > Customer accounts.
- In the Identity provider section, click Manage.
- Click Connect to provider.
- Enter an Identity provider name for your authentication service.
- Keep this Connect to identity provider page open so that you can copy the Callback URL and Logout URLs from the Setup configurations section as you configure your identity provider settings.
Step 2: Configure your identity provider settings
After you complete the steps in your Shopify admin to connect to an identity provider, you need to configure the following settings in your identity provider dashboard. Setup steps vary depending on the provider that you're connecting to. Contact your identity provider for support with any setup steps in your identity provider dashboard.
Steps:
- In a separate browser tab, open your identity provider dashboard.
- Register your application: Create a confidential application in your identity provider dashboard, and then obtain the client_id and client_secret.
- Configure the redirect and logout URLs: In your identity provider dashboard, enter the Callback URL and Logout URLs that are provided in the Setup configurations of the Connect to identity provider page in your Shopify admin.
- Define scopes: In your identity provider dashboard, ensure that the scopes include email and openid.
- Set up endpoints: Ensure that the following endpoints are set up in your identity provider dashboard:
  - Authorization
  - Token
  - JWKS
  - Discovery: Depending on your identity provider, the Discovery endpoint might have a different name, such as Configuration or Well-Known Configuration.
- Locate your identity provider's post-logout redirect URI parameter. Depending on your identity provider, this might be named post_logout_redirect_uri, logout_uri, or returnTo.
- Keep this page open in a browser tab to refer to as you complete your identity provider connection.
Step 3: Complete your identity provider connection
After you configure your identity provider settings in your identity provider dashboard, you need to return to your Shopify admin to complete your connection.
Steps:
- Return to the Connect to identity provider page in your Shopify admin.
- In the Application info section, fill in the required information as it displays in your identity provider settings.
- Click Save.
- Click Test connection, and then test that your identity provider's authentication redirects to your customer accounts. If you've recently logged into your customer account on your online store, then you might need to log out and then log back in to test the new login flow.
- After you test your connection, click Activate.
After you activate your new identity provider, an Active badge displays next to your new identity provider name in the Identity provider section of your Customer accounts settings.
Revert back to Shopify as the default identity provider
You can change your identity provider back to the default customer login experience at any time.
Steps:
- From your Shopify admin, go to Settings > Customer accounts.
- In the Identity provider section, click Manage.
- In the Default identity provider drop-down menu, select Activate.
After you activate your default identity provider, an Active badge displays next to the default identity provider in the Identity provider section of your Customer accounts settings.
Managing customer data
If a customer requests that their personal information is removed from your Shopify store, then you can erase a customer's personal data from your Shopify admin.
If you've connected your own identity provider, then you also need to remove any relevant customer data from your provider dashboard. For more information, refer to your identity provider's documentation about customer data erasure.
Additional resources
To learn more about OpenID Connect (OIDC) compliant identity providers, review the following third-party resources: