Available to Shopify Plus merchants, Multipass is an industry-standard mechanism for implementing single sign-on (SSO) between a Shopify store and a third-party service.
The Shopify Multipass mechanism makes use of a secret (string
) to generate a valid (encrypted) Multipass login token. The required secret can be procured from the Shopify admin portal (after enabling Multipass).
This .NET implementation of Shopify Multipass token generation endeavours to align as closely as possible to the official implementation guidelines provided in the Shopify developer documentation.
In the case of this package, after instantiating ShopifyMultipass
with the required secret
and domain
(see Usage for more information), the secret is used to derive two cryptographic keys — one for encryption and one for signing.
This key derivation is done through the use of the SHA-256 hash function (the first 128 bit are used as encryption key and the last 128 bit are used as signature key). The encryption provides confidentiality. It makes sure that no one can read the customer data. As encryption cipher, we use the AES algorithm (128 bit key length, CBC mode of operation, random initialization vector).
Install-Package Shopify.Multipass
// Instantiation. Prepares cryptographic keys for Multipass login token genetation.
var multipass = new ShopifyMultipass.ShopifyMultipass(secret, domain);
// URL generation. This generates the required Multipass login token and appends it to the provided domain.
var url = multipass.GenerateToken(customerJson);