Hi,
It looks like the Shopify OAuth provider is not repeating the state parameter from the auth request. From my server logs, I redirect the user:
Redirected to https://<my_shop>.myshopify.com/admin/oauth//authorize?scope=read_orders%2Cwrite_orders&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Foauth%2Fcallback&state=<...>&client_id=<my_client_id>
but the callback is missing the state parameter:
Started GET "/oauth/callback?code=<code>&shop=<my_shop.myshopify.com>&timestamp=1407550161&signature=<...>
so I can't maintain state (http://tools.ietf.org/html/rfc6749#section-4.1.1).
I've worked around this for now by storing the state in the session cookie, but thought I'd bring this up.
D.
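
Added example, not part of the original post: a Ruby sketch of the state round trip from RFC 6749 section 4.1.1, with the state kept in the session as the workaround above does. The helper names, the plain Hash standing in for the session, and the sample URL and values are assumptions constructed for illustration.

```ruby
require "securerandom"
require "uri"

# Hypothetical helper: start the flow, keeping the state server-side in the session.
def authorization_url(session, base_url, client_id:, redirect_uri:, scope:)
  state = SecureRandom.urlsafe_base64(32) # unguessable, one per request
  session[:oauth_state] = state
  base_url + "?" + URI.encode_www_form(client_id: client_id, scope: scope,
                                       redirect_uri: redirect_uri, state: state)
end

# Length check plus XOR accumulation, so comparison time does not depend on
# the position of the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical helper: classify a callback query string against the session.
def callback_status(session, query_string)
  params   = URI.decode_www_form(query_string).to_h
  expected = session.delete(:oauth_state) # single use: consumed by the first callback
  returned = params["state"]
  return :no_pending_request if expected.nil?
  return :state_missing      if returned.nil? || returned.empty?
  return :state_mismatch     unless secure_equal?(expected, returned)
  :ok
end

# Constructed sample values; placeholders stand in for the redacted ones in the post.
if __FILE__ == $PROGRAM_NAME
  session = {}
  puts authorization_url(session, "https://shop.example/admin/oauth/authorize",
                         client_id: "CLIENT_ID_PLACEHOLDER",
                         redirect_uri: "http://localhost:3000/oauth/callback",
                         scope: "read_orders,write_orders")
  # Callback shaped like the one in the post: no state parameter.
  puts callback_status(session,
                       "code=CODE&shop=shop.example&timestamp=1407550161&signature=SIG")
end
```

A callback shaped like the one logged above is classified as `:state_missing`, so the missing echo shows up explicitly instead of passing silently.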