@7Spikes For step 4 described above, where Shopify is sending requests (specifically for embedded apps) to your server without code (only hmac, shop, signature, timestamp) you need to do the OAuth dance again. If the user is already logged in to their store then the resulting redirects and latency are almost transparent to the user.
This was discussed here (my last comment there addresses this point specifically):
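The branch the comment above describes, as an added example that is not part of the original post or of Shopify's own libraries: verify the request signature first, then either redirect the merchant back into the OAuth authorize flow (no `code` present) or exchange the `code` (callback). It assumes Shopify's documented query-parameter scheme (HMAC-SHA256 over the remaining parameters sorted by key, joined as `key=value` with `&`, compared against the hex `hmac` parameter); the credentials, shop name, the 300-second freshness window for `timestamp` and the `sign_query` helper that stands in for Shopify's side are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, urlencode

# Constructed credentials for the example; a real app reads these from its config.
APP_API_KEY = "example-api-key"
APP_SECRET = "example-shared-secret"
SCOPES = "read_products"
REDIRECT_URI = "https://app.example.com/auth/callback"
MAX_AGE_SECONDS = 300  # assumed freshness window for the timestamp parameter

# Only accept shop values that are real *.myshopify.com hostnames, so the
# redirect below can never be pointed at an attacker-controlled host.
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$")


def hmac_message(params):
    """Every parameter except hmac (and the legacy signature), sorted by key,
    joined as key=value with '&'. This is the string Shopify signs."""
    return "&".join(
        f"{k}={v}" for k, v in sorted(params.items()) if k not in ("hmac", "signature")
    )


def compute_hmac(params, secret):
    return hmac.new(secret.encode(), hmac_message(params).encode(), hashlib.sha256).hexdigest()


def verify_hmac(params, secret):
    supplied = params.get("hmac", "")
    # constant-time compare so the check does not leak how many prefix bytes matched
    return hmac.compare_digest(compute_hmac(params, secret), supplied)


def sign_query(params, secret):
    """Constructed helper standing in for Shopify: append the hmac and encode the query."""
    signed = dict(params)
    signed["hmac"] = compute_hmac(params, secret)
    return urlencode(signed)


def handle_request(query_string, secret=APP_SECRET, api_key=APP_API_KEY,
                   scopes=SCOPES, redirect_uri=REDIRECT_URI, now=None):
    """Decide what to do with a signed request from Shopify. Returns (action, detail):
       ("reject", reason)  - bad hmac, bad shop hostname or stale timestamp
       ("redirect", url)   - no code present: send the merchant through OAuth again
       ("exchange", code)  - callback carrying a code: exchange it for an access token"""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    # 1. Signature before anything else: nothing in the query is trusted until this passes.
    if not verify_hmac(params, secret):
        return ("reject", "hmac mismatch")
    # 2. Shop hostname, because it becomes the redirect target.
    shop = params.get("shop", "")
    if not SHOP_RE.match(shop):
        return ("reject", "shop is not a *.myshopify.com hostname")
    # 3. Freshness, so a captured signed URL cannot be replayed indefinitely.
    now = time.time() if now is None else now
    try:
        age = now - int(params.get("timestamp", "0"))
    except ValueError:
        return ("reject", "timestamp not an integer")
    if abs(age) > MAX_AGE_SECONDS:
        return ("reject", "timestamp outside freshness window")
    # 4. No code: the app has to start the OAuth dance again. The state nonce
    #    must be stored in the session and checked when the callback arrives.
    if "code" not in params:
        authorize = "https://" + shop + "/admin/oauth/authorize?" + urlencode({
            "client_id": api_key,
            "scope": scopes,
            "redirect_uri": redirect_uri,
            "state": secrets.token_hex(16),
        })
        return ("redirect", authorize)
    # 5. Callback: hand the code to the token-exchange step.
    return ("exchange", params["code"])


if __name__ == "__main__":
    now = int(time.time())
    embedded_load = sign_query({"shop": "demo-store.myshopify.com", "timestamp": str(now)}, APP_SECRET)
    print(handle_request(embedded_load, now=now))
```

The order of the checks is the point: the signature check runs before the `shop` value is used to build a redirect, and the redirect only happens once `shop` has been confirmed to be a `*.myshopify.com` hostname, so a forged or tampered query can neither start a bogus OAuth flow nor bounce the merchant to another host.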