
I’m working on a Slack app that a user can install to a workspace using Slack’s OAuth flow. After installing and configuring the app, I’m using OAuth to allow the user to log in and make changes to the app configuration.

The flow for a new user uses the "Add to Slack" button which asks the user to agree to allow bot and identity.* scopes after which my app retrieves and stores bot and user tokens.

Now I'd like to allow the same user to sign in using the "Sign in with Slack" OAuth flow. Per the Slack documentation, the "Sign in with Slack" flow allows just this using the same /oauth/authorize endpoint, but requests only one of the identity.* scopes (I'm using identity.basic):

<a href="https://slack.com/oauth/authorize?scope=identity.basic&client_id=REDACTED">Sign in with Slack</a>

The user has already authorized my app for bot and identity.* scopes on the initial app install, but surprisingly he/she is re-prompted to confirm allowing my app identity.* scopes on each "Log in with Slack" action.

The slack documentation implies that subsequent login attempts will result in an automatic redirect:

After a user clicks your Sign in with Slack button, their web browser should arrive on Slack's servers.

Your application will wait patiently while the user handles some business or Slack just sends them on their way back to your redirect URL.

(emphasis mine)

However, Slack always requests that the user (re-)authorize my app for identity.* scopes. How can I log users in using Slack with a one-click flow?

Update: Response from Slack

I reached out to the Slack team and got this response:

Unfortunately it looks like we'll need to update the documentation as for the moment what's described there is not accurate. Particularly:

Returning users won’t be distracted by unnecessary approvals, we’ll send them back to your site, service, or app as fast as we can!

Due to a change we made to our authentication flow where we now allow users to select what workspace they're authing with, we present them with the "scopes" or "permissions" page again. This is definitely something we should consider making better, but for the time being it's the expected behaviour and we're going to revise the documentation to reflect that.

Sorry for the bad news.

As of 11/17/19 the Sign in with Slack documentation has not been updated.

Nate Vaughan

1 Answer


For your requirement of implementing a web page that is linked to your Slack app with an authenticated Slack user, you have two alternatives:

Sign-in with Slack

One approach would be to use Sign-in with Slack to authenticate users for your web page. This allows you to clearly authenticate users. However, the drawback is that users would have to repeat the login process every time they open this web page again. This can be somewhat mitigated by using cookies to keep users logged in between browser restarts until they manually log out of the web app.

Note that this auth process is independent from the user logging into his Slack workspace.

Own authentication

Alternatively you can let users directly open your web app from Slack, e.g. by clicking a link button you provide. This URL needs to include information that would allow your web app to get the user's current context, e.g. his Slack and user ID.

Note that this URL could be obtained and potentially misused by a user, so you would need to add measures to protect it, e.g. by encrypting the IDs or by adding a secure hash or a one-time token ...

Erik Kalkoken
  • Absolutely my app is using cookies to identify users while they are logged in. What about after they have logged out? My app dutifully clears the cookie until they log back in. I see you have already answered a couple of identical questions: https://stackoverflow.com/questions/37193395/slack-oauth-authorize-api-call?rq=1 https://stackoverflow.com/questions/46094760/sign-in-with-slack-keeps-prompting-user-for-permission-every-time?rq=1 The thing you seem to be missing is that apps often need to find out who a user is after they have logged out, but do not need new permissions. – Nate Vaughan Oct 21 '19 at 13:17
  • I think I understand your requirement perfectly. If your app wants to remember a user (e.g. after he restarted the browser the next day) you don't want to clear the cookies. However, after a user has manually logged out you should NOT remember him. – Erik Kalkoken Oct 21 '19 at 15:16
  • This seems to describe the process pretty thoroughly: https://stackoverflow.com/questions/17769011/how-does-cookie-based-authentication-work – Erik Kalkoken Oct 21 '19 at 15:19
  • Absolutely we should not remember him after he is logged out. That is why we need a flow to log him back in. Preferably without asking him if he wants to allow my app to access his identity, since he has already authorized my app to access his identity. This is how every other OAuth provider works, and allows one-click login. – Nate Vaughan Oct 21 '19 at 17:44
  • Sure. But as I said in my answer: This is up to you to implement, e.g. by using cookies. Slack does not provide that feature for you. – Erik Kalkoken Oct 21 '19 at 17:57
  • Please tell me how you would allow a user to logout and log back in again without requiring him or her to reauthorize. – Nate Vaughan Oct 21 '19 at 18:14
  • BTW I spotted a flaw in your app design. See my extended answer. About how to implement the other thing: it's thoroughly explained in the link I provided above. – Erik Kalkoken Oct 21 '19 at 19:04
  • My question didn't state this clearly, but it's the "Log in with Slack" flow that is always re-prompting the user to authorize `identity.*` scopes, not the "Add to Slack" flow. I've updated my original question to clarify that my app design actually follows your extended recommendation. So it seems you are as surprised as I am that your recommendation does not result in an automagic, 1-click redirect. My question remains: how would you allow a user to log out and log back in again without requiring him or her to reauthorize? – Nate Vaughan Oct 22 '19 at 01:22
  • Thanks for the update of your question. Glad we are on the same page with regards to the 2nd part of your auth flow. I added some more details to my answer - hope that helps clarify the solution. – Erik Kalkoken Oct 22 '19 at 11:00
  • The process you described in your extended answer turns a logged-out user into a pseudo logged-in user and is a TERRIBLE idea. What if a user logs out of my app, logs out of slack, and logs into slack as a different user, and returns to my app? The process you describe will leave him or her only able to log in as the account with the token stored in the cookie. What if it is a shared machine? What if she/he clears his cookies or his or her browser settings do? Logout means "forget who this user is," not "pretend to forget." – Nate Vaughan Oct 22 '19 at 13:55
  • I said before that I would not do this (e.g. "However, after a user has manually logged out you should NOT remember him"), but you wanted a solution for a 1-click-login-in, so here it is. Take it or leave it. – Erik Kalkoken Oct 22 '19 at 14:38
  • Your solution is not a one-click login. It's a never-log-out. One-click login would allow any user who is already signed into Slack to then sign into a web app using OAuth. Other OAuth providers (Google, Facebook, Github) provide one-click login by automatically forwarding the user to the redirect_uri if the scopes requested have already been authorized. This allows the app to then verify the identity of the Slack (or Github/Facebook/Google) user in a seamless redirect flow. – Nate Vaughan Oct 22 '19 at 15:36
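The "Own authentication" alternative in the answer above leaves the hard part unstated: the link that carries the Slack team and user IDs into the web app can be copied, replayed or edited, so it must be signed, expire, and be redeemable once. The example below is an added illustration written for this page, not code from the question author, the answerer or Slack; it shows one way to do that with an HMAC-SHA256 tag over a base64url JSON payload, a short TTL and a nonce that is burned on first use. The secret, the login URL and the `LinkVerifier` class are hypothetical names chosen here; in a real deployment the secret comes from configuration and the redeemed-nonce set lives in shared storage rather than in process memory.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for this example: load the secret from config/KMS in practice.
LINK_SECRET = b"replace-with-a-32-byte-random-secret"
BASE_URL = "https://example.com/app/login"   # hypothetical web-app login endpoint
TOKEN_TTL = 300                                # seconds a link stays valid


def _b64e(raw: bytes) -> str:
    """base64url without padding, so the token survives URL encoding unchanged."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_login_link(team_id: str, user_id: str, now: Optional[float] = None) -> str:
    """Build a link carrying the Slack team/user context, an expiry and a nonce,
    authenticated with HMAC-SHA256 so none of the fields can be altered."""
    issued = time.time() if now is None else now
    payload = {
        "t": team_id,
        "u": user_id,
        "exp": int(issued) + TOKEN_TTL,
        "n": secrets.token_urlsafe(16),   # nonce: each link is redeemable once
    }
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64e(hmac.new(LINK_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{BASE_URL}?{urlencode({'tok': body + '.' + tag})}"


class LinkVerifier:
    """Checks a login link and records redeemed nonces (in-memory here;
    use a shared store such as a database or Redis across web workers)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._used = set()

    def verify(self, url: str, now: Optional[float] = None) -> Optional[dict]:
        """Return {'team_id', 'user_id'} for an authentic, unexpired, unused link; else None."""
        tok = parse_qs(urlparse(url).query).get("tok", [None])[0]
        if not tok or "." not in tok:
            return None
        body, tag = tok.rsplit(".", 1)
        expected = _b64e(hmac.new(self._secret, body.encode(), hashlib.sha256).digest())
        # Verify the tag before parsing anything, and in constant time.
        if not hmac.compare_digest(expected, tag):
            return None
        try:
            payload = json.loads(_b64d(body))
        except (ValueError, UnicodeDecodeError):
            return None
        current = time.time() if now is None else now
        if payload.get("exp", 0) < current:
            return None
        nonce = payload.get("n")
        if nonce is None or nonce in self._used:
            return None          # replayed link
        self._used.add(nonce)
        return {"team_id": payload["t"], "user_id": payload["u"]}


if __name__ == "__main__":
    verifier = LinkVerifier(LINK_SECRET)
    link = make_login_link("T0123ABC", "U0456DEF")
    print(link)
    print(verifier.verify(link))   # context dict on first use
    print(verifier.verify(link))   # None: nonce already redeemed
```

The web app would hand `make_login_link(...)` to the user inside Slack (for example as a button URL) and call `verify` on the resulting request; a successful result is then turned into the app's own session cookie, which is the part the answer already covers. Because the team and user IDs are signed together with the expiry and nonce, a user cannot swap in another user's ID, extend the lifetime, or reuse a link that was captured from a shared machine.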