Oauth Flow Failed. Verify the Configurations and Try Again.
This article describes an outdated approach to Slack apps. New Slack apps act independently of a user token. Build a bot user powered by just the specific permissions it needs. Check out new Slack apps now.
OAuth 2.0 is a protocol that lets your app request authority to private details in a user's Slack account without getting their password. It's also the vehicle by which Slack apps are installed on a team.
Your app asks for specific permission scopes and is rewarded with access tokens upon a user's approval.
You'll need to register your app before getting started. A registered app is assigned a unique Client ID and Client Secret which will be used in the OAuth flow. The Client Secret should not be shared.
The easiest way to enable workspaces to install your app is with the Add to Slack button.
Sign in with Slack is the best way to log individual members into your application.
- Obtaining access tokens with OAuth 2.0
- Bot user tokens
- Storing tokens securely
- Using access tokens
- Setting up your Redirect URL
- Handling multiple authorizations
- Revoking tokens
- Appendix: creating a classic Slack app
The OAuth Flow
Slack uses OAuth 2.0's authorization code grant flow to issue access tokens on behalf of users.
The OAuth flow is your key to unlocking access tokens. There's no path to programmatically create (or retrieve) app access tokens without a user's input.
Your web or mobile app should redirect users to the following URL:
https://slack.com/oauth/authorize
The following values should be passed as GET parameters:
- client_id - issued when you created your app (required)
- scope - permissions to request (see below) (required)
- redirect_uri - URL to redirect back to (see below) (optional)
- state - unique string to be passed back upon completion (optional)
- team - Slack team ID of a workspace to attempt to restrict to (optional)
The scope parameter is a space-separated list of OAuth scopes, indicating which parts of the Slack user's account you'd like your app to be able to access. The complete list of scopes can be found here.
The state parameter should be used to avoid forgery attacks by passing in a value that's unique to the user you're authenticating and checking it when auth completes.
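The following is an added example, not code from Slack's documentation: it builds the Step 1 authorize URL from the parameters listed above and generates an unpredictable state value that the app stores in the user's session and compares, in constant time, when the callback arrives. The client ID, scopes and redirect URI in the main block are constructed sample values.

```python
# Added example (not Slack's own code): compose the Step 1 authorize URL and
# bind a random `state` to the user's session so the callback can be checked.
import hmac
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://slack.com/oauth/authorize"


def new_state() -> str:
    """Unpredictable per-request value; keep it server-side in the session,
    never derive it from anything an attacker could guess (user id, time)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, scopes, state, redirect_uri=None, team=None):
    """Return the URL to redirect the user to.

    `scopes` is a list; Slack expects a single space-separated `scope` value.
    Optional parameters are only added when actually supplied.
    """
    if not scopes:
        raise ValueError("at least one scope is required")
    params = {"client_id": client_id, "scope": " ".join(scopes), "state": state}
    if redirect_uri is not None:
        if "#" in redirect_uri:
            raise ValueError("redirect URLs may not contain an anchor")
        params["redirect_uri"] = redirect_uri
    if team is not None:
        params["team"] = team
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def state_matches(expected, received) -> bool:
    """Compare the stored state with the one Slack echoed back, without
    leaking the position of the first differing character via timing."""
    if not expected or not received:
        return False
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample values, not real Slack credentials.
    session = {"oauth_state": new_state()}
    print(build_authorize_url("1234.5678", ["channels:read", "identify"],
                              session["oauth_state"],
                              redirect_uri="https://app.example.com/oauth/callback"))
```

The state is generated with the `secrets` module rather than `random`, and the comparison uses `hmac.compare_digest` so that a forged callback cannot be tuned against response time.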
Note: Redirect URLs and URIs may not contain an anchor (#).
Streamline this step further with a Direct Install URL.
How the team parameter behaves
When a valid team ID is passed to team and the authenticating user is already signed in to that workspace, passing this parameter ensures the user will auth against that workspace.
If the user is not signed in yet, the user will be asked to specify a workspace to sign in to. That workspace will then be used as they complete the authorization flow, regardless of whatever team parameter you provided when the flow began.
If you omit the optional team parameter, the user will be allowed to choose which workspace they are authenticating against.
For the best user experience, use the Add to Slack button to direct users to approve your application for access and Sign in with Slack to log users in.
Step 2 - Users are redirected to your server with a verification code
If the user authorizes your app, Slack will redirect back to your specified redirect_uri with a temporary code in a code GET parameter, as well as a state parameter if you provided one in the previous step. If the states don't match, the request may have been created by a third party and you should abort the process.
Authorization codes may only be exchanged once and expire 10 minutes after issuance.
Step 3 - Exchanging a verification code for an access token
If all is well, exchange the authorization code for an access token using the oauth.access API method (method documentation).
https://slack.com/api/oauth.access
- client_id - issued when you created your app (required)
- client_secret - issued when you created your app (required)
- code - a temporary authorization code (required)
- redirect_uri - must match the originally submitted URI (if one was sent)
You'll receive a JSON response containing an access_token (amongst other details):
{
  "access_token": "xoxp-23984754863-2348975623103",
  "scope": "read"
}
Access tokens for all apps are also known as bearer tokens. See token types for an overview of all the kinds of tokens involved in the Slack platform.
You can then use this token to call API methods on behalf of the user. The token will keep functioning until the installing user either revokes the token and/or uninstalls your application.
Slack apps can be installed multiple times by the same user and by additional users on the same workspace. Your app is considered "installed" as long as one of these tokens is still valid.
Please note that the user and bot access tokens awarded to Slack apps do not expire.
This is an opportunity to get users back to work by redirecting them to deep links within Slack.
Bot user access tokens
If your Slack app includes a bot user, upon approval the JSON response will contain an additional node containing an access token to be used specifically for your bot user, within the context of the approving workspace.
When you connect to rtm.connect or use Web API methods on behalf of your bot user, you should use this bot user access token instead of the top-level access token granted to your application.
Here's a more verbose example JSON response including a bot user access token:
{
  "access_token": "xoxp-XXXXXXXX-XXXXXXXX-XXXXX",
  "scope": "incoming-webhook,commands,bot",
  "team_name": "Team Installing Your Hook",
  "team_id": "XXXXXXXXXX",
  "incoming_webhook": {
    "url": "https://hooks.slack.com/TXXXXX/BXXXXX/XXXXXXXXXX",
    "channel": "#channel-it-will-post-to",
    "configuration_url": "https://teamname.slack.com/services/BXXXXX"
  },
  "bot": {
    "bot_user_id": "UTTTTTTTTTTR",
    "bot_access_token": "xoxb-XXXXXXXXXXXX-TTTTTTTTTTTTTT"
  }
}
Within this response, the bot node contains two fields related to your bot user: bot_user_id and bot_access_token. Bot access tokens always begin with xoxb.
Bot user tokens may be revoked by all installing users having uninstalled your Slack app from their workspace.
Secure your bot user tokens, as with all tokens and credentials. Do not share tokens with users or anyone else. Bot user tokens have particularly expansive capabilities not afforded to typical user tokens issued on behalf of members.
Step 3a - Denied Requests
If the user denies your request, Slack redirects back to your redirect_uri with an error parameter.
http://yourapp.com/oauth?error=access_denied
Applications should handle this condition appropriately.
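The following is an added example, not code from Slack's documentation; it covers Step 2, Step 3, the bot user response and Step 3a together. It validates the query string Slack appends to redirect_uri (denied request, state mismatch, missing code), prepares the form body for oauth.access, and extracts the user token and, when present, the bot token from the JSON reply. No network request is made; the sample response in the main block is constructed, with placeholder token values. The `ok`/`error` fields checked in `tokens_from_response` are the standard Slack Web API response envelope and are not shown in the page's sample, so the code treats their absence as success.

```python
# Added example (not Slack's own code): handle the redirect back from Slack,
# build the oauth.access exchange, and pick tokens out of the JSON reply.
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

ACCESS_URL = "https://slack.com/api/oauth.access"


class OAuthError(Exception):
    """Any condition under which the flow must be aborted."""


def parse_callback(redirect_url, expected_state):
    """Validate the callback and return the one-time `code`.

    Raises OAuthError when the user denied the request (error=access_denied),
    when `state` is absent or does not match the value stored for this user
    (possible third-party forgery), or when no code was delivered.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise OAuthError(f"authorization denied: {query['error'][0]}")
    received_state = query.get("state", [None])[0]
    if received_state is None or not hmac.compare_digest(expected_state, received_state):
        raise OAuthError("state mismatch: aborting the flow")
    code = query.get("code", [None])[0]
    if not code:
        raise OAuthError("callback carried no code")
    return code


def exchange_request(client_id, client_secret, code, redirect_uri=None):
    """Return (url, form-encoded body) for the Step 3 POST to oauth.access.

    The code is single-use and expires 10 minutes after issuance, so the
    exchange should happen immediately on receipt of the callback.
    """
    form = {"client_id": client_id, "client_secret": client_secret, "code": code}
    if redirect_uri is not None:
        form["redirect_uri"] = redirect_uri  # must equal the URI sent in Step 1
    return ACCESS_URL, urlencode(form).encode()


def tokens_from_response(body):
    """Extract user and (optional) bot tokens from the oauth.access JSON body."""
    data = json.loads(body)
    if not data.get("ok", True):  # standard Web API envelope, absent from the page's sample
        raise OAuthError(f"oauth.access failed: {data.get('error', 'unknown')}")
    user_token = data["access_token"]
    if not user_token.startswith("xoxp-"):
        raise OAuthError("unexpected user token prefix")
    bot = data.get("bot")
    bot_token = bot["bot_access_token"] if bot else None
    if bot_token is not None and not bot_token.startswith("xoxb-"):
        raise OAuthError("bot access tokens always begin with xoxb")
    return {
        "user_token": user_token,
        "bot_user_id": bot["bot_user_id"] if bot else None,
        "bot_token": bot_token,
        # oauth.access returns scopes comma-separated, unlike the request
        "scopes": set(data.get("scope", "").split(",")) - {""},
    }


if __name__ == "__main__":
    # Constructed sample callback and response; placeholder token values.
    code = parse_callback("https://app.example.com/oauth/callback?code=c0de&state=s1", "s1")
    url, body = exchange_request("1234.5678", "CLIENT_SECRET_PLACEHOLDER", code)
    sample = '{"access_token": "xoxp-X-X", "scope": "commands,bot",' \
             ' "bot": {"bot_user_id": "UTTTTTTTTTTR", "bot_access_token": "xoxb-X-T"}}'
    print(url, tokens_from_response(sample)["bot_user_id"])
```

The returned dictionary keeps the user and bot tokens apart so that calls made on behalf of the bot user use bot_access_token, as the text above requires, and never fall back to the broader user token.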
Storing tokens and credentials
Store your application's credentials and user tokens with care. Read our article on safely storing credentials.
Restrict Web API access to only IP addresses you trust by whitelisting specific IP addresses.
Using access tokens
The tokens awarded to your app can be used in requests to the Web API.
Many different types of tokens are used on the Slack platform. See our index of token types for a tour.
The best way to communicate your access tokens, also known as bearer tokens, is by presenting them in a request's Authorization HTTP header:
GET /api/conversations.list?limit=50
Authorization: Bearer xoxb-1234-abcdefgh
This approach is required when using application/json with a write method.
Alternatively, you may send the token as a querystring or POST body attribute of the application/x-www-form-urlencoded variety:
In a query string:
GET /api/conversations.list?limit=50&token=xoxb-1234-abcdefgh
Or a POST body:
POST /api/conversations.list
Content-type: application/x-www-form-urlencoded

token=xoxb-1234-abcdefgh&limit=50
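The following is an added example, not code from Slack's documentation: it builds `urllib.request.Request` objects for the three ways of presenting a token shown above, defaulting to the Authorization header and using it for JSON write methods, where the header is required. Nothing is sent; the token value in the main block is a constructed placeholder.

```python
# Added example (not Slack's own code): attach a Web API token as a bearer
# header (preferred, and required for application/json writes), or in the
# query string / form body. Requests are built but not sent.
import json
from urllib.parse import urlencode
from urllib.request import Request

API_BASE = "https://slack.com/api/"


def bearer_request(method, token, params=None, json_body=None):
    """GET with params, or POST a JSON body; token only in the header."""
    headers = {"Authorization": f"Bearer {token}"}
    if json_body is not None:
        headers["Content-Type"] = "application/json; charset=utf-8"
        return Request(API_BASE + method, data=json.dumps(json_body).encode(),
                       headers=headers, method="POST")
    url = API_BASE + method + (f"?{urlencode(params)}" if params else "")
    return Request(url, headers=headers, method="GET")


def form_request(method, token, params):
    """POST application/x-www-form-urlencoded with the token as a body field."""
    body = urlencode({"token": token, **params}).encode()
    return Request(API_BASE + method, data=body,
                   headers={"Content-Type": "application/x-www-form-urlencoded"},
                   method="POST")


def query_request(method, token, params):
    """GET with the token in the query string. Tokens placed here end up in
    proxy and server access logs, which is why the header form is preferred."""
    return Request(API_BASE + method + "?" + urlencode({**params, "token": token}),
                   method="GET")


def log_line(req):
    """A description safe to log: the token is masked wherever it appears."""
    url = req.full_url
    if "token=" in url:
        head, _, tail = url.partition("token=")
        rest = tail.split("&", 1)
        url = head + "token=***" + ("&" + rest[1] if len(rest) > 1 else "")
    return f"{req.get_method()} {url}"


if __name__ == "__main__":
    # Constructed placeholder token; not a real credential.
    r = bearer_request("conversations.list", "xoxb-1234-abcdefgh", {"limit": 50})
    print(log_line(r), r.get_header("Authorization") is not None)
```

`urllib.request.Request` stores header names capitalised (`Content-type`), which is why the test below reads that key back in that form.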
Redirect URIs
The redirect_uri parameter is optional. If left out, Slack will redirect users to the callback URL configured in your app's settings. If provided, the redirect URL's host and port must exactly match the callback URL. The redirect URL's path must reference a subdirectory of the callback URL.
CALLBACK: http://example.com/path
GOOD: https://example.com/path
GOOD: http://example.com/path/subdir/other
BAD: http://example.com/bar
BAD: http://example.com/
BAD: http://example.com:8080/path
BAD: http://oauth.example.com:8080/path
BAD: http://example.org
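The following is an added example, not code from Slack's documentation, and is not a description of how Slack itself implements the check: it encodes the rules stated above (host and explicit port must match the configured callback exactly, the path must be the callback path or a subdirectory of it, and no anchor is allowed) and reproduces the CALLBACK/GOOD/BAD list as test cases. Because the page lists https://example.com/path as GOOD for an http callback, only a port written explicitly in the URL takes part in the comparison. The extra cases in the test (a userinfo prefix such as `http://example.com@evil.example/path`, and `/pathology` as a prefix of `/path`) are constructed to show why the comparison uses the parsed hostname and a trailing-slash path check rather than string prefixes.

```python
# Added example (not Slack's own code): check a candidate redirect_uri
# against a configured callback URL using the rules stated on the page.
from urllib.parse import urlsplit


def redirect_uri_allowed(callback: str, candidate: str) -> bool:
    """True when `candidate` may be used as redirect_uri for `callback`."""
    cb, cand = urlsplit(callback), urlsplit(candidate)

    # Redirect URLs and URIs may not contain an anchor (#).
    if "#" in candidate:
        return False
    if cand.scheme not in ("http", "https"):
        return False

    # Host must match exactly. `.hostname` is the parsed, lower-cased host,
    # so "http://example.com@evil.example/path" compares as evil.example.
    if cb.hostname is None or cand.hostname != cb.hostname:
        return False

    # Port must match exactly; `.port` is None when none was written, and
    # raises ValueError for a non-numeric port, which we treat as a mismatch.
    try:
        if cand.port != cb.port:
            return False
    except ValueError:
        return False

    # Path must be the callback path itself or a subdirectory of it.
    base = cb.path.rstrip("/") or "/"
    path = cand.path or "/"
    if base == "/":
        return True
    return path == base or path.startswith(base + "/")


if __name__ == "__main__":
    callback = "http://example.com/path"
    for url in ["https://example.com/path", "http://example.com/path/subdir/other",
                "http://example.com/bar", "http://example.com/",
                "http://example.com:8080/path", "http://oauth.example.com:8080/path",
                "http://example.org"]:
        print("GOOD" if redirect_uri_allowed(callback, url) else "BAD ", url)
```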
Handling Multiple Authorizations
Your application may send a user through the OAuth flow multiple times.
You can use this behavior to re-verify a user's identity or to retrieve a user's access token again as needed. You can also use it to upgrade an access token's OAuth scopes.
If your application requires a basic set of permissions to function, but can use optional permissions for advanced functionality, requesting additional scopes separately ensures that your application will have the access it needs to function without initially deterring users from approving it.
When your user is ready to indulge themselves in features requiring additional permissions, send them through the OAuth flow again, this time requesting the additional scopes you need.
For example, if your app uses Slack to sign in to your service, you may want to restrict your initial OAuth request to just the identify scope. If that same app also has an optional feature to import files from Slack using files:read, you can initiate the application approval process again, within the context of the user's action, so they understand why the additional permissions are being requested.
This ensures that your app retains critical functionality (signing in to your app) without requiring optional permissions (access to the user's files) and also provides better context for the user.
Appending Scopes
When you initially send a user through the OAuth flow, you receive a token that has the set of scopes you requested. Any subsequent time(s) you send that same user through the OAuth flow, any new scopes you request will be added to that initial set.
For instance, if you initially request channels:read and channels:write from a user, the initial token will only be scoped to channels:read channels:write (plus identify, which is automatically included in any OAuth grant for a classic Slack app). If you send that same user through a second OAuth flow, this time requesting files:write, the resulting token will have the new scope added to the previous set: channels:read channels:write files:write identify.
This process can be repeated any number of times, and each scope you request is additive to the scopes you've already been awarded. It is not possible to downgrade an access token's scopes.
As you make Web API requests, an X-OAuth-Scopes HTTP header will be returned with every response indicating which scopes the calling token currently has:
X-OAuth-Scopes: identity.basic,reactions:read
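The following is an added example, not code from Slack's documentation: it models the additive scope rule from "Appending Scopes" for a classic Slack app, parses the X-OAuth-Scopes response header, and works out which scopes a feature still lacks so that only those need to be requested on the next trip through the flow (the incremental pattern described under "Handling Multiple Authorizations"). The scope names are the ones used on this page; the feature requirements in the main block are constructed.

```python
# Added example (not Slack's own code): additive scopes across repeated OAuth
# flows, X-OAuth-Scopes parsing, and the "what do I still need?" check.
CLASSIC_IMPLICIT = {"identify"}  # included in any OAuth grant for a classic app


def scopes_after_flows(requested_per_flow):
    """Scope set of one user's token after each trip through the OAuth flow.

    `requested_per_flow` holds one space-separated `scope` string per trip.
    Scopes only accumulate; a later trip can never remove an earlier grant.
    Returns a list with the token's scope set after each trip.
    """
    granted = set(CLASSIC_IMPLICIT)
    history = []
    for request in requested_per_flow:
        granted |= set(request.split())
        history.append(frozenset(granted))
    return history


def scopes_from_header(header_value):
    """Parse `X-OAuth-Scopes: identity.basic,reactions:read` into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def scopes_to_request(current, needed):
    """Scopes a feature needs that the token does not yet have, sorted.

    An empty list means the feature can run without another OAuth trip;
    otherwise only these scopes need to be requested, since they will be
    appended to the existing grant.
    """
    return sorted(set(needed) - set(current))


if __name__ == "__main__":
    history = scopes_after_flows(["channels:read channels:write", "files:write"])
    print(sorted(history[-1]))
    current = scopes_from_header("identity.basic,reactions:read")
    # Constructed feature requirement for illustration.
    print(scopes_to_request(current, ["reactions:read", "files:read"]))
```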
Verifying user identity without installing anything
Use Sign in with Slack instead when you merely want to log members in and verify their identity without having them "install" something. If you need to ask for specific authorization scopes from a user, you can switch to the Add to Slack flow to request them. Additional scopes awarded there will be appended to the same OAuth token for that user.
Revoking tokens and uninstalling apps
For workspace apps, use apps.uninstall to uninstall an app completely, revoking all tokens.
If you want to dispose of a single OAuth access token, use auth.revoke. This includes both refresh tokens and access tokens for workspace apps. It works with tokens from Sign in with Slack as well as from Add to Slack.
For classic Slack apps, revoking the last token associated between your application and a workspace effectively uninstalls the app for that workspace.
Revoking tokens and asking a user to authenticate again is the best way to start over and incrementally add more limited OAuth scopes to a token.
Appendix: creating a classic Slack app
If you still need to create a classic Slack app, either to use the rtm.connect method, or for any other reason, click here:
Create a classic Slack app
You can then continue to distribute it via the first version of OAuth 2.0, the one described on this page.
Source: https://api.slack.com/docs/oauth