
Support for V2 Oauth API #35

Open
emilsoman opened this issue Dec 27, 2019 · 15 comments

Comments

@emilsoman

Slack now allows apps to configure granular scopes for the bot token. This uses a new version of their oauth URLs and also changes the structure of the callback payload. More information here: https://api.slack.com/authentication/oauth-v2. If you upgrade to this version, it looks like you cannot go back to using the old version and you'll get an oauth_authorization_url_mismatch error.

To solve this (until the default oauth URLs in ueberauth_slack are changed):

1. Override authorize_url and token_url in your config:

```elixir
config :ueberauth, Ueberauth.Strategy.Slack.OAuth,
  client_id: System.get_env("SLACK_CLIENT_ID"),
  client_secret: System.get_env("SLACK_CLIENT_SECRET"),
  authorize_url: "https://slack.com/oauth/v2/authorize",
  token_url: "https://slack.com/api/oauth.v2.access"
```

2. Change your callback function in AuthController to support the new payload structure. Compare the responses of https://api.slack.com/methods/oauth.access and https://api.slack.com/methods/oauth.v2.access to get an idea.
@doomspork
Member

Hi @emilsoman, thanks for opening this issue, this should absolutely be on the radar! I also appreciate you documenting the workaround for others 😁

@scrogson what is the status of the oauth lib changes you had mentioned? Are we good to start the migration to that version of the oauth lib?

@emilsoman
Author

Another related breaking change with the v2 API - if you don't use any "bot" related scope, for example when using the "Sign in with Slack" button using only identity related scopes, Slack doesn't send you any bot access token. Instead, it sends the user access token in a map nested under the key "authed_user" (see https://api.slack.com/methods/oauth.v2.access). This will cause an error in ueberauth_slack because it expects an :access_token to be present in the root level of the response (here's the old response: https://api.slack.com/methods/oauth.access).

I've fixed this in a fork to unblock my work: emilsoman@4b428e0. Do you want to take this change in? Let me know if this needs more changes please.
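The two payload differences raised in the comments above (the root-level access_token that v1 returned versus the user token nested under "authed_user" in v2, and v2 returning a bot token and a user token from one call) are easiest to reason about with a normaliser in front of the callback. The module below is an added example written for this thread; it is not code from ueberauth_slack or from any commenter's fork. The module name, the shape of the returned map and the sample payloads are assumptions; the sample bodies are constructed with placeholder token values and follow the documented response shapes.

```elixir
# Added example, not code from ueberauth_slack or from any commenter's fork.
# Normalises the decoded JSON body of a token response into one map that keeps
# the bot token and the user token apart. It accepts the oauth.v2.access shape
# (user token under "authed_user" when only user scopes were requested, bot
# token at the root otherwise) and the old oauth.access shape (user token at
# the root). Module name, returned field names and samples are assumptions.
defmodule SlackOAuthResponse do
  @type token :: %{access_token: String.t(), type: String.t() | nil, scopes: [String.t()]}

  @doc "Returns {:ok, %{bot: token | nil, user: token | nil, team_id: id}} or {:error, reason}."
  def normalize(%{"ok" => false} = body), do: {:error, body["error"] || "unknown_error"}

  def normalize(%{"ok" => true} = body) do
    root = token_from(body)
    authed = token_from(body["authed_user"])

    {bot, user} =
      case {body["token_type"], root, authed} do
        # v2 with bot scopes: the root token is the bot token; authed_user only
        # carries its own access_token when identity/user scopes were requested.
        {"bot", root, authed} -> {root, authed}
        # v2 with user scopes only: nothing at the root, token under authed_user.
        # This is the shape that breaks a callback expecting a root :access_token.
        {_, nil, authed} -> {nil, authed}
        # v1 oauth.access: no token_type, the root token is the user token
        # (v1 returned any bot token under a separate "bot" key, ignored here).
        {nil, root, _} -> {nil, root}
        {_, root, authed} -> {root, authed}
      end

    if is_nil(bot) and is_nil(user) do
      {:error, "no_access_token_in_response"}
    else
      {:ok, %{bot: bot, user: user, team_id: get_in(body, ["team", "id"])}}
    end
  end

  def normalize(_), do: {:error, "malformed_response"}

  # Accepts either the root body or the "authed_user" sub-map. Scopes come back
  # as a list so a caller can check, for example, "identity.basic" in scopes.
  defp token_from(%{"access_token" => tok} = m) when is_binary(tok) do
    %{access_token: tok, type: m["token_type"], scopes: split_scopes(m["scope"])}
  end

  defp token_from(_), do: nil

  defp split_scopes(nil), do: []
  defp split_scopes(s) when is_binary(s), do: String.split(s, ",", trim: true)

  # Constructed sample bodies with placeholder token values (not real tokens).
  def sample_v2_bot_and_user do
    %{
      "ok" => true,
      "access_token" => "xoxb-BOT-TOKEN-PLACEHOLDER",
      "token_type" => "bot",
      "scope" => "chat:write,commands",
      "team" => %{"id" => "T_PLACEHOLDER"},
      "authed_user" => %{
        "id" => "U_PLACEHOLDER",
        "scope" => "identity.basic,identity.email",
        "access_token" => "xoxp-USER-TOKEN-PLACEHOLDER",
        "token_type" => "user"
      }
    }
  end

  def sample_v2_user_only do
    %{
      "ok" => true,
      "team" => %{"id" => "T_PLACEHOLDER"},
      "authed_user" => %{
        "id" => "U_PLACEHOLDER",
        "scope" => "identity.basic",
        "access_token" => "xoxp-USER-TOKEN-PLACEHOLDER",
        "token_type" => "user"
      }
    }
  end

  def sample_v1 do
    %{
      "ok" => true,
      "access_token" => "xoxp-USER-TOKEN-PLACEHOLDER",
      "scope" => "identity.basic",
      "team" => %{"id" => "T_PLACEHOLDER"}
    }
  end

  # Runs the normaliser over every sample, including a denied response.
  def demo do
    samples = [
      bot_and_user: sample_v2_bot_and_user(),
      user_only: sample_v2_user_only(),
      v1: sample_v1(),
      denied: %{"ok" => false, "error" => "access_denied"}
    ]

    for {name, body} <- samples, do: IO.inspect(normalize(body), label: to_string(name))
  end
end
```

Run it with `SlackOAuthResponse.demo()`. A callback that only needs the signed-in user can take `user` and pass `user.access_token` to users.identity, while a callback that posts as the app keeps `bot`; either way the `"ok" => false` and no-token cases are rejected before any token is stored.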

@acconrad
Contributor

acconrad commented Apr 1, 2020

@doomspork we need to get this in because new apps are requiring OAuth v2 access and I can't log in anymore because I'm getting an oauth_authorization_url_mismatch error which, according to the documentation, says:

The OAuth flow was initiated on an incorrect version of the authorization url. The flow must be initiated via /oauth/v2/authorize

I am using @emilsoman's code to get around this

@doomspork
Member

@acconrad okay, do you need me to release a new version?

@acconrad
Contributor

acconrad commented Apr 7, 2020

@doomspork yes that would be helpful!

@doomspork
Member

@acconrad don't we need the change from @emilsoman? Are you opening a PR?

In the future it is best to ping the team and not just me directly, I can be swamped at times.

@acconrad
Contributor

acconrad commented Apr 7, 2020

can we merge that branch in?

@Hanspagh
Contributor

Hanspagh commented Apr 8, 2020

@emilsoman can you open a pr, then we can get started on this

@ream88
Contributor

ream88 commented Apr 20, 2020

I needed to change fetch_identity as well to get it working for me:

```elixir
# Replacement for fetch_identity/2 inside Ueberauth.Strategy.Slack; it relies on
# the strategy's own set_errors!/2, error/2 and put_private/3 helpers.
defp fetch_identity(conn, token) do
  # With oauth.v2.access the user's scopes and token live under "authed_user",
  # not at the root of the response.
  scope_string = token.other_params["authed_user"]["scope"] || ""
  scopes = String.split(scope_string, ",")

  # Build a token struct for the user token so users.identity is called with it
  # rather than with the bot token.
  user_token = OAuth2.AccessToken.new(token.other_params["authed_user"])

  case "identity.basic" in scopes do
    false ->
      # No identity scope: users.identity would fail, so skip the lookup.
      conn

    true ->
      case Ueberauth.Strategy.Slack.OAuth.get(user_token, "/users.identity") do
        {:ok, %OAuth2.Response{status_code: 401, body: _body}} ->
          set_errors!(conn, [error("token", "unauthorized")])

        {:ok, %OAuth2.Response{status_code: status_code, body: identity}}
        when status_code in 200..399 ->
          # Slack returns HTTP 200 with "ok": false on API-level errors.
          if identity["ok"] do
            put_private(conn, :slack_identity, identity)
          else
            set_errors!(conn, [error(identity["error"], identity["error"])])
          end

        {:error, %OAuth2.Error{reason: reason}} ->
          set_errors!(conn, [error("OAuth2", reason)])
      end
  end
end
```

@ream88
Contributor

ream88 commented Apr 20, 2020

I think once my mix format branch is merged, I can help with this issue here 😊

@emilsoman
Author

Unfortunately I am not able to work on this PR at the moment. @ream88 thanks for pitching in, please feel free to take my code if needed.

@Hanspagh
Contributor

Format PR has now been merged. Let me know if you need any help

@jsmestad

jsmestad commented Nov 1, 2020

Looking deeper into the new Slack OAuth V2 endpoint, it actually is quite a bit different than their old one. They introduced "bot tokens" versus "user tokens" both coming back from a single oauth call.

I still have to figure out how best to handle two distinct tokens coming back from one OAuth workflow. I created a detached fork called ueberauth_slack_v2 so I can specifically handle this unique two token flow.

It is still a work in progress to figure out the ins-and-outs of handling two tokens, but you should be able to copy some of the changes to make this library drop the bot token and only use the user token.

@messutied

What is the current state of these efforts? Let me know if I can be of help on the PR/fork.

@chasers

chasers commented Nov 30, 2020

@jsmestad thanks for this ... using your fork for now!
