I am unable to grant user scopes to my bot. I've successfully set up an OAuth flow and got bot scopes, but when I try to add user scopes my oauth flow will error out with a generic error "There was something wrong with your request".
It seems like I cannot combine slack bot scopes with user scopes in the same app? This is using the latest API which prioritizes granular bot scopes over workspace wide scopes.
How can I combine user scopes with bot scopes?
Related
I am building an app which authenticates via microsoft and needs various that predominantly uses Delegated permissions. I use the v2 auth endpoints to do incremental authentication, only asking for additional scopes when the user needs them.
This has worked well for the many delegated permissions I have so far. In many cases I need admin approval for these permissions, but I have a flow for that which works well.
One of the scopes I have used as a delegated permission is "User.Read.All", I now need the same scope on the application permission level. But I am struggling to work out if there is a way to do incremental authentication for application permissions. The docs say to use the generic endpoint where you don't specify scopes, but this then asks for all the scopes I have on my application registration rather than just passing in the scopes as a param.
It has nothing do with the endpoint and the scopes you specified. Since you use Delegated permissions in your original job, so I consider you use auth code flow or username/passord flow. If we use auth code flow or username/password flow, we can't get application permission when we do authentication although you have assign the application permissions to your registered app. If you want to get application permission when do authentication, you need to use client credential flow instead.
It is not possible to do this unfortunately the consent flow allows either a dynamic set of delegated scopes to be submitted or /.default which acts like the v1 endpoints and requests all scopes for that client. See these docs
I use: https://www.npmjs.com/package/#slack/interactive-messages and https://www.npmjs.com/package/#slack/events-api for my Slack/Node.js bot. I catch any interaction to the bot using:
slackEvents.on(‘message’, (message: any, body: any) => …);
Before Slack users can chat with the bot they must integrate it into their workspace using: https://api.slack.com/docs/sign-in-with-slack which is available in my website for logged on users. On successful response I get two different access tokens:
xoxb based auth tokens from bot_access_token (if im correct this is workspace based access token)
xoxp based auth tokens from access_token (if im correct this is user based access token)
I store above tokens in the users record in my database. I use the xoxb token to execute methods from my bot engine which also has access to the database, methods such as: https://api.slack.com/methods/chat.postMessage
However, once the bot is integrated the bot is exposed to many users. Users that did not do the 'Sign in with slack'-process and does not have any xoxp or xoxb tokens in their user record in the database. What xoxb token can I use to chat.postMessage to them?
I see there is an OAuth Access Token (xoxp) and Bot User OAuth Access Token (xoxb) in the Slack API Bot Dashboard under ‘OAuth & Permission’ link. Is this a master xoxb token that can be used to chat.postMessage to all users in Slack in any workspace that integrated my app?
Tokens are always bound to one workspace and one user. There is no "master" token that would work for multiple workspaces.
However, an app usually only needs one token per workspace, which it receives during the on-time installation process (as you described). You obviously want to store that token (bot user token and access token if you have a bot user) in your app database.
Provided your app has the necessary scopes it can use that token for all API calls involving that workspace. e.g. you can send messages to any user with the same token. For this to work with different workspaces all you need to do is match the team ID from the incoming request to the right token for your response.
To send a direct message to any user just use the ID of the user as channel with chat.postMessage. You get that ID in the message event.
Since you have a bot user I would recommend you to use the bot token whenever possible and the access token only in cases where the bot token does not work (not all API methods work with bot token).
A detailed description of the differences between those tokens can be found here.
See also How to get a workspace agnostic Slack bot token?
I would like a JWT access_token to contain a list of security group. From reading the documentation I attempted setting "groupMembershipClaims": "All", in the manifest of my application regostraton.
The setup is that I have a azure ad domain with 2 users. Then I have 2 groups: [user, admin] Each user has one of the groups assigned to it. Each group is of type security.
I am attempting to perform the OAuth Code flow manually, by going to the url formated similar to this:
https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<application-id>&response_type=code&redirect_uri=http://localhost:8080&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345
Then I login using the user account I setup in azure ad. Then I use postman to submit a post request to https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token with parameters:
client_id = <client-id>
code = code from previous login,
redirect_uri = http://localhost:8080
grant_type = authorization_code
scope = user.read mail.read
I get a valid response back, with an access_token. However when I decode it there is no group claim listed at all.
How can I get the groups listed in the token?
According to my research, Azure AD v2 endpoint of Azure Active Directory does not yet support groups claims in its token. For more details, please refer to the document. If you want to get all groups one user belongs to, you'll need query the groups from Microsoft Graph API. You can find the API documentation here:https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0.
If you use the app to access own API, in order to get group claim in the access_token, you need to configure the groupMembershipClaims value as you want in the API manifest, then you could get the group claim information in the access_token.
But if the access resource is MS graph API or Azure AD graph API, you could not configure for them, you could only use the openid connect to get the id_token, and then you could see the group claim in the id_token. In your flow, you could add openid in the scope, then you could find the group information in the id_token.
I tried oauth2 code flow in the postman:
And it returns the access_token and id_token. To parse the id_token, I get the group information:
When requesting scopes for both channels:read and identity.basic I get the following error:
Invalid permissions requested
Cannot request both identity scopes and other scopes at the same time
What's the solution for this? I'm interested in identifying if a user is an administrator and listing his channels. I'm requesting the identity.basic scope above as it's a prerequisite for the users:read scope. Do I really need to get the user to click "Authorize" twice for such a thing?
No. You do not to authorize twice. If you need additional scopes - because you want to access the API methods - you need to use the Add to Slack OAuth flow instead. That one will give you access to all scopes.
The Sign-in-with Slack OAuth flow is meant for quick user authentications only and does therefore not include any scopes that would require the user to confirm them (like users.read). So you can only user identity.* scopes for this flow as clearly stated in the documentation under Valid parameters / scope.
After completing the DocuSign's OAuth flow with my Docusign App I would like to add a webhook to the user's account using the Connect APIs.
What I managed to achieve so far is complete the OAuth flow, get the token and create a webhook on my OAuth app but instead I want to create it on the user's one.
I think it should be possibile since it's exactly what the DocuSign API explorer is doing: it first makes me follow the OAuth and then allows me to create a webhook on my account.
Am I missing something?
Your OAuth identity on DocuSign can be associated with one or more accounts. You create an account-wide webhook by specifying the account_id in the ConnectConfigurations: create call to end point POST /v2/accounts/{accountId}/connect
So some choices:
If your login has access to your user's account then you're all set.
When your user logs in to DocuSign you could create the webhook using his credentials.
You can also use Service Application authentication, but in all cases, the login used by your app needs permission for the user's account to add a webhook on that account.
Note: by "user" I am assuming that you mean someone who is sending out envelopes. We call that person the "sender." People who receive or sign envelopes typically don't have accounts. They're "recipients."
If you want to know when someone signed, you should add a webhook on either the sender's account or on the envelope itself when it was sent.