I have an web application with existing users and user ids (i.e. not Slack user ids). I'd like to allow my users to install my new Slack app.
How do I know which of my users connects to Slack using OAuth and installs my app? I know you can request email but what if the Slack email is different from the email address used to originally sign up to my application.
It's crucial that I know which Slack users are linked to my existing users. Is there a way to send my existing users' user_id through the OAuth process so I know how to link a Slack user to one of my users?
Potential Solutions?
User's cookie will allow me to identify them upon the Slack OAuth
redirect.
Use the state variable as a way to identify a user on my
site
I would not use the state property to transfer user information. It's theoretical possible, but would defy the purpose of the state property as security measure.
Instead you just need to keep the user context on your website during the Oauth process (e.g. by storing the user ID in a server session), so you can store the connection between your custom user ID and the Slack user ID later.
Here is the full process:
You users will first need to log-in to your website to identify
themselves.
Your website will then have the user ID of the user and need to keep
this context, e.g. in a server session.
Next your user has the option to install your Slack app. After the
installation is finished the Oauth process will automatically
redirect your user back to your website.
You can then get the current user ID by calling auth.test
with the access token you just received.
Finally have both the custom user ID and the Slack user ID an can store
this connection, e.g. in your database for future reference.
Alternatively you can add this information to the Slack user as
custom property with users.profile.set
Related
I'm working on an app that is used by about 50 project managers to make quotations. When a quotation is ready, it is to be emailed to the intended customer from one of two accounts, lets call these Left and Right, depending on the postal code of the customer. We would like to use Microsoft Graph API to facilitate sending these emails. I'm confused as to whether I should get access to Graph 'on behalf of a user' or 'without a user'. The quotation is not sent from the account of the project manager that is logged into the app. It is sent from either the Left or the Right account. Thanks for any guidance!
On behalf of a user:
https://learn.microsoft.com/en-us/graph/auth-v2-user
Without a user:
https://learn.microsoft.com/en-us/graph/auth-v2-service
I think the choice depends on the way you set up your application.
The 'without a user' flow refers to a process in which there is no user that signs in. That means you need to obtain a token in that process to send an e-mail using the Graph API. If your admin has given consent to your application's permissions for sending e-mails, it is possible to send an e-mail as a given user. Rather than the user consenting on behalf of their inbox like the 'On behalf' flow, the admin can consent on behalf of all user's inboxes in a given tenant. You will need an auth token on behalf of your application and the id of the given user. Though this would personally not have my preference as technically e-mail can be sent from any e-mail address within the tenant.
You could use the 'On behalf' flow if the project managers do have access to the left or right account (like a shared inbox) and if the e-mail sending is invoked from the application itself. If it is not sent from that context, you would need to use the first option.
I have a Slack App (source code) where I want to send reminders to channels where a certain piece of text has been mentioned the most on a schedule. It works, but there's a limitation:
The search.messsages API method only supports user tokens. I want this to run in the background, without interaction. Approaches that have come to mind:
Store my personal user token
Con: Would allow others with access to the token to be able to see my private messages
Create a fake user whose only purpose is that user token
Con: Have to pay for that fake user indefinitely, manage shared credentials, etc.
Any other ideas?
Here is what you can do:
Switch on distribution of the Slack app.
Have the admin, or an existing user on the Slack channel install the app. During the time of installation, you can ask for permissions with user token and search:read scope.
Now you can make all the searches using this user's token. You'll need to plan for the scenario where this user is deleted from the Slack workspace, your user token will stop working.
I don't think there is a way to control it from searching for your personal messages. Search functionality is dependent on the user token.
I’m working on a Slack app that a user can install to a workspace using Slack’s Oauth flow. After installing and configuring the app, I’m using Oauth to allow the user to log in and make changes to the app configuration.
The flow for a new user uses the "Add to Slack" button which asks the user to agree to allow bot and identity.* scopes after which my app retrieves and stores bot and user tokens.
Now I'd like to allow the same user to sign in using the "Sign in with Slack" Oauth flow. Per the Slack documentation, the "Sign in with Slack" flow allows just this using the same /oauth/authorize endpoint, but requests only one of the identity.* scopes (I'm using identity.basic):
Sign in with Slack
The user has already authorized my app for bot and identity.* scopes on the initial app install, but surprisingly he/she is re-prompted to confirm allowing my app identity.* scopes on each "Log in with Slack" action.
The slack documentation implies that subsequent login attempts will result in an automatic redirect:
After a user clicks your Sign in with Slack button, their web browser should arrive on Slack's servers.
Your application will wait patiently while the user handles some business or Slack just sends them on their way back to your redirect URL.
(emphasis mine)
However, Slack always requests that the user (re-)authorize my app for identity.* scopes. How can I log users in using Slack with a one-click flow?
Update: Response from Slack
I reached out to the Slack team and got this response:
Unfortunately it looks like we'll need to update the documentation as for the moment what's described there is not accurate. Particularly:
Returning users won’t be distracted by unnecessary approvals, we’ll send them back to your site, service, or app as fast as we can!
Due to a change we made to our authentication flow where we now allow users to select what workspace they're authing with, we present them with the "scopes" or "permissions" page again.
This is definitely something we should consider make better but for the time being it's the expected behaviour and we're going to revise the documentation to eflect that.
Sorry for the bad news.
As of 11/17/19 the Sign in with Slack documentation has not been updated.
For your requirement to implement a web page that is linked to your Slack app with authenticated Slack user you have two alternatives:
Sign-in with Slack
One approach would be to use Sign-in with Slack to authenticate users for your web page. This allows you to clearly authenticate users. However, the drawback is that users would have to repeat the login process every time they open this web page again. This can be somewhat mitigated by using cookies to keep users logged in between browser restarts until they manually log out of the web app.
Note that this auth process is independent from the user logging into his Slack workspace.
Own authentication
Alternatively you can let users directly open your web app from Slack, e.g. by clicking a link button you provide. This URL needs to include information that would allow your web app to get the users current context, e.g. his Slack and User ID.
Note that this URL can be obtainable and potentially misused by a user, so you would need to add measure to protect it e.g. by encrypting the IDs or by adding a secure hash or a one time token ...
If I have a user's Twitter ID or handle, can I get the e-mail address of this ID?
Your question is very confusing but here is the rule for receiving users' email.
Your application must have been approved by Twitter. More details can be found at https://dev.twitter.com/rest/reference/get/account/verify_credentials > Request a User’s Email Address. When using the form you will have to pick I need access to special permissions and inform that you want your application to have access to the user's email.
When you are approved you need to refresh all your application keys.
When this is done you need all your users to re-authorize your app with the new keys.
Finally when you call the account/verify_credentials endpoint you will receive the user's email.
Me and my colleagues developing an application (both web application and mobile app(iPhone & android)), which includes a login process.
Currently, we have our own login mechanism (where users have signed for an account on our app, and have stored their info in our Database). We are looking into integrating oAuth and allowing users to login with Facebook, Twitter, LinkedIn and Google.
Now, when the users logs with any of those, as I understand the login process occurs outside our application and basically only get permission to access their resources.
My question is this: through oAuth, how do we remember users? i.e., users who login have read /write privileges and have preferences. How do we remember those when they don't actually sign up through our app.. Can we store their email address in our "Users" table??
What are the best practices in such a scenario?
Thanks for any info you can provide.
Having built authentication databases for a few different OAuth-enabled web sites, I can say that I've learned a few things that you should keep in mind.
You should have a table of users for your site that is completely independent of which OAuth provider they used for sign-up/sign-in. This enables your site users to combine multiple accounts together under their primary identity on your site. (For example, associate both Facebook and Twitter with you.)
When you let a user sign up, you should get an email address from them. Whether you ask Facebook for it, or if you have to ask directly. This enables you to "upgrade" users later from depending purely on third party OAuth to setting their own password on your site. (You simply send them a link to your password reset page in order to get them started creating their first password.)
You don't want to use email address as your primary key. I'm not sure if that's what you're actually describing or not, but you really want them to have a local user ID that you use for maintaining their session, etc. You then associate their Facebook ID or their Twitter ID with that local ID, and use the correspondence between such identifiers to match up which of your site's users to consider logged in.