add to slack vs sign in with slack - slack-api

I have added the 'Add to Slack' button to my web project and it works fine like exchanging the code for an access token and redirecting to a URL of my choice. Now, I am a little bit confused between the 'Sign in with Slack' button. I know that it is used to log individual members in. So does it ask for their organization email and password and log them in or is it for logging in existing slack users? Also, as soon as I click on the sign in with slack button it takes me to a page where it asks me to authorise and leads me to the redirect uri I set for the Add to Slack button.
I see that they both have the same auth flow as mentioned on the slack API documentation except the scope for 'Sign in with Slack' is users.identity.
I am sorry if my question doesn't make much sense as I am pretty new to Slack. Would really appreciate if someone could help me clear some of these doubts about the two buttons

The gist of it is as follows:
Add to Slack
This button is for adding a new Slack app to a Slack team / workspace. You would only run this once for your app and team.
Sign-in with Slack
Is for authenticating existing Slack users to your non-Slack application, e.g. a website. A user will use it every time to sign in to your website, and your website can use it to verify that the user is who he says he is. It works similarly to other SSO services, like Google or Facebook sign-on, where e.g. you can use your existing Google account to sign in to a new website.

Related

How to signup with a personalized email using Google Oauth?

I have an application that authenticates users via Google Oauth. When I click Signup button, a signup screen would pop up as shown in the figure below.
The problem is that I want users to signup emails with domain name of my organization. Specifically, the username suffix should be @my_organization.com instead of @gmail.com as displayed in the figure. I have tried to modify the Oauth Consent Screen but there seems to be no option to configure this.
As you mentioned, "Sign in with Google" is for login purposes through the OAuth protocol when the accounts already exist in an organization. I am afraid this is not intended to delegate user creation, since this is a task only domain administrators are allowed within an organization.
The most you can achieve from OAuth is to force the sign-in with a specific domain; you can do this by modifying the "hd" parameter in the authentication request you are sending using Google's OAuth 2.0 API. Here you can check on this topic: click here
As mentioned above, if you are looking to create user accounts with a specific domain you need to be an administrator in a Google Workspace account.
I hope this information helps!
You can only use OAuth with registered Google accounts.
With Google Workspace you can use a domain in your Gmail, see.
But if that's not possible and you want a quick way to authenticate, maybe Auth0 or similar tools can help.
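The "hd" parameter mentioned in the answers above only preselects the domain on Google's sign-in page, and a user can alter the request, so the server still has to check the `hd` claim in the ID token it gets back. The following is an added example, not code from the original posts; the function names and the sample claims are constructed, and `claims` is assumed to be an ID-token payload whose signature, issuer, audience and expiry have already been verified by an OpenID Connect library.

```python
from urllib.parse import urlencode

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, state, hosted_domain):
    """Authorization request that asks Google to show only hosted_domain accounts."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",
        "state": state,          # anti-CSRF value tied to the user's session
        "hd": hosted_domain,     # UI hint only: the browser can drop or change it
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def domain_allowed(claims, hosted_domain):
    """Server-side check on an already verified ID-token payload (assumption)."""
    wanted = hosted_domain.lower()
    # Consumer accounts (gmail.com) carry no hd claim at all.
    if str(claims.get("hd", "")).lower() != wanted:
        return False
    # Only trust the address if Google says it has been verified.
    if claims.get("email_verified") is not True:
        return False
    # Compare the full suffix, including "@", not a substring of the address.
    return str(claims.get("email", "")).lower().endswith("@" + wanted)
```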

Installing Dialogflow bot in Slack fails due to 'oauth authorisation url mismatch'

I've got a simple Dialogflow bot that I'm trying to integrate with my Slack workspace.
I've made a Slack app for the bot.
I've added all the information in Dialogflow integration dialog.
On Slack app side I've set-up bot user, added event subscriptions (including link from DF) and set up OAuth scopes and added the URL.
However, the bot won't reply back. Everything looks fine in DF logs but I'm not getting responses in Slack. Previously I've been able to solve this kind of situation by clicking the 'Install to Slack' button under the 'Manage distribution' tab. However, now when I do that (and allow installation), I receive the following error message:
While starting bot the error appears:
Bot start error: oauth_authorization_url_mismatch
From Slack documentation I've found out that this means "The OAuth flow was initiated on an incorrect version of the authorization url. The flow must be initiated via /oauth/authorize." However, the OAuth URL Dialogflow provides is of form bots.dialogflow.com/slack/<TOKEN>/start.
I've contacted both Slack and Dialogflow support, done a bunch of Googling and asked a few people that also work on Slack bots, but I've found nothing. Maybe someone here who has run into the same issue would know what to do?
Recently the Slack team made a change in the OAuth authentication with backward incompatible changes. This change breaks the integration with Dialogflow.
Fortunately, the old functionality has not been fully removed from Slack. In the link I shared above (here it is again), at the bottom of the documentation there's an option to "Create a classic Slack app". If you click on it, you will be able to create a "legacy" bot and follow the Dialogflow-Slack integration guide; it will work as intended.
An important thing to notice is that you'll see an option to "Update Scopes". Be careful not to make this update, as this will change the authentication from classic to the new approach, and it will break the bot.
Finally, the Dialogflow team already knows about this issue and they're working to make the integration compatible with the new Slack authentication. You can subscribe to that IssueTracker (click the star next to the title) and get updates regarding its progress.

Slack Oauth: Automatically authorize user if user had already authorized app

I’m working on a Slack app that a user can install to a workspace using Slack’s Oauth flow. After installing and configuring the app, I’m using Oauth to allow the user to log in and make changes to the app configuration.
The flow for a new user uses the "Add to Slack" button which asks the user to agree to allow bot and identity.* scopes after which my app retrieves and stores bot and user tokens.
Now I'd like to allow the same user to sign in using the "Sign in with Slack" Oauth flow. Per the Slack documentation, the "Sign in with Slack" flow allows just this using the same /oauth/authorize endpoint, but requests only one of the identity.* scopes (I'm using identity.basic):
Sign in with Slack
The user has already authorized my app for bot and identity.* scopes on the initial app install, but surprisingly he/she is re-prompted to confirm allowing my app identity.* scopes on each "Log in with Slack" action.
The slack documentation implies that subsequent login attempts will result in an automatic redirect:
After a user clicks your Sign in with Slack button, their web browser should arrive on Slack's servers.
Your application will wait patiently while the user handles some business or Slack just sends them on their way back to your redirect URL.
(emphasis mine)
However, Slack always requests that the user (re-)authorize my app for identity.* scopes. How can I log users in using Slack with a one-click flow?
Update: Response from Slack
I reached out to the Slack team and got this response:
Unfortunately it looks like we'll need to update the documentation as for the moment what's described there is not accurate. Particularly:
Returning users won’t be distracted by unnecessary approvals, we’ll send them back to your site, service, or app as fast as we can!
Due to a change we made to our authentication flow where we now allow users to select what workspace they're authing with, we present them with the "scopes" or "permissions" page again.
This is definitely something we should consider making better but for the time being it's the expected behaviour and we're going to revise the documentation to reflect that.
Sorry for the bad news.
As of 11/17/19 the Sign in with Slack documentation has not been updated.
For your requirement to implement a web page that is linked to your Slack app with authenticated Slack user you have two alternatives:
Sign-in with Slack
One approach would be to use Sign-in with Slack to authenticate users for your web page. This allows you to clearly authenticate users. However, the drawback is that users would have to repeat the login process every time they open this web page again. This can be somewhat mitigated by using cookies to keep users logged in between browser restarts until they manually log out of the web app.
Note that this auth process is independent from the user logging into his Slack workspace.
Own authentication
Alternatively you can let users directly open your web app from Slack, e.g. by clicking a link button you provide. This URL needs to include information that would allow your web app to get the user's current context, e.g. his Slack and User ID.
Note that this URL can be obtained and potentially misused by a user, so you would need to add measures to protect it e.g. by encrypting the IDs or by adding a secure hash or a one time token ...
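One way to build the protected link described in the answer above, combining a secure hash (HMAC-SHA256 over the IDs), an expiry time and a one-time token. This is an added example, not code from the original post; the parameter names, the `|` message layout, the in-memory nonce set and the `app.example` URL are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = secrets.token_bytes(32)   # assumption: server-side key, never sent to clients
_used_nonces = set()               # assumption: stands in for a shared store with expiry


def _sign(team, user, exp, nonce):
    # Slack IDs are alphanumeric, so "|" cannot appear inside a field.
    msg = f"{team}|{user}|{exp}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_link(base_url, team, user, ttl=300, now=None):
    """Build the link the Slack button opens; valid for ttl seconds, usable once."""
    exp = int((time.time() if now is None else now) + ttl)
    nonce = secrets.token_urlsafe(16)
    query = {"team": team, "user": user, "exp": exp, "nonce": nonce,
             "sig": _sign(team, user, exp, nonce)}
    return base_url + "?" + urlencode(query)


def verify_link(url, now=None):
    """Return (team, user) for a valid, unexpired, unused link, else None."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        team, user, nonce, sig = q["team"], q["user"], q["nonce"], q["sig"]
        exp = int(q["exp"])
    except (KeyError, ValueError):
        return None                      # a required field is missing or malformed
    expected = _sign(team, user, exp, nonce)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None                      # IDs, expiry or nonce were altered
    if (time.time() if now is None else now) > exp:
        return None                      # link is too old
    if nonce in _used_nonces:
        return None                      # link was already used once
    _used_nonces.add(nonce)
    return team, user
```

The signature is checked before the nonce is recorded, so a forged link cannot be used to burn a legitimate user's one-time token.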

how to auto sign out user after using "sign in with slack" with oauth2

After using the oauth2 flow for Slack ("Sign in with Slack") and making appropriate API calls, we need to make sure users are properly signed out of Slack as well, else, on a shared computer, subsequent users would gain access to their info.
We're using oauth2 with Slack and all is well but we don't know how to explicitly log users out of Slack. We spied a generic url (https://slack.com/signout/{first-part-of-oauth2-client-id-here}) which does take the user to their main page, with a dialog and a button. But in our case we've already asked the user if they want us to log them out of Slack so that dialog is jarring (and redundant).
We can't find an api to allow for this use case.
This is NOT asking for access_token revocation (which we do as well), this is simply signing the user out of that particular computer (after they asked to sign out of our app)

Simultaneously "Add to Slack" and "Sign in with Slack"

I'm working on a Slack app that also links with a web app, which users can log into using Slack. It's very common for a new user to need to both log into the web app and add the app to Slack.
I'd like to let them do this with a single trip through OAuth. Since the web app needs a name, email address, and profile picture for each user, I added the "identity.basic", "identity.email", etc. scopes to the ones requested by the "Add to Slack" button. But it turns out that Slack doesn't allow this. The Slack OAuth page says "Invalid permissions requested: Cannot request both identity scopes and other scopes at the same time".
One alternative might be to request the users:read and users:read.email scopes instead of the identity scopes. But this gives our app more access than it needs; it just needs the info for the current user, not for all users on the team. (It might later need that info for all users, so I'm considering doing this anyway, but I'm not sure if users would like it.)
The other alternative seems to be to make the user go through two different OAuth permissions screens. But this seems cumbersome and not a good user experience.
So the questions are (1) is there a better way, and (2) why doesn't Slack allow combining the identity scopes with others?
UPDATE to clarify, in response to the answer from @erik-kalkoken:
I'm aware of the differences between "Add to Slack" and "Sign In with Slack". I certainly don't intend to take away the option for most users to do a simple "Sign In with Slack". However, with this particular app, it makes no sense to do "Add to Slack" without also being signed in to the web app. This needs to be done by one person per Slack team before other users on that team can use it. Our onboarding process for new teams is a bit cumbersome, and I'm looking for ways to make it simpler and smoother. Since the sign-in and add steps could theoretically be combined into one step, I would prefer to do that.
Part of this may be because we aren't developing a "Slack app"; we're developing a Slack integration for a web app. The web app can be used without using Slack, and has its own concepts of users and communities.
The "better way" in my opinion would be to not combine these two functions on your website, because their effect is very different. I would argue that it would be confusing to users if they are combined and would not make a good user experience.
"Add to Slack" is installing a Slack app for the whole Slack team. You only do this once and it's usually done by the admin of a Slack team.
"Sign in with Slack" is used to authenticate any user of a Slack team. You would use this function every time you log into your app and it's used by many users of a Slack team.
