I have a Slack bot application that needs to authenticate messages received. Instead of receiving a token from Slack, my application will provide a token to Slack. Slack would then send the token to my application during each request. My application can then authenticate who the message came from.
Is there a way on Slack's platform to be an Oauth provider to Slack or some way to authenticate messages?
Thank you
Ah I see! So, again, this is not precisely what you are looking for, but it comes pretty close:
What you can do is use your own OAuth system external to Slack and then tie the users in that system to the user_ids from your Slack team.
On request from a particular user, your bot could DM this user a unique URL that is tied to your own (slack-external) OAuth system. Once the process is complete you can associate your way of identifying users with that of Slack (ie. team_id and user_id)
As a result any message that your bot receives, which would include the user_id of the user that sent it, can now be checked against your own User model to see if this particular user has the required permissions or anything of that nature.
This way you can essentially use any OAuth system in conjunction with Slack's methods of identifying users. It's a bit hacky, but it works.
I built something like this a few months ago. Here we are using the Mondo API's OAuth on top of Slack's own OAuth: Mondobot
The file with the relevant code is this one.
Related
Trying to send out chat message from Bot with sender as a current logged in user. I am able to implement this with graph api using On Behalf of flow. However the API is still in Beta and don't think we can use it in production setting.
https://learn.microsoft.com/en-us/graph/api/chat-post-message?view=graph-rest-beta&tabs=http
Is there a different way? Can we use ConnectorClient? Tried this, but the chat message is sent by the bot instead of the current logged in user. I am not able to create user token with botframework.com. It is always bot or the registered app.
Do anyone know if there is a way to accomplish this avoiding the graph beta api?
I need to send emails from my server, through simple REST calls, from my backend-server email address, to the email addresses registered in the system.
But there is a problem, bear with me.
The thing is a lot of the documentation I've seen so far seems to assume I want to access the clients gmail data, which I don't, I only use the client's address as a destinatary.
A lot of the examples I've seen, involve a visual promt to authorize the access to the api.
BUT WHY?
They assume I'm gonna be making apicalls from a mobile device, acting on behalf of the client, which needs a visual prompt for consent. But none of that applies to my use case.
The thing is, there is ever only gonna be one sender, "ME" (the company email designated for the backend server).
I should be able to create a secret api_key on the google console, and send that in my request headers (like freaking FIREBASE does), or use that key to generate a token which I then send to the api endpoint (like Paypal does).
I want to be able to do something like:
POST https://gmail.googleapis.com/upload/gmail/v1/users/{userId}/messages/send
Authorization: key=<key_created_on_google_console_or_token_obtained_using_said_key>
{
message stuff...
}
The api reference on google says that I need to create an authorization using OAuth credentials, which I'm then supposed to use to create a short lived token that is inserted as
"Authorization: Bearer <TOKEN>"
in my next apicalls, until it expires. But...
In the console, creating a new OAuth2.0 client ID, says I need to create an app. But I already have a proyect and an api_key (with permissions to gmail api). And that said app is gonna have to be sent for review!. What's going on?.
So..
How do I send emails, from my own-controlled email address, using REST calls.
It's all server side, no need to access any user data (not even my own), I already control the sender address, I already have created a project on google console, I already created an api_key.
OAuth seems to think I'm doing something I'm not, so what am I missing?.
Thanks.
The Bearer token is an OAuth2 access token that you get after authorizing your app to access your Gmail account. It's designed for 3rd party authorizations really (like your users allowing your app to access their Gmail) that is why it seems complex when you're accessing your own account.
Check this out https://developers.google.com/identity/protocols/oauth2
Turns out I was trying to use the wrong tool for the problem.
After looking for alternatives I found out about MailGun and SendGrid.
Tried SendGrid and it fit like a glove. Love it.
I was using Gmail+PHPMailer for this problem and thought the new api was meant to replace that, but turns out it's not.
Alexey pointed out the intended use in his answer. Actually I might end up integrating the new Gmail api more in line with it's intended use on my clients mobile devices.
It was all my missunderstanding.
Thank you for your time.
I made a new Slack App, got both my user token and bot token, and now my app can post messages as me. But what if I want this app to post messages as someone else from my team? How to get their token? Or where they can find it?
Tokens in slack can only be retrieved from the your slack apps OAuth page. This cannot be done via the API. If you want to send the messages as another user what you need to do is:
Create the a slack app using the users account.
Assign the relevant permissions to the app.
Install the app to your work space.
Fetch the generated tokens from the OAUTH and permissions section.
I’m working on a Slack app that a user can install to a workspace using Slack’s Oauth flow. After installing and configuring the app, I’m using Oauth to allow the user to log in and make changes to the app configuration.
The flow for a new user uses the "Add to Slack" button which asks the user to agree to allow bot and identity.* scopes after which my app retrieves and stores bot and user tokens.
Now I'd like to allow the same user to sign in using the "Sign in with Slack" Oauth flow. Per the Slack documentation, the "Sign in with Slack" flow allows just this using the same /oauth/authorize endpoint, but requests only one of the identity.* scopes (I'm using identity.basic):
Sign in with Slack
The user has already authorized my app for bot and identity.* scopes on the initial app install, but surprisingly he/she is re-prompted to confirm allowing my app identity.* scopes on each "Log in with Slack" action.
The slack documentation implies that subsequent login attempts will result in an automatic redirect:
After a user clicks your Sign in with Slack button, their web browser should arrive on Slack's servers.
Your application will wait patiently while the user handles some business or Slack just sends them on their way back to your redirect URL.
(emphasis mine)
However, Slack always requests that the user (re-)authorize my app for identity.* scopes. How can I log users in using Slack with a one-click flow?
Update: Response from Slack
I reached out to the Slack team and got this response:
Unfortunately it looks like we'll need to update the documentation as for the moment what's described there is not accurate. Particularly:
Returning users won’t be distracted by unnecessary approvals, we’ll send them back to your site, service, or app as fast as we can!
Due to a change we made to our authentication flow where we now allow users to select what workspace they're authing with, we present them with the "scopes" or "permissions" page again.
This is definitely something we should consider make better but for the time being it's the expected behaviour and we're going to revise the documentation to eflect that.
Sorry for the bad news.
As of 11/17/19 the Sign in with Slack documentation has not been updated.
For your requirement to implement a web page that is linked to your Slack app with authenticated Slack user you have two alternatives:
Sign-in with Slack
One approach would be to use Sign-in with Slack to authenticate users for your web page. This allows you to clearly authenticate users. However, the drawback is that users would have to repeat the login process every time they open this web page again. This can be somewhat mitigated by using cookies to keep users logged in between browser restarts until they manually log out of the web app.
Note that this auth process is independent from the user logging into his Slack workspace.
Own authentication
Alternatively you can let users directly open your web app from Slack, e.g. by clicking a link button you provide. This URL needs to include information that would allow your web app to get the users current context, e.g. his Slack and User ID.
Note that this URL can be obtainable and potentially misused by a user, so you would need to add measure to protect it e.g. by encrypting the IDs or by adding a secure hash or a one time token ...
I am trying to make a bot that will listen to all public & private channels, and IMs for a team, and will reply when it sees certain trigger words. This will be a "Slack App", installable to your team using the "Add to Slack" button, and includes a "Bot User".
I have asked for the "bot" OAuth scope, and subscribed to the "message.channels,message.groups and message.im" Team Events (at https://api.slack.com/apps/myAppId/event-subscriptions) but do not appear to receive event POSTs through the Events API when new messages are sent.
Adding the "channels:history,groups:history,im:history" scopes makes the bot receive these event POSTs, but I believe only for the user that added the bot, so it will not watch groups that the adding-user was not a member of, or IMs between 2 other users. This means that behaviour will be different, depending on which user installed my bot.
Is there a way of installing the app/bot for an entire team? The documentation seems to indicate that a 'bot' scope should have the ability to receive events, but I am not seeing this (I require the channels:history scope etc. above).
bot - request this scope when your Slack app includes bot user functionality. Unlike incoming-webhook and commands, the bot scope grants your bot user access to a subset of Web API methods, the RTM API, and certain event types in the Events API.
(from https://api.slack.com/docs/oauth-scopes)
The page on bots also claims that a bot can receive all messages through the RTM API:
This websocket will send you all of the messages and activity that happen in public and private channels that the bot user is invited to, as well as messages that are sent to it via direct message. A bot user opens this websocket with the RTM API by sending an authenticated call to the rtm.start API method. To learn more about connecting to the RTM API, read the documentation here.
(from https://api.slack.com/bot-users)
Is this same behaviour possible in the events API without needing to use the RTM API or add those additional scopes mentioned above?
I see from your comment that you have understood that the bot scope (and the channels.message Events subscription) allows your bot to receive from channels it is present in.
You have two options
1) you ask for channel.write scope in addition to bot, and you invite the bot in all channels (using the user token, not the bot token)
2) you work on your onboarding and figure out a way to get your "champion", ie the user who installed your app, to invite your bot in relevant channel.
Keep in mind that solution 1) is usually seen as very intrusive, especially in large teams where most people haven't heard of your app nor taken the decision to install it. But it can be suitable for some very specific use cases. Option 2) is the recommended route, but it is hard :-) Good luck!