Slack SDK for Java
日本語 (Japanese) Go to GitHub

Sign in with Slack (OpenID Connect)

Sign in with Slack helps users log into your service using their Slack profile. The platform feature was recently upgraded to be compatible with the standard OpenID Connect specification. With Bolt for Java v1.10 or higher, implementing the auth flow is much easier.

Slack App Configuration

When you create a new Slack app, set the following user scopes:

oauth_config:
  redirect_urls:
    - https://example.com/replace-this-with-your-own-redirect-uri
  scopes:
    user:
      - openid   # required
      - email    # optional
      - profile  # optional

Slack Config for Your OpenID Connect App

Here is the list of the necessary configurations for serving your OpenID Connect app built with Bolt. If you prefer using other env variable names or other solutions to load this information, implement your own way to load AppConfig instead.

Env Variable Name Description (Where to find the value)
SLACK_CLIENT_ID Client ID (Find at Settings > Basic Information > App Credentials)
SLACK_CLIENT_SECRET Client Secret (Find at Settings > Basic Information > App Credentials)
SLACK_REDIRECT_URI Redirect URI (Configure at Features > OAuth & Permissions > Redirect URLs)
SLACK_USER_SCOPES Command-separated list of user scopes: scope parameter that will be appended to https://slack.com/openid/connect/authorize as a query parameter. The possible values are openid, email, and profile
SLACK_INSTALL_PATH Starting point of OpenID Connect flow: This endpoint redirects users to the Slack OpenID Connect endpoint with required query parameters such as client_id, scope, state, and nonce (optional).
SLACK_REDIRECT_URI_PATH Path for OpenID Connect Redirect URI: This endpoint handles callback requests after the Slack’s OpenID Connect confirmation. The path must be consistent with SLACK_REDIRECT_URI value.

Examples

Check the Servlet app example to learn how to implement your Web app that handles the OpenID Connect flow with end-users.

import java.util.*;

// implementation 'com.slack.api:bolt-jetty:{the latest version}'
import com.slack.api.Slack;
import com.slack.api.bolt.App;
import com.slack.api.bolt.jetty.SlackAppServer;

// If you want to decode the JWT id_token, you can use the following external library for it:
// implementation 'com.auth0:java-jwt:{the latest version}'
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;

// The following env variables are supposed to be set:
// SLACK_CLIENT_ID, SLACK_CLIENT_SECRET, SLACK_REDIRECT_URI, SLACK_USER_SCOPES
App app = new App().asOpenIDConnectApp(true);

// You can handle the OpenID Connect code authorization flow with this callback function
app.openIDConnectSuccess((req, resp, token) -> {
  var logger = req.getContext().getLogger();
  
  // TODO: Store the given "token" response (openid.connect.token API response)

  // Decode id_token in an openid.connect.token response
  DecodedJWT decoded = JWT.decode(token.getIdToken());
  Map<String, Claim> claims = decoded.getClaims();
  logger.info("claims: {}", claims);

  var teamId = claims.get("https://slack.com/team_id").asString();

  // Code example demonstrating how to call openid.connect.userInfo using the given access token
  var client = Slack.getInstance().methods();
  try {
    var userInfo = client.openIDConnectUserInfo(r -> r.token(token.getAccessToken()));
    logger.info("userInfo: {}", userInfo);

  } catch (Exception e) {
    throw new RuntimeException(e);
  }

  // Render a web page for the user (or you can redirect the user to the next step such as OAuth with other services)
  var html = app.config().getOAuthRedirectUriPageRenderer().renderSuccessPage(
    null, req.getContext().getOauthCompletionUrl());
  resp.setBody(html);
  resp.setContentType("text/html; charset=utf-8");
  return resp;
});

Map<String, App> apps = new HashMap<>();
apps.put("/slack/", app);
SlackAppServer server = new SlackAppServer(apps);
server.start();

If you enable the token rotation along with the OpenID Connect, the code can be like this:

// You can handle the OpenID Connect code authorization flow with this callback function
app.openIDConnectSuccess((req, resp, token) -> {
  var logger = req.getContext().getLogger();

  // TODO: Store the given "token" response (openid.connect.token API response)

  // Decode id_token in an openid.connect.token response
  DecodedJWT decoded = JWT.decode(token.getIdToken());
  Map<String, Claim> claims = decoded.getClaims();
  logger.info("claims: {}", claims);

  var teamId = claims.get("https://slack.com/team_id").asString();

  // Code example demonstrating how to call openid.connect.userInfo using the given access token
  var client = Slack.getInstance().methods();
  try {
    if (token.getRefreshToken() != null) {
      // run the first token rotation
      var refreshedToken = client.openIDConnectToken(r -> r
          .clientId(config.getClientId())
          .clientSecret(config.getClientSecret())
          .grantType("refresh_token")
          .refreshToken(token.getRefreshToken())
      );

      var teamIdWiredClient = Slack.getInstance().methods(refreshedToken.getAccessToken(), teamId);
      var userInfo = teamIdWiredClient.openIDConnectUserInfo(r -> r.token(refreshedToken.getAccessToken()));
      logger.info("userInfo: {}", userInfo);

    } else {
      throw new RuntimeException("Unexpectedly refresh token is absent");
    }

  } catch (Exception e) {
    throw new RuntimeException(e);
  }

  // Render a web page for the user (or you can redirect the user to the next step such as OAuth with other services)
  var html = app.config().getOAuthRedirectUriPageRenderer().renderSuccessPage(
    null, req.getContext().getOauthCompletionUrl());
  resp.setBody(html);
  resp.setContentType("text/html; charset=utf-8");
  return resp;
});