Code on GitHub Slack Platform Home

OAuth

Slack OAuth

The @slack/oauth package makes it simple to setup the OAuth flow for Slack apps. It supports V2 OAuth for Slack Apps as well as V1 OAuth for Classic Slack apps. Slack apps that are installed in multiple workspaces, like in the App Directory or in an Enterprise Grid, will need to implement OAuth and store information about each of those installations (such as access tokens).

The package handles URL generation, state verification, and authorization code exchange for access tokens. It also provides an interface for easily plugging in your own database for saving and retrieving installation data.

Installation

$ npm install @slack/oauth

Before building an app, you’ll need to create a Slack app and install it to your development workspace. You’ll also need to copy the Client ID and Client Secret given to you by Slack under the Basic Information of your app configuration.

It may be helpful to read the tutorials on getting started and getting a public URL that can be used for development.


Initialize the installer

This package exposes an InstallProvider class, which sets up the required configuration and exposes methods such as generateInstallUrl, handleCallback, authorize for use within your apps. At a minimum, InstallProvider takes a clientId and clientSecret (both which can be obtained under the Basic Information of your app configuration). InstallProvider also requires a stateSecret, which is used to encode the generated state, and later used to decode that same state to verify it wasn’t tampered with during the OAuth flow. Note: This example is not ready for production because it only stores installations (tokens) in memory. Please go to the storing installations in a database section to learn how to plug in your own database.

const { InstallProvider } = require('@slack/oauth');;

// initialize the installProvider
const installer = new InstallProvider({
  clientId: process.env.SLACK_CLIENT_ID,
  clientSecret: process.env.SLACK_CLIENT_SECRET,
  stateSecret: 'my-state-secret'
});
Using a classic Slack app
  const { InstallProvider } = require('@slack/oauth');;

  // initialize the installProvider
  const installer = new InstallProvider({
    clientId: process.env.SLACK_CLIENT_ID,
    clientSecret: process.env.SLACK_CLIENT_SECRET,
    stateSecret: 'my-state-secret',
    authVersion: 'v1' //required for classic Slack apps
  });

Generating an installation URL

You’ll need an installation URL when you want to test your own installation, in order to submit your app to the App Directory, and if you need an additional authorizations (user tokens) from users inside a team when your app is already installed. These URLs are also commonly used on your own webpages as the link for an “Add to Slack” button. You may also need to generate an installation URL dynamically when an option’s value is only known at runtime, and in this case you would redirect the user to the installation URL.

The installProvider.generateInstallUrl() method will create an installation URL for you. It takes in an options argument which at a minimum contains a scopes property. installProvider.generateInstallUrl() options argument also supports metadata, teamId, redirectUri and userScopes properties.

installer.generateInstallUrl({
  // Add the scopes your app needs
  scopes: ['channels:read']
})
Adding custom metadata to the installation URL

You might want to present an “Add to Slack” button while the user is in the middle of some other tasks (e.g. linking their Slack account to your service). In these situations, you want to bring the user back to where they left off after the app installation is complete. Custom metadata can be used to capture partial (incomplete) information about the task (like which page they were on or inputs to form elements the user began to fill out) in progress. Then when the installation is complete, that custom metadata will be available for your app to recreate exactly where they left off. You must also use a custom success handler when handling the OAuth redirect to read the custom metadata after the installation is complete.

installer.generateInstallUrl({
  // Add the scopes your app needs
  scopes: ['channels:read'],
  metadata: JSON.stringify({some:'sessionState'})
})

Note: custom metadata is visible to the user, so don’t store any secret information in the metadata. The installation provider will ensure that none of the metadata has been tampered with when the user returns. To change how metadata is handled, including hiding it from users, read about using a custom state store.


Handling the OAuth redirect

After the user approves the request to install your app (and grants access to the required permissions), Slack will redirect the user to your specified redirect url. You can either set the redirect url in the app’s OAuth and Permissions page or pass a redirectUri when calling installProvider.generateInstallUrl. Your HTTP server should handle requests to the redirect URL by calling the installProvider.handleCallback() method. The first two arguments (req, res) to installProvider.handleCallback are required. By default, if the installation is successful the user will be redirected back to your App Home in Slack (or redirected back to the last open workspace in your slack app for classic Slack apps). If the installation is not successful the user will be shown an error page.

const { createServer } = require('http');

const server = createServer((req, res) =>  {
  // our redirect_uri is /slack/oauth_redirect
  if (req.url === '/slack/oauth_redirect') {
    // call installer.handleCallback to wrap up the install flow
    installer.handleCallback(req, res);
  }
})

server.listen(3000);
Using an Express app

You can easily use installer.handleCallback within an Express app by setting up a route for the OAuth redirect.

app.get('/slack/oauth_redirect', (req, res) => {
  installer.handleCallback(req, res);
});
Using a custom success handler and custom failure handler

If you decide you need custom success or failure behaviors (ex: wanting to show a page on your site with instructions on how to use the app), you can pass in your own success/failure functions.

const callbackOptions = {
  success: (installation, installOptions, req, res) => {
    // Do custom success logic here
    res.send('successful!');
  }, 
  failure: (error, installOptions , req, res) => {
    // Do custom failure logic here
    res.send('failure');
  }
}
app.get('/slack/oauth_redirect', (req, res) => {
  installer.handleCallback(req, res, callbackOptions);
});

Storing installations in a database

Although this package uses a default MemoryInstallationStore, it isn’t recommended for production use since the access tokens it stores would be lost when the process terminates or restarts. Instead, InstallProvider has an option for supplying your own installation store, which is used to save and retrieve install information (like tokens) to your own database.

An installation store is an object that provides two methods: storeInstallation and fetchInstallation. storeInstallation takes an installation as an argument, which is an object that contains all installation related data (like tokens, teamIds, enterpriseIds, etc). fetchInstallation takes in a installQuery, which is used to query the database. The installQuery can contain teamId, enterpriseId, userId, and conversationId.

In the following example, the installationStore option is used and the object is defined in line. The required methods are implemented by calling an example database library with simple get and set operations.

const installer = new InstallProvider({
  clientId: process.env.SLACK_CLIENT_ID,
  clientSecret: process.env.SLACK_CLIENT_SECRET,
  stateSecret: 'my-state-secret',
  installationStore: {
    // takes in an installation object as an argument
    // returns nothing
    storeInstallation: (installation) => {
      // replace myDB.set with your own database or OEM setter
      myDB.set(installation.team.id, installation);
      return;
    },
    // takes in an installQuery as an argument
    // installQuery = {teamId: 'string', enterpriseId: 'string', userId: string, conversationId: 'string'};
    // returns installation object from database
    fetchInstallation: (installQuery) => {
      // replace myDB.get with your own database or OEM getter
      return myDB.get(installQuery.teamId);
    },
  },
});

Reading tokens and other installation data

You can use the the installationProvider.authorize() function to fetch data that has been saved in your installation store.

// installer.authorize takes in an installQuery as an argument
// installQuery = {teamId: 'string', enterpriseId: 'string', userId: string, conversationId: 'string'};
const result = installer.authorize({teamId:'my-Team-ID'});
/*
result = {
  botToken: '',
  userToken: '',
  botId: '',
  botUserId: '',
}
*/
Reading extended installation data

The installer.authorize() method only returns a subset of the installation data returned by the installation store. To fetch the entire saved installation, use the installer.installationStore.fetchInstallation() method.

// installer.installationStore.fetchInstallation takes in an installQuery as an argument
// installQuery = {teamId: 'string', enterpriseId: 'string', userId: string, conversationId: 'string'};
// returns an installation object
const result = installer.installationStore.fetchInstallation({teamId:'my-Team-ID', enterpriseId:'my-enterprise-ID'});

Using a custom state store

A state store handles generating the OAuth state parameter in the installation URL for a given set of options, and verifying the state in the OAuth callback and returning those same options.

The default state store, ClearStateStore, does not use any storage. Instead, it signs the options (using the stateSecret) and encodes them along with a signature into state. Later during the OAuth callback, it verifies the signature.

If you want to conceal the metadata used in the installation URL options you will need to store state on your server (in a database) by providing a custom state store. A custom state implements two methods: generateStateParam() and verifyStateParam(). When you instantiate the InstallProvider use the stateStore option to set your custom state store. And when using the custom state store, you no longer need to use the stateSecret option.

const installer = new InstallProvider({
  clientId: process.env.SLACK_CLIENT_ID,
  clientSecret: process.env.SLACK_CLIENT_SECRET,
  stateStore: {
    // generateStateParam's first argument is the entire InstallUrlOptions object which was passed into generateInstallUrl method
    // the second argument is a date object
    // the method is expected to return a string representing the state
    generateStateParam: (installUrlOptions, date) => {
      // generate a random string to use as state in the URL
      const randomState = randomStringGenerator();
      // save installOptions to cache/db
      myDB.set(randomState, installUrlOptions);
      // return a state string that references saved options in DB
      return randomState;
    },
    // verifyStateParam's first argument is a date object and the second argument is a string representing the state
    // verifyStateParam is expected to return an object representing installUrlOptions
    verifyStateParam:  (date, state) => {
      // fetch saved installOptions from DB using state reference
      const installUrlOptions = myDB.get(randomState);
      return installUrlOptions;
    }
  },
});

Setting the log level and using a custom logger

The InstallProvider will log interesting information to the console by default. You can use the logLevel to decide how much information, or how interesting the information needs to be, in order for it to be output. There are a few possible log levels, which you can find in the LogLevel export. By default, the value is set to LogLevel.INFO. While you’re in development, its sometimes helpful to set this to the most verbose: LogLevel.DEBUG.

// Import LogLevel from the package
const { InstallProvider, LogLevel } = require('@slack/oauth');

// Log level is one of the options you can set in the constructor
const installer = new InstallProvider({
  clientId: process.env.SLACK_CLIENT_ID,
  clientSecret: process.env.SLACK_CLIENT_SECRET,
  stateSecret: 'my-state-secret',
  logLevel: LogLevel.DEBUG,
});

All the log levels, in order of most to least information are: DEBUG, INFO, WARN, and ERROR.

Sending log output somewhere besides the console

You can also choose to have logs sent to a custom logger using the logger option. A custom logger needs to implement specific methods (known as the Logger interface):

Method Parameters Return type
setLevel() level: LogLevel void
setName() name: string void
debug() ...msgs: any[] void
info() ...msgs: any[] void
warn() ...msgs: any[] void
error() ...msgs: any[] void

A very simple custom logger might ignore the name and level, and write all messages to a file.

const { createWriteStream } = require('fs');
const logWritable = createWriteStream('/var/my_log_file'); // Not shown: close this stream

const installer = new InstallProvider({
  clientId: process.env.SLACK_CLIENT_ID,
  clientSecret: process.env.SLACK_CLIENT_SECRET,
  stateSecret: 'my-state-secret',
  // Creating a logger as a literal object. It's more likely that you'd create a class.
  logger: {
    debug(...msgs): { logWritable.write('debug: ' + JSON.stringify(msgs)); },
    info(...msgs): { logWritable.write('info: ' + JSON.stringify(msgs)); },
    warn(...msgs): { logWritable.write('warn: ' + JSON.stringify(msgs)); },
    error(...msgs): { logWritable.write('error: ' + JSON.stringify(msgs)); },
    setLevel(): { },
    setName(): { },
  },
});

Examples


Requirements

This package supports Node v10 LTS and higher. It’s highly recommended to use the latest LTS version of node, and the documentation is written using syntax and features from that version.