Slack OAuth
The @slack/oauth
package makes it simple to setup the OAuth flow for Slack apps. It supports V2 OAuth for Slack Apps as well as V1 OAuth for Classic Slack apps. Slack apps that are installed in multiple workspaces, like in the App Directory or in an Enterprise Grid, will need to implement OAuth and store information about each of those installations (such as access tokens).
The package handles URL generation, state verification, and authorization code exchange for access tokens. It also provides an interface for easily plugging in your own database for saving and retrieving installation data.
Installation
$ npm install @slack/oauth
Usage
These examples show how to get started using the most common features. You'll find more extensive documentation on the package's website.
Before building an app, you'll need to create a Slack app and install it to your development workspace. You'll also need to copy the Client ID and Client Secret given to you by Slack under the Basic Information of your app configuration.
It may be helpful to read the tutorials on getting started and getting a public URL that can be used for development.
Initialize the installer
This package exposes an InstallProvider
class, which sets up the required configuration and exposes methods such as generateInstallUrl
, handleCallback
, authorize
for use within your apps. At a minimum, InstallProvider
takes a clientId
and clientSecret
(both which can be obtained under the Basic Information of your app configuration). InstallProvider
also requires a stateSecret
, which is used to encode the generated state, and later used to decode that same state to verify it wasn't tampered with during the OAuth flow. Note: This example is not ready for production because it only stores installations (tokens) in memory. Please go to the storing installations in a database section to learn how to plug in your own database.
const { InstallProvider } = require('@slack/oauth');
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateSecret: process.env.SLACK_STATE_SECRET,
});
Using a classic Slack app
const { InstallProvider } = require('@slack/oauth');
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateSecret: process.env.SLACK_STATE_SECRET,
authVersion: 'v1'
});
Generating an installation URL
You'll need an installation URL when you want to test your own installation, in order to submit your app to the App Directory, and if you need an additional authorizations (user tokens) from users inside a team when your app is already installed. These URLs are also commonly used on your own webpages as the link for an "Add to Slack" button. You may also need to generate an installation URL dynamically when an option's value is only known at runtime, and in this case you would redirect the user to the installation URL.
The installProvider.generateInstallUrl()
method will create an installation URL for you. It takes in an options argument which at a minimum contains a scopes
property. installProvider.generateInstallUrl()
options argument also supports metadata
, teamId
, redirectUri
and userScopes
properties.
installer.generateInstallUrl({
scopes: ['channels:read']
})
Adding custom metadata to the installation URL
You might want to present an "Add to Slack" button while the user is in the middle of some other tasks (e.g. linking their Slack account to your service). In these situations, you want to bring the user back to where they left off after the app installation is complete. Custom metadata can be used to capture partial (incomplete) information about the task (like which page they were on or inputs to form elements the user began to fill out) in progress. Then when the installation is complete, that custom metadata will be available for your app to recreate exactly where they left off. You must also use a custom success handler when handling the OAuth redirect to read the custom metadata after the installation is complete.
installer.generateInstallUrl({
scopes: ['channels:read'],
metadata: JSON.stringify({some:'sessionState'})
})
Note: custom metadata is visible to the user, so don't store any secret information in the metadata. The installation provider will ensure that none of the metadata has been tampered with when the user returns. To change how metadata is handled, including hiding it from users, read about using a custom state store.
Handling the OAuth redirect
After the user approves the request to install your app (and grants access to the required permissions), Slack will redirect the user to your specified redirect url. You can either set the redirect url in the app’s OAuth and Permissions page or pass a redirectUri
when calling installProvider.generateInstallUrl
. Your HTTP server should handle requests to the redirect URL by calling the installProvider.handleCallback()
method. The first two arguments (req
, res
) to installProvider.handleCallback
are required. By default, if the installation is successful the user will be redirected back to your App Home in Slack (or redirected back to the last open workspace in your slack app for classic Slack apps). If the installation is not successful the user will be shown an error page.
const { createServer } = require('http');
const server = createServer((req, res) => {
if (req.url === '/slack/oauth_redirect') {
installer.handleCallback(req, res);
}
})
server.listen(3000);
Using an Express app
You can easily use installer.handleCallback
within an Express app by setting up a route for the OAuth redirect.
app.get('/slack/oauth_redirect', (req, res) => {
installer.handleCallback(req, res);
});
Using a custom success handler and custom failure handler
If you decide you need custom success or failure behaviors (ex: wanting to show a page on your site with instructions on how to use the app), you can pass in your own success/failure functions.
const callbackOptions = {
success: (installation, installOptions, req, res) => {
const htmlResponse = `<html><body>Success!</body></html>`
res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
res.end(htmlResponse);
},
failure: (error, installOptions , req, res) => {
res.writeHead(500, { 'Content-Type': 'text/html; charset=utf-8' });
res.end('<html><body><h1>Oops, Something Went Wrong! Please Try Again or Contact the App Owner</h1></body></html>');
}
}
app.get('/slack/oauth_redirect', (req, res) => {
installer.handleCallback(req, res, callbackOptions);
});
---
Storing installations in a database
Although this package uses a default MemoryInstallationStore
, it isn't recommended for production use since the access tokens it stores would be lost when the process terminates or restarts. Instead, InstallProvider
has an option for supplying your own installation store, which is used to save and retrieve install information (like tokens) to your own database.
An installation store is an object that provides two methods: storeInstallation
, and fetchInstallation
. storeInstallation
takes an installation
as an argument, which is an object that contains all installation related data (like tokens, teamIds, enterpriseIds, etc). fetchInstallation
takes in a installQuery
, which is used to query the database. The installQuery
can contain teamId
, enterpriseId
, userId
, conversationId
and isEnterpriseInstall
.
In the following example, the installationStore
option is used and the object is defined in line. The methods are implemented by calling an example database library with simple get and set operations.
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateSecret: process.env.SLACK_STATE_SECRET,
installationStore: {
storeInstallation: async (installation) => {
if (installation.isEnterpriseInstall) {
return myDB.set(installation.enterprise.id, installation);
} else {
return myDB.set(installation.team.id, installation);
}
throw new Error('Failed saving installation data to installationStore');
},
fetchInstallation: async (installQuery) => {
if (installQuery.isEnterpriseInstall && installQuery.enterpriseId !== undefined) {
return await myDB.get(installQuery.enterpriseId);
}
if (installQuery.teamId !== undefined) {
return await myDB.get(installQuery.teamId);
}
throw new Error('Failed fetching installation');
},
deleteInstallation: async (installQuery) => {
if (installQuery.isEnterpriseInstall && installQuery.enterpriseId !== undefined) {
return await myDB.delete(installQuery.enterpriseId);
}
if (installQuery.teamId !== undefined) {
return await myDB.delete(installQuery.teamId);
}
throw new Error('Failed to delete installation');
},
},
});
Reading tokens and other installation data
You can use the the installationProvider.authorize()
function to fetch data that has been saved in your installation store.
const result = installer.authorize({teamId: 'my-team-ID'});
Reading extended installation data
The installer.authorize()
method only returns a subset of the installation data returned by the installation store. To fetch the entire saved installation, use the installer.installationStore.fetchInstallation()
method.
const result = await installer.installationStore.fetchInstallation({teamId:'my-team-ID', enterpriseId:'my-enterprise-ID'});
Using a custom state store
A state store handles generating the OAuth state
parameter in the installation URL for a given set of options, and verifying the state
in the OAuth callback and returning those same options.
The default state store, ClearStateStore
, does not use any storage. Instead, it signs the options (using the stateSecret
) and encodes them along with a signature into state
. Later during the OAuth callback, it verifies the signature.
If you want to conceal the metadata
used in the installation URL options you will need to store state
on your server (in a database) by providing a custom state store. A custom state implements two methods: generateStateParam()
and verifyStateParam()
. When you instantiate the InstallProvider
use the stateStore
option to set your custom state store. And when using the custom state store, you no longer need to use the stateSecret
option.
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateStore: {
generateStateParam: (installUrlOptions, date) => {
const randomState = randomStringGenerator();
myDB.set(randomState, installUrlOptions);
return randomState;
},
verifyStateParam: (date, state) => {
const installUrlOptions = myDB.get(randomState);
return installUrlOptions;
}
},
});
Setting the log level and using a custom logger
The InstallProvider
will log interesting information to the console by default. You can use the logLevel
to decide how
much information, or how interesting the information needs to be, in order for it to be output. There are a few possible
log levels, which you can find in the LogLevel
export. By default, the value is set to LogLevel.INFO
. While you're
in development, its sometimes helpful to set this to the most verbose: LogLevel.DEBUG
.
const { InstallProvider, LogLevel } = require('@slack/oauth');
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateSecret: process.env.SLACK_STATE_SECRET,
logLevel: LogLevel.DEBUG,
});
All the log levels, in order of most to least information are: DEBUG
, INFO
, WARN
, and ERROR
.
Sending log output somewhere besides the console
You can also choose to have logs sent to a custom logger using the logger
option. A custom logger needs to implement
specific methods (known as the Logger
interface):
Method | Parameters | Return type |
---|
setLevel() | level: LogLevel | void |
setName() | name: string | void |
debug() | ...msgs: any[] | void |
info() | ...msgs: any[] | void |
warn() | ...msgs: any[] | void |
error() | ...msgs: any[] | void |
A very simple custom logger might ignore the name and level, and write all messages to a file.
const { createWriteStream } = require('fs');
const logWritable = createWriteStream('/var/my_log_file');
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateSecret: process.env.SLACK_STATE_SECRET,
logger: {
debug(...msgs): { logWritable.write('debug: ' + JSON.stringify(msgs)); },
info(...msgs): { logWritable.write('info: ' + JSON.stringify(msgs)); },
warn(...msgs): { logWritable.write('warn: ' + JSON.stringify(msgs)); },
error(...msgs): { logWritable.write('error: ' + JSON.stringify(msgs)); },
setLevel(): { },
setName(): { },
},
});
Examples
Requirements
This package supports Node v18 and higher. It's highly recommended to use the latest LTS version of
node, and the documentation is written using syntax and features
from that version.
Getting Help
If you get stuck, we're here to help. The following are the best ways to get assistance working through your issue:
- Issue Tracker for questions, feature requests, bug reports and
general discussion related to these packages. Try searching before you create a new issue.
- Email us in Slack developer support:
developers@slack.com
- Bot Developers Hangout: a Slack community for developers
building all types of bots. You can find the maintainers and users of these packages in #sdk-node-slack-sdk.