"Sign in with Slack" is unsupported by Bolt and its underlying OAuth module

[justman00]

Description

Currently, I am developing a slack app, build with bolt. I have implemented OAuth as suggested here. So, naturally bolt has created this endpoint /slack/install for installing and authorizing the slack app into a workspace, when I (the creator) click it and try to authorize it, it works perfectly fine, however from time to time with some small issuers, but when somebody else from the exterior does it, it always throws an error: Something went wrong when authorizing this app.. Logs:

[DEBUG]  web-api:WebClient:0 initialized
[DEBUG]  web-api:WebClient:0 apiCall('oauth.v2.access') start
[DEBUG]  web-api:WebClient:0 will perform http request
[DEBUG]  web-api:WebClient:0 http response received
[DEBUG]  web-api:WebClient:1 initialized
[DEBUG]  web-api:WebClient:1 apiCall('auth.test') start
[DEBUG]  web-api:WebClient:1 will perform http request
[DEBUG]  web-api:WebClient:1 http response received
[DEBUG]  web-api:WebClient:2 initialized
[DEBUG]  web-api:WebClient:2 apiCall('auth.test') start
[DEBUG]  web-api:WebClient:2 will perform http request
[DEBUG]  web-api:WebClient:2 http response received
[ERROR]  OAuth:InstallProvider:0 Error: An API error occurred: invalid_auth
    at Object.platformErrorFromResult (/path-to-/node_modules/@slack/web-api/dist/errors.js:51:33)
    at WebClient.apiCall (/path-to-/node_modules/node_modules/@slack/web-api/dist/WebClient.js:158:28)
    at processTicksAndRejections (internal/process/task_queues.js:93:5) {
  code: 'slack_webapi_platform_error',
  data: {
    ok: false,
    error: 'invalid_auth',
    response_metadata: { scopes: [Array] }
  }
}
[DEBUG]  OAuth:InstallProvider:0 calling passed in options.failure

What type of issue is this? (place an x in one of the [ ])

• bug
• enhancement (feature request)
• question
• documentation related
• example code related
• testing related
• discussion

Requirements (place an x in each of the [ ])

• I've read and understood the Contributing guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.
• I've searched for any related issues and avoided creating a duplicate issue.

---

Bug Report

Here is the code:

import { App, LogLevel, ExpressReceiver } from '@slack/bolt';
import { Low, JSONFile } from 'lowdb';
import { join } from 'path';
import { sendWelcomeMessage } from './views/messages.js';
import { createUserProfile } from './auth/authGetTilo.js';
import { newUserHomePage } from './views/homePage.js';

const file = join('./db.json');
const adapter = new JSONFile(file);
const db = new Low(adapter);

const receiver = new ExpressReceiver({
  signingSecret: process.env.SLACK_SIGNING_SECRET,
  logLevel: LogLevel.DEBUG,
  clientId: process.env.SLACK_CLIENT_ID,
  clientSecret: process.env.SLACK_CLIENT_SECRET,
  stateSecret: 'someStateSecret',
  scopes: ['commands', 'chat:write'],
  installationStore: {
    storeInstallation: async (installation) => {
      // change the line below so it saves to your database
      console.log('installation', installation);
      await db.read();
      db.data = db.data || {};
      db.data.installation = installation;
      await db.write();
      // save to db

      sendWelcomeMessage(app, installation);
      createUserProfile(app, installation, db)
    },
    fetchInstallation: async (installQuery) => {
      // change the line below so it fetches from your database
      console.log('installQuery', installQuery);
      await db.read();
      if (db.data.installation) {
        return db.data.installation;
      }

      throw new Error('Failed fetching installation');
    },
    deleteInstallation: async (installQuery) => {
      // change the line below so it deletes from your database
    },
  },
  installerOptions: {
    userScopes: ['identity.basic', 'identity.email'],
    callbackOptions: {
      success: (installation, installOptions, req, res) => {
        res.end('success');
      },
      failure: (error, installOptions, req, res) => {
        res.end('failure');
      },
    },
  },
});

const app = new App({ receiver });

// All the room in the world for your code
app.event('app_home_opened', params => newUserHomePage(params, db));

(async () => {
  // Start your app
  await app.start(process.env.PORT || 3000);

  console.log('⚡️ Bolt app is running!');
})();

please ignore the LowDB part, it's just for testing

Reproducible in:

package version: "^3.5.0"

node version: v14.13.1

OS version(s): macOS Big Sur

Expected result:

Users are able to correctly authorize the app

Actual result:

An error is being thrown, without any message on how to solve it

[seratch]

Hi @justman00, thanks for asking the question!

userScopes: ['identity.basic', 'identity.email'],

Your app cannot have identity.* user scopes along with others such as commands. When your app has those, only identity.* should be passed to the authorize URL. If you need some user token scopes, other user scopes can co-exist with bot scopes.

Also, we've recently renewed "Sign in with Slack" to make it compatible with OpenID Connect. The new way requires openid, email (optional), profile (optional) instead of identity.*. If you are building a new app using "Sign in with Slack" functionality, consider the latest one for it. https://api.slack.com/authentication/sign-in-with-slack

I hope this was helpful to you!

[justman00]

I did remove the commands scope but the issue seems to be happening still, after revoking my own access, I can reproduce this all the time

[seratch]

Hi @justman00, I checked this issue today and found that @slack/bolt and its underlying @slack/oauth package do not support "Sign in with Slack" feature at this moment.

We may update the package to support the functionality in the future (we haven't decided it yet) but in the short term, please consider implementing the "Sign in with Slack" flow on your own. The code should be quite simple. Here is a simple example app built with Koa: slackapi/node-slack-sdk#1310

I hope this was helpful to you.

[justman00]

thank you @seratch looking forward to what's next for the bolt framework and its integrations