Stateless OAuth State Store

[WilliamBergamin]

The Node Slack SDK implements a ClearStateStore a stateless OAuth state store using JSON Web Tokens (JWT). It creates a secure, tamper-proof "ticket" (the state parameter) that a user carries during an OAuth handshake to ensure the login process is legitimate and hasn't timed out.

A python stateless OAuth state store can be greatly beneficial for apps that want to minimize the amount of storage they handle.

The Python SDK currently provides the OAuthStateUtils class that can be used to implement a version of this. But this approach is possibly incompatible with the existing StateStore interface, thus it is not supported out of the box in Bolt Python.

Category

• slack_sdk.web.WebClient (sync/async) (Web API client)
• slack_sdk.webhook.WebhookClient (sync/async) (Incoming Webhook, response_url sender)
• slack_sdk.models (UI component builders)
• slack_sdk.oauth (OAuth Flow Utilities)
• slack_sdk.socket_mode (Socket Mode client)
• slack_sdk.audit_logs (Audit Logs API client)
• slack_sdk.scim (SCIM API client)
• slack_sdk.rtm (RTM client)
• slack_sdk.signature (Request Signature Verifier)

Requirements

Please read the Contributing guidelines and Code of Conduct before creating this issue or pull request. By submitting, you are agreeing to those rules.

[WilliamBergamin]

The following is an example to using the OAuthStateUtils with Bolt and FastAPI

import html
import os
import secrets
from typing import Optional

from fastapi.responses import HTMLResponse, PlainTextResponse
from slack_bolt.adapter.fastapi.async_handler import AsyncSlackRequestHandler
from slack_bolt.async_app import AsyncApp
from slack_sdk.oauth.authorize_url_generator import AuthorizeUrlGenerator
from slack_sdk.oauth.state_utils import OAuthStateUtils

from fastapi import FastAPI, Query, Request

app = AsyncApp()
app_handler = AsyncSlackRequestHandler(app)

state_utils = OAuthStateUtils()

authorize_url_generator = AuthorizeUrlGenerator(
    client_id=os.environ.get("SLACK_CLIENT_ID"),
    redirect_uri=os.environ.get("SLACK_REDIRECT_URI"),  # e.g., "https://yourdomain.com/slack/oauth_redirect"
    scopes=["chat:write"],
    user_scopes=[],
)

api = FastAPI()

# Listens to incoming messages that contain "hello"
@app.message("hello")
async def message_hello(message, say):
    # say() sends a message to the channel where the event was triggered
    await say(
        blocks=[
            {
                "type": "section",
                "text": {"type": "mrkdwn", "text": f"Hey there <@{message['user']}>!"},
            }
        ],
        text=f"Hey there <@{message['user']}>!",
    )


@api.post("/slack/events")
async def endpoint(req: Request):
    return await app_handler.handle(req)


@api.get("/slack/install")
async def install():
    state = secrets.token_urlsafe(32)
    cookie = state_utils.build_set_cookie_for_new_state(state)

    url = authorize_url_generator.generate(state)

    html_content = f"""<html>
<head>
<link rel="icon" href="data:,">
<style>
body {{
  padding: 10px 15px;
  font-family: verdana;
  text-align: center;
}}
</style>
</head>
<body>
<h2>Slack App Installation</h2>
<p><a href="{html.escape(url)}"><img alt="Add to Slack" height="40" width="139" src="https://platform.slack-edge.com/img/add_to_slack.png" srcset="https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/add_to_slack@2x.png 2x" /></a></p>
</body>
</html>
    """

    html_response = HTMLResponse(
        headers={"Set-Cookie": cookie},
        content=html_content
    )
    return html_response


@api.get("/slack/oauth_redirect")
async def oauth_callback(
    req: Request,
    code: Optional[str] = Query(None),
    state: Optional[str] = Query(None),
    error: Optional[str] = Query(None),
):
    headers = {"Set-Cookie": state_utils.build_set_cookie_for_deletion()}

    if error:
        return PlainTextResponse(
            content=f"Something is wrong with the installation (error: {error})",
            status_code=400,
            headers=headers,
        )

    if not code:
        return PlainTextResponse(
            content="Missing authorization code",
            status_code=400,
            headers=headers,
        )

    # Verify the state parameter
    if not state_utils.is_valid_browser(
        state=state, request_headers=dict(req.headers)
    ):
        return PlainTextResponse(
            content="Try the installation again (the state value is already expired)",
            status_code=400,
            headers=headers,
        )

    oauth_response = app.client.oauth_v2_access(
        client_id=os.environ.get("SLACK_CLIENT_ID"),
        client_secret=os.environ.get("SLACK_CLIENT_SECRET"),
        redirect_uri=os.environ.get("SLACK_REDIRECT_URI"),
        code=code,
    )

    # Store the oauth response somewhere

    return PlainTextResponse(
        content="Thanks for installing this app!",
        status_code=200,
        headers=headers,
    )