I am creating a web app that integrates with Slack. I have successfully implemented the Slack OAuth v2 flow, with token rotation enabled. I have run into a problem though:
It appears that if a user goes through the OAuth flow for a workspace they have already authorized, they get the same access / refresh token pair returned to them that was returned for the prior authorization.
To be clear:
- User A creates a new project in my web app
- User A wants to integrate their project with Slack and so goes through the OAuth flow to give my web app an access / refresh token pair so it can communicate with Slack on behalf of their project
- User B – who is in the same Slack Workspace as User A – creates a new project in my web app
- User B also wants to integrate their project with Slack, so they go through the OAuth flow as well
- User B Receives the same access / refresh token pair that User A received
Because I am using token rotation for security, my web app runs a cron job every 6 hours and goes through all of the projects it has that have integrated with Slack (have a access / refresh token saved). For each one, it refreshes the pair via the Slack refresh token flow.
This is a problem, because User A’s token will get refreshed (causing User A’s original token to be invalidated), and then when my app tries to refresh User B’s token, it fails because User B’s token was the same as User A’s at the start (which is now invalid).
I can solve this problem in my cron job by pre-sorting the projects into “groups” based on their shared access tokens, and only doing 1 refresh call per access token / updating all projects with the result that share an access token, but this seems like a hack and potentially not the way Oauth is supposed to work.
Is there a way to ensure Slack always returns a new unique access / refresh token pair during OAuth for a given workspace? If there is, will it invalidate the previous pair (hopefully not)? Is this common among Oauth implementations? Have I misunderstood something?
— Update (Providing More Context)
I am obtaining a Bot OAuth token (starts with xoxb). My OAuth flow is as follows:
- User clicks “Authorize Slack” in my web app
- An API call is sent to my backend at slack/oauth/request that inserts a new temporary row in a “oauth_requests” table containing a randomly generated secret
- In the same API call, the backend then constructs the OAuth URL to redirect the user to, appending the secret into the “state” param of the URL so we can get it back later. Pseudo code from the backend:
const oauth_request = ... // Insert a new request into the oath_requests table to get a temporary secret
const base_url = ... // The base URL of my web app
const authorize_url = new URL('https://slack.com/oauth/v2/authorize')
authorize_url.searchParams.append('scope', encodeURI('chat:write,incoming-webhook,users:read,users:read.email'))
authorize_url.searchParams.append('access_type', 'offline') // Ensure we get a refresh token
authorize_url.searchParams.append('response_type', 'code')
authorize_url.searchParams.append('prompt', 'consent') // Always show the consent screen. Ensures we also always get back a refresh token.
authorize_url.searchParams.append('state', JSON.stringify({
request_secret: oauth_request.secret,
}))
authorize_url.searchParams.append('client_id', MY_SLACK_CLIENT_ID)
authorize_url.searchParams.append('redirect_uri', `${base_url}/extensions/slack/oauth/respond`)
// Generate the final URL we will redirect the user to
const response_url = authorize_url.toString()
- The frontend receives the oauth url and redirects the user to it, which brings the user to the Slack OAuth consent screen where they can grant consent.
- The user grants consent, causing the user to be redirected to /extensions/slack/oauth/respond on my web app.
- My web app analyzes the search params in the browser and extracts the “state” value (which we set as a JSON string containing the oauth secret). It parses the JSON string and sends an API call to my backend at /slack/oauth/respond with the secret and code returned from the OAuth flow in the URL.
- My backend receives the /slack/oauth/respond API call and extracts the secret / verifies that an entry exists in the oauth_requests table that hasn’t expired (just a safety layer).
- If the secret is valid, the backend exchanges the code for an access / refresh token pair, by sending a POST request to https://slack.com/api/oauth.v2.access, content type set to “application/x-www-form-urlencoded”, form data containing:
- code = code from OAuth
- client_id
- client_secret
- redirect_uri (Not sure why we need to provide this but we do)
- grant_type = “authorization_code”
- The response from this call contains an access / refresh token pair. This pair is saved to my db for the project the user went through the Oauth process for.
Then, my cron runs every 6 hours on the backend, where it:
- Gets all projects that have a slack access / refresh token pair associated with them
- For each project, sends a POST to https://slack.com/api/oauth.v2.access, content type “application/x-www-form-urlencoded”, form data of:
- refresh_token = the project’s refresh token
- client_id
- client_secret
- grant_type = “refresh_token”
- The response from this request contains a new access / refresh token pair, which the backend then saves to the project (overwriting it’s old pair)
- Here is the problem, because I’m getting the same access / refresh token returned during the initial Oauth process from the user (because they or another person in their Slack workspace has another project on my web app that they have gone through Slack Oauth for), all subsequent calls to refresh a duplicated token fail because the token has been refreshed already.
- Adam
2