Just looking for some general advice here.
I want to build a Slack app and publish it publicly to the Slack App Directory, for anyone to use. The basics of the app are:
When you paste a link to a specific domain in a Slack message, a bot will fetch additional information about that link from a Rest API my company built.
The roadblock I'm running into is that our Rest API uses Basic Auth for authentication, and I can't figure how or where in the Slack App setup flow to ask the user to enter their API key.
Does anyone have any advice on how to ask for user input when setting up a Slack app, so that the user can enter their API Key for our REST API?
Thanks!
OK, I will assume that the API key is individual to each user.
I would suggest to ask the API key as part of the installation process for your Slack app on your website and then store the connection between Slack user ID and API key as part of the installation process. It is in fact possible to have individual installations of the same Slack app to a workspace for each user. This is called "configurations" (e.g. the Twitter app for Slack is using this feature).
This requires each user who want to use the app to go through the installation process and also all users need to have permissions to install this particular Slack app (which can be configured by admin).
Related
I am working on a slack bot project. I have some questions about slack App Credentials, bot tokens, and app-level tokens.
Are the slack app credentials like App id, Client id, Client Secret, and Signing Secret varies when I try to install my slack app on different workspaces or keep the same?
Is the slack bot access token will be the same for all distributed workspaces when the app will be published in the app directory?
Is the app-level token is same for all workspaces or only belong to the app?
Hello there and welcome to Slack app development!
Your Slack app's credentials like app ID, client ID, and client secret are specific to your app and remain constant unless you regenerate any of them or create a new app container. If you're building for the public Slack app directory, your app will also have a development edition with a different set of IDs and secrets. These secrets and identifiers are how you identify to Slack that your app is your app and is entitled to work with Slack.
A bot access token is specific to an installation, each workspace you install a bot user into will have a different bot access token. It's up to your app to switch contexts and use the right token based on the workspace involved in a specific interaction or invocation.
The app-level token represents agency between your app and Slack and does not explicitly relate to any workspace it is installed on. It has a very limited set of use cases, but one of them allows you to connect to the Socket Mode interface for the Events API, from a perspective that includes all workspaces your app is installed on simultaneously.
To receive a bot user token upon each workspace installation, you will need to support the OAuth token negotiation sequence. The Bolt SDKs Slack provides support OAuth.
I am trying to download the history messages for a specific Slack app, let's say MLflow.
I found a few open-source tools on Github but none of them actually work for me. It seems that slack has disabled ways for non-admin to create the access token since May 2020. Is there any way for the scraping script to work without tokens? WHat else can I do now?
You can try the app called Backupery for Slack
Disclaimer: I'm the developer of the app and the app is not free, but a free trial is available.
The app can help you to export any conversation from your Slack workspace, including direct messages between you and an app. For example, if I need to export the conversation between me and Jira Cloud app, I just need to select the conversation and export it:
Please also note, the app will automatically create an access token for you. By default, Primary Owner, Owners, Admins and Full Members are allowed to install any applications for Slack (and create access tokens). However, a workspace Admin or Owner may limit installations to pre-approved apps - in this case you will not be able to use the app as it will not be possible to install it.
I have a bot running on a hosting page where users are logged in using SSO.
I want to authenticate the user in the bot automatically when the bot starts and I do not want to use anAuthCard to do it. Just want to automatically authenticate the user without prompting anything to him, just using SSO.
I found an article that refers three ways to authenticate an user in the bot:
Sharing the client's user token directly with the bot via ChannelData
Using an OAuthCard to drive a sign-in experience to any OAuth provider
A third option, called Single Sign-On (SSO), that is in development.
And, according to the article my situation is:
WebChat in an authenticated website where the user is already signed in and the website has a token to the same identity provider but to a different app that the bot needs -> in the future, this is single sign-on, but for now you 'll need to use an OAuthCard.
Is there any update about this functionality? How can I authenticate the user into the bot without using an OAuthCard or a SigninCard?
Thanks in advance
Not sure if you have tried the option of using WebChat with Azure Bot Service’s Authentication which provides built-in authentication capability to authenticate chat users with various identity providers such AAD, GitHub, Facebook, etc.
If you are looking for this built-in feature, then probably you need to build your own custom built solution using Google sign-in by passing the token ID of the authenticated users. Or for an Account linking OAuth2 solution as explained in this link: How to implement Login in Dialogflow chatbot.
Microsoft guys Are looking at the issue now. you can track the progress here.
I implemented a solution that worked for me. I have the bot running in a .net core web app
Here's what I did:
Generate an userId before initializing the BotApp
When the user clicks on the button to open the webchat, I'm opening an authenticated controller in a popup that receives the generated userId. The page is authenticated, so you will need to authenticate. I store the userId in my DB, along with access_token and some user information. The controller should be created in the same webapp where the bot is running.
After storing all the information I close the tab and start the BotApp with the generated userId
In bot code you will be able to query your DB (using userId).
To wait until the popup close, you can have a look into this here.
I hope that this helps someone.
Best regards
I am building a Slack App and planning to distribute it in the Slack App Directory so that other users can install it. I am using Slash commands for this app. Now when I get my API called after some user type my Slash command then I want to access some of the user information using WEB APIs. But to access the info I need user token to call the WEB API. With Slash command request object I am not getting any user token. So my question is how can I get the user token at this time to access the information. Do I need to save this when user installs the app or do I need to provide the Add to Slack button for this?
Yes, your app will receive the access token for a team / workspace only as result of a successful installation process and should then store it together with the team ID for later use. Each slash request includes the team ID which allows you identify the correct access token for each team.
There are two approaches for installing Slack apps, which can be chosen on the "Manage your apps" pages under "Basic Information". Here is how it looks:
Installation from landing page
Having your own website with a "Add to Slack" button is the easiest way to to that. You website will then need to handle the installation process, which basically is a Oauth flow. You should also make sure to request the right permissions, so that you can later access the API methods that you need. This installation approach is called "Installation from landing page".
Installation from App Directory
Another way to install your app is "Install from App Directory". This will allow users to start the OAuth process directly from the App directory, instead of having to click a "Add to Slack button" on a website. Its has the same effect as clicking a custom "Add to Slack button", so you still need a website behind it to handle the full OAuth flow.
Important: This option is only available to apps that have been approved by Slack and are listed on the App directory.
Further Reading
Installation approaches
Oauth process with Slack
In messaging platforms like Slack and HipChat you can integrate apps that can post messages to groups without them being sent from a user e.g.
Defect Management System: A new defect was logged at 12pm
Instead of:
John Smith: A new defect was logged at 12pm
Is it possible to do the same thing in Yammer?
There are two options available for you:
1 - You can create a new user on Yammer, name it however you want (e.g., "Defect Management System" with a snazzy avatar), then take the user's OAUTH token and use it to impersonate that user programmatically. This is fine for quick development.
2 - You can create a new user on Yammer, name it however you want, then register a new app on Yammer to get a permanent token and client ID, then use those to impersonate that user programmatically. This is the right way to do it. You can read more about how to do this on https://developer.yammer.com/introduction/#gs-registerapp.
This is an example of a user that we impersonate. It is a bot on our network. It is a separate account in AD and is registered as an app in Yammer and interacts with Yammer automatically.
You are always impersonating a user in Yammer via the API, there isn't a way to impersonate a group, in the way that Slack does (i.e. being able to override the username displayed and replace it with a bot for example in your payload)
If this app is for internal use, you could consider creating a dummy user as a bot to post defects, and then using Custom Object Types & Actions in Open Graph to further customize the messages. Obviously there are some business & administration considerations in doing that, not just development ones.