This repository has been archived by the owner on Sep 20, 2024. It is now read-only.

Add support for new Slack granular permission oauth endpoint #1892

Closed
benbrown opened this issue Jan 7, 2020 · 10 comments

@benbrown
Contributor

benbrown commented Jan 7, 2020

botbuilder-adapter-slack should be patched to add support for using the new oauth/v2/authorize URL instead of generating a link to oauth/authorize.

@yingzhanguipath

yingzhanguipath commented Jan 29, 2020

Installing new Slack apps is failing now:
An API error occurred: oauth_authorization_url_mismatch

According to https://api.slack.com/methods/oauth.v2.access,

oauth_authorization_url_mismatch | The OAuth flow was initiated on an incorrect version of the authorization url. The flow must be initiated via /oauth/v2/authorize.

You'll probably need to use slack.oauth.v2.access instead of slack.oauth.access in validateOauthCode in slack_adapter.ts.

When do you think you can fix this issue?

@benbrown
Contributor Author

For now I would directly use the methods available from the Slack SDK rather than using the built-in routes.

@yingzhanguipath

Do you have an estimate on when you can release a fix?

@benbrown
Contributor Author

Not currently, since legacy apps will continue to need the current functions to remain the way they are.

You can generate your own redirect link, or use the Slack API to do it.

@yingzhanguipath

From Slack,

Slack has improved how we handle permissions for apps, so you can now request only the specific scopes your app needs. We recommend updating your app’s scopes. Beginning February 21, all new app submissions to the App Directory must use granular permissions. Read our blog post.

All legacy apps will have to migrate soon. Once they migrate to the new model, they need to "re-install", which will fail. Current botbuilder-adapter-slack is blocking the migration. You may want to reconsider your decision.

@benbrown
Contributor Author

benbrown commented Feb 3, 2020

Hi @yingzhanguipath, I am not sure what is keeping you from generating your own redirect link and oauth validation method using the new URL and APIs.

All legacy apps that are publicly listed in the app store have to change, but the vast majority of Botkit apps are not public and will not be required to change in this timeline. That is not to say that new methods won't be eventually introduced. You should consider opening a pull request!

@mark-nimbix

mark-nimbix commented Feb 3, 2020

I am new to nodejs so I am sure there is a better way to do this. But here it goes. I am working on the yeoman generated slack app. I used the following in the bot.js. Hope it helps until there is a native fix. Oh, and if you are using the yeoman generator you will need a newer version of botbuilder-adapter-slack. I used "botbuilder-adapter-slack": "latest" in package.json.

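    // Exchange the temporary OAuth code for tokens via Slack's oauth.v2.access endpoint.
    const querystring = require('querystring');
    const request = require('request');

    async function validateOauthCodeNew(code) {
        return new Promise((resolve, reject) => {
            const formData = querystring.stringify({
                code: code,
                client_id: process.env.CLIENT_ID,
                client_secret: process.env.CLIENT_SECRET,
                redirect_uri: process.env.REDIRECT_URI
            });

            request({
                headers: {
                    // Byte length rather than string length, so multi-byte characters are counted correctly.
                    'Content-Length': Buffer.byteLength(formData),
                    'Content-Type': 'application/x-www-form-urlencoded'
                },
                uri: 'https://slack.com/api/oauth.v2.access',
                body: formData,
                json: true,
                method: 'POST'
            }, function (err, res, body) {
                if (err) {
                    // Network or transport failure: there is no response body to inspect.
                    return reject(err);
                }
                if (body && body.ok) {
                    resolve(body);
                } else {
                    // Reject rather than throw: a throw inside this callback
                    // never reaches the caller awaiting the promise.
                    reject(new Error(body && body.error ? body.error : 'oauth.v2.access failed'));
                }
            });
        });
    }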

The response is slightly different as well.

    const results = await validateOauthCodeNew(req.query.code);
    // Store token by team in bot state.
    tokenCache[results["team"]["id"]] = results["access_token"];

    // Capture team to bot id
    userCache[results["team"]["id"]] = results["bot_user_id"];
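
The thread suggests generating your own link to oauth/v2/authorize and validating the returned code yourself. As an added example (not part of the original thread or of botbuilder-adapter-slack), the following builds that link with a `state` value bound to the installer's session and checks it on the callback before the code is exchanged. The function names, the `sessionId` source (assumed to be your own cookie session) and the 10-minute lifetime are assumptions.

```javascript
// Added example: Slack OAuth v2 install link with a signed, session-bound `state`.
// Function names and the state format are hypothetical, not Botkit's API.
const crypto = require('crypto');

const AUTHORIZE_URL = 'https://slack.com/oauth/v2/authorize';
const STATE_MAX_AGE_MS = 10 * 60 * 1000; // assumption: installs finish within 10 minutes

// HMAC over nonce, issue time and the session that started the flow.
function sign(payload, sessionId, secret) {
    return crypto.createHmac('sha256', secret).update(`${payload}.${sessionId}`).digest('hex');
}

// Returns { url, state }. `scopes` are granular bot scopes, e.g. ['chat:write'].
function buildInstallUrl({ clientId, scopes, redirectUri, sessionId, stateSecret, now = Date.now() }) {
    const payload = `${crypto.randomBytes(16).toString('hex')}.${now}`;
    const state = `${payload}.${sign(payload, sessionId, stateSecret)}`;
    const url = new URL(AUTHORIZE_URL);
    url.searchParams.set('client_id', clientId);
    url.searchParams.set('scope', scopes.join(','));
    url.searchParams.set('redirect_uri', redirectUri);
    url.searchParams.set('state', state);
    return { url: url.toString(), state };
}

// True only if `state` was issued for this session, is untampered and unexpired.
function verifyState(state, sessionId, stateSecret, now = Date.now()) {
    const parts = String(state || '').split('.');
    if (parts.length !== 3) return false;
    const [nonce, issuedAt, mac] = parts;
    const expected = Buffer.from(sign(`${nonce}.${issuedAt}`, sessionId, stateSecret));
    const given = Buffer.from(mac);
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
        return false;
    }
    const age = now - Number(issuedAt);
    return Number.isFinite(age) && age >= 0 && age <= STATE_MAX_AGE_MS;
}
```

Call `verifyState(req.query.state, sessionId, secret)` in the redirect handler and refuse to call oauth.v2.access when it returns false.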

@olearycrew

As an FYI, they will also be forcing all apps to convert to the new method in December of 2020

@sfny
Contributor

sfny commented Mar 10, 2020

Proposed a quick solution for oauth v2 #1928

@benbrown
Contributor Author

Included in the next release -> #1929
