16

I'm working on a Slack app that also links with a web app, which users can log into using Slack. It's very common for a new user to need to both log into the web app and add the app to Slack.

I'd like to let them do this with a single trip through OAuth. Since the web app needs a name, email address, and profile picture for each user, I added the "identity.basic", "identity.email", etc. scopes to the ones requested by the "Add to Slack" button. But it turns out that Slack doesn't allow this. The Slack OAuth page says "Invalid permissions requested: Cannot request both identity scopes and other scopes at the same time".

One alternative might be to request the users:read and users:read.email scopes instead of the identity scopes. But this gives our app more access than it needs; it just needs the info for the current user, not for all users on the team. (It might later need that info for all users, so I'm considering doing this anyway, but I'm not sure if users would like it.)

The other alternative seems to be to make the user go through two different OAuth permissions screens. But this seems cumbersome and not a good user experience.

So the questions are (1) is there a better way, and (2) why doesn't Slack allow combining the identity scopes with others?

UPDATE to clarify, in response to the answer from @erik-kalkoken:

I'm aware of the differences between "Add to Slack" and "Sign In with Slack". I certainly don't intend to take away the option for most users to do a simple "Sign In with Slack". However, with this particular app, it makes no sense to do "Add to Slack" without also being signed in to the web app. This needs to be done by one person per Slack team before other users on that team can use it. Our onboarding process for new teams is a bit cumbersome, and I'm looking for ways to make it simpler and smoother. Since the sign-in and add steps could theoretically be combined into one step, I would prefer to do that.

Part of this may be because we aren't developing a "Slack app"; we're developing a Slack integration for a web app. The web app can be used without using Slack, and has its own concepts of users and communities.

Shyam Habarakada
aldel
  • I don't get the "Invalid permissions requested" error as long as I only ask for `identity.*` scopes (list available on this page https://api.slack.com/methods/users.identity) – Frosty Z Jul 20 '17 at 10:18
  • I'm running into what seems like the same problem—a slack app that will behave like a BOT but also needs to implement OAuth so each user can authenticate and associate their slack `user_id` with their unique identity on our app. We are also a _slack integration_ scenario like you describe above. I have a support request thread going with slack to figure out what I'm doing wrong and will report back if I find a solution. – Shyam Habarakada Jan 18 '18 at 17:28

1 Answer

4

The "better way" in my opinion would be to not combine these two functions on your website, because their effect is very different. I would argue that it would be confusing to users if they are combined and would not make a good user experience.

"Add to Slack" is installing a Slack app for the whole Slack team. You only do this once and it's usually done by the admin of a Slack team.

"Sign in with Slack" is used to authenticate any user of a Slack team. You would use this function every time you log into your app and it's used by many users of a Slack team.

Erik Kalkoken
  • Yes, I understand the difference. I've added some clarification to the question. I suspect there's just no better alternative, though, and Slack is unlikely to change their API to accommodate us. – aldel Apr 10 '17 at 17:39
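The two-screen alternative from the question, sketched as an added example (not code from the question, the answer, or Slack): the requested scopes are split into an identity-only "Sign in with Slack" step and a separate "Add to Slack" step, each with its own `state` value, so the app never falls back to `users:read` just to fit one request. The authorize endpoint, the `bot` and `commands` install scopes, the client id and the redirect URI are assumptions or constructed placeholders.

```python
import secrets
from urllib.parse import urlencode

# Assumption: Slack's OAuth authorize endpoint; it is not quoted on this page.
AUTHORIZE_URL = "https://slack.com/oauth/authorize"


def split_scopes(requested):
    """Partition scopes into (identity, other), preserving request order."""
    identity = [s for s in requested if s.startswith("identity.")]
    other = [s for s in requested if not s.startswith("identity.")]
    return identity, other


def authorize_url(client_id, scopes, redirect_uri, state):
    """Build one authorize URL, rejecting the scope mix Slack refuses."""
    identity, other = split_scopes(scopes)
    if identity and other:
        raise ValueError("identity scopes cannot be combined with other scopes")
    if not scopes:
        raise ValueError("no scopes requested")
    query = urlencode({
        "client_id": client_id,
        "scope": ",".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def plan_onboarding(client_id, wanted, redirect_uri):
    """Return the ordered authorize steps needed to cover `wanted`.

    Each step carries its own random `state`; store it in the user's session
    and compare it on the callback before exchanging the returned code.
    """
    identity, other = split_scopes(wanted)
    steps = []
    for name, scopes in (("sign_in", identity), ("add_to_slack", other)):
        if scopes:
            state = secrets.token_urlsafe(16)
            url = authorize_url(client_id, scopes, redirect_uri, state)
            steps.append({"step": name, "scopes": scopes, "state": state, "url": url})
    return steps


if __name__ == "__main__":
    # Constructed sample input: placeholder client id, redirect URI and install scopes.
    wanted = ["identity.basic", "identity.email", "bot", "commands"]
    for step in plan_onboarding("CLIENT_ID_PLACEHOLDER", wanted, "https://example.com/slack/callback"):
        print(step["step"], step["url"])
```

A regular team member who only signs in gets a one-step plan, because the install step is emitted only when non-identity scopes are requested.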