Reputation: 3839
I’m working on a Slack app that a user can install to a workspace using Slack’s OAuth flow. After installing and configuring the app, I’m using OAuth to allow the user to log in and make changes to the app configuration.
The flow for a new user uses the "Add to Slack" button, which asks the user to agree to allow bot and identity.* scopes, after which my app retrieves and stores bot and user tokens.
Now I'd like to allow the same user to sign in using the "Sign in with Slack" OAuth flow. Per the Slack documentation, the "Sign in with Slack" flow allows just this using the same /oauth/authorize endpoint, but requests only one of the identity.* scopes (I'm using identity.basic):
<a href="https://slack.com/oauth/authorize?scope=identity.basic&client_id=REDACTED">Sign in with Slack</a>
The user has already authorized my app for bot and identity.* scopes on the initial app install, but surprisingly he/she is re-prompted to confirm allowing my app identity.* scopes on each "Log in with Slack" action.
The slack documentation implies that subsequent login attempts will result in an automatic redirect:
After a user clicks your Sign in with Slack button, their web browser should arrive on Slack's servers.
Your application will wait patiently while the user handles some business or Slack just sends them on their way back to your redirect URL.
(emphasis mine)
However, Slack always requests that the user (re-)authorize my app for identity.* scopes. How can I log users in using Slack with a one-click flow?
I reached out to the Slack team and got this response:
Unfortunately it looks like we'll need to update the documentation as for the moment what's described there is not accurate. Particularly:
Returning users won’t be distracted by unnecessary approvals, we’ll send them back to your site, service, or app as fast as we can!
Due to a change we made to our authentication flow where we now allow users to select what workspace they're authing with, we present them with the "scopes" or "permissions" page again. This is definitely something we should consider making better, but for the time being it's the expected behaviour and we're going to revise the documentation to reflect that.
Sorry for the bad news.
As of 11/17/19 the Sign in with Slack documentation has not been updated.
Upvotes: 3
Views: 1195
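The question shows the "Sign in with Slack" authorize link with only scope and client_id. The example below is added here and is not code from the question or from Slack; it builds that link for the same /oauth/authorize endpoint and identity.basic scope, but also binds each login attempt to the browser session with an unguessable OAuth state value and checks it once on the redirect back, which is the check a login handler needs regardless of whether Slack re-prompts for scopes. The redirect_uri, the state parameter handling and the in-memory session store are assumptions, not anything from the page.

```python
"""Added example (not from the original question): building a "Sign in with
Slack" authorize URL and validating the redirect back to the app.
The endpoint and identity.basic scope come from the question; redirect_uri,
the state parameter and the in-memory pending-state store are assumptions."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://slack.com/oauth/authorize"


class SignInWithSlack:
    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # session_id -> state; stands in for a real server-side session store
        self._pending = {}

    def login_url(self, session_id):
        """Return the authorize URL for one login attempt of this session."""
        # A fresh, unguessable state per attempt ties the callback to this session
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = state
        params = {
            "scope": "identity.basic",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
        }
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def parse_callback(self, session_id, callback_url):
        """Return the authorization code if the callback belongs to this
        session and carries the expected state, otherwise None."""
        qs = parse_qs(urlparse(callback_url).query)
        # pop() makes the state single-use, so a replayed callback fails
        expected = self._pending.pop(session_id, None)
        received = qs.get("state", [None])[0]
        if expected is None or received is None:
            return None
        if not hmac.compare_digest(expected, received):
            return None  # callback was not started by this session
        if "error" in qs:
            return None  # user declined or Slack reported an error
        return qs.get("code", [None])[0]


if __name__ == "__main__":
    flow = SignInWithSlack("REDACTED", "https://app.example/slack/callback")
    url = flow.login_url("session-1")
    print(url)
    state = flow._pending["session-1"]
    print(flow.parse_callback("session-1",
                              f"https://app.example/slack/callback?code=xoxc&state={state}"))
```

The returned code would then be exchanged for a token server-side; that exchange is outside what this block shows.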
Reputation: 32737
For your requirement to implement a web page that is linked to your Slack app with authenticated Slack user you have two alternatives:
One approach would be to use Sign-in with Slack to authenticate users for your web page. This allows you to clearly authenticate users. However, the drawback is that users would have to repeat the login process every time they open this web page again. This can be somewhat mitigated by using cookies to keep users logged in between browser restarts until they manually log out of the web app.
Note that this auth process is independent from the user logging into his Slack workspace.
Alternatively you can let users directly open your web app from Slack, e.g. by clicking a link button you provide. This URL needs to include information that would allow your web app to get the user's current context, e.g. his Slack and user ID.
Note that this URL can be obtained and potentially misused by a user, so you would need to add measures to protect it, e.g. by encrypting the IDs or by adding a secure hash or a one-time token ...
Upvotes: -1
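The answer's second alternative puts the workspace and user IDs into a link and says the link must be protected with a secure hash or a one-time token. The following is an added example, not code from the answer or from Slack, of one way to do that: the link carries the IDs together with an expiry and a nonce, an HMAC over those fields detects tampering, and a set of already-seen nonces turns the link into a one-time token. The parameter names, the secret, the TTL and the sample IDs are constructed assumptions.

```python
"""Added example (not from the answer): signing the deep link the answer
describes so the embedded Slack team and user IDs cannot be altered or
reused.  Parameter names, secret, TTL and sample IDs are constructed."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def _payload(team_id, user_id, exp, nonce):
    # Fixed field order so signer and verifier hash exactly the same bytes
    return f"{team_id}|{user_id}|{exp}|{nonce}".encode()


def make_link(base_url, secret, team_id, user_id, ttl=300, now=None, nonce=None):
    """Build a link that names the user's Slack context and is signed with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    nonce = nonce or secrets.token_urlsafe(16)  # makes each link unique
    exp = now + ttl
    sig = hmac.new(secret, _payload(team_id, user_id, exp, nonce), hashlib.sha256).hexdigest()
    params = {"team": team_id, "user": user_id, "exp": exp, "nonce": nonce, "sig": sig}
    return f"{base_url}?{urlencode(params)}"


def verify_link(url, secret, now=None, seen_nonces=None):
    """Return (team_id, user_id) if the link is authentic, unexpired and
    (when seen_nonces is given) not used before; otherwise None."""
    now = int(time.time()) if now is None else now
    qs = parse_qs(urlparse(url).query)
    try:
        team, user, nonce, sig = (qs[k][0] for k in ("team", "user", "nonce", "sig"))
        exp = int(qs["exp"][0])
    except (KeyError, ValueError):
        return None  # missing or malformed field
    expected = hmac.new(secret, _payload(team, user, exp, nonce), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # any edited field or forged signature fails here
    if now > exp:
        return None  # link has expired
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return None  # replay of a link that was already opened
        seen_nonces.add(nonce)
    return team, user


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # in practice a persisted per-app secret
    link = make_link("https://app.example/open", secret, "T0000TEAM", "U0000USER")
    print(link)
    print(verify_link(link, secret, seen_nonces=set()))
```

Encrypting the IDs, the answer's other suggestion, would hide them from the user but not by itself stop tampering or reuse; the MAC plus expiry and nonce addresses those two, so the IDs can stay in the clear.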