getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

Integrations Platform OAuth flow external install can only initiate once #72379

Open shaunpersad opened 3 months ago

shaunpersad commented 3 months ago

Environment

SaaS (https://sentry.io/)

Steps to Reproduce

  1. Initiate the external install flow, e.g. https://sentry.io/sentry-apps/<your-integration-slug>/external-install/
  2. This can run successfully the first time.
  3. Try initiating the external install flow after a successful installation, and the flow will stop, with a message saying the integration is already installed.

Expected Result

The flow should be able to be initiated as many times as needed.

For an example of why, we've created the official Cloudflare Sentry integration: https://developers.cloudflare.com/workers/observability/sentry-integration

This integration must be installed from the customer's Cloudflare dashboard, where the rest of our Workers integrations live.

The main goal is to have the user go through Sentry's OAuth so that we can 1) list their Sentry projects and 2) get the Sentry DSN for the selected project.

The customer is only ever able to initiate the external install flow once. We've gotten around this issue by creating a link on our end between a Cloudflare account and a Sentry org, so that if the same account goes through the OAuth flow more than once, they receive the same credentials.

This workaround is problematic because multiple users may use a single Cloudflare account, and they may want to integrate with different Sentry orgs for different projects.

Actual Result

The flow can only successfully proceed once.

Product Area

Settings - Integrations

Link

No response

DSN

No response

Version

No response

getsantry[bot] commented 3 months ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 3 months ago

Routing to @getsentry/product-owners-settings-integrations for triage ⏲️

leedongwei commented 3 months ago

Hi! Thanks for reaching out. I'm trying to understand the user flow that you're trying to support

This workaround is problematic because multiple users may use a single Cloudflare account, and they may want to integrate with different Sentry orgs for different projects.

If I have 2 separate projects (e.g. a ridesharing app and a food delivery app), does Cloudflare have the concept of organizations/projects that are the parent of the workers? Or are workers always a child of user accounts?

shaunpersad commented 3 months ago

The hierarchy is that at the top level, there is a Cloudflare account. An account can (and usually does) have multiple users, e.g. a company account with multiple employees, or an account for individual teams with multiple team members. Users can create workers, but the workers belong to the account, not the user.

However, the issue I'm describing can happen even if there's just one user in the account, because you can choose to set up the integration for individual workers.

So if I have two workers, the first time I set up the integration for a worker, everything works as expected. If I then try to set up the integration on the second worker, without our workaround, the Sentry auth flow would be initiated but would fail since it does not allow you to go through the flow more than once if the install exists on the Sentry side.

Let me know if you need further clarification. Also happy to set up a call to walk through the user experience as well.

leedongwei commented 3 months ago

Thanks for the clarification. Cloudflare's "account" is equivalent to Sentry's "organization".

they may want to integrate with different Sentry orgs for different projects.

I'm rather hesitant to support a workflow that will enable "many to many" relationship between Cloudflare account and Sentry organization.

Is that a Cloudflare customer ask? And is that common among SaaS apps that Cloudflare integrates with?

shaunpersad commented 3 months ago

Regarding the "many to many" relationship scenario you mentioned, this is still a problem even with a one Cloudflare account => one Sentry org scenario (a "one to one" relationship), because the integration is per worker, so if I as a user wanted to install the Sentry integration on more than one worker (with the same Sentry org and same CF account on both), I couldn't because the flow only works once.

I think the main issue here is that we're trying to use the "external install" flow as an oauth2 flow, because that's really what we need: a flow to get a user's permission to make API calls to Sentry on their behalf. Typical oauth2 flows allow you to go through the flow as many times as possible, because you usually want to be able to mint tokens as needed (often with different permissions for different scenarios).

The issue with the Sentry "external install" flow is that it remembers that you went through the flow once and prevents you from doing it again, which is non-standard behavior from an oauth2 perspective.

We'd actually started out building the integration with Sentry's older (actual) oauth2 flow, which worked perfectly because it was a standard flow, but we were told it was deprecated in favor of the new integration platform. The new platform's external install flow isn't really a full replacement, though, since it's doing something else ("installing" an app in Sentry's dashboard, which isn't really what we were trying to accomplish).

If we could get the "external install" flow to at least allow more than one initiation, I think that would get it closer to a regular oauth2 flow.
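
To make concrete what "a regular oauth2 flow" looks like when it is initiated many times from one account (one initiation per worker, as in the comment above, instead of the account-to-org link described in the original post), here is an added example that is not Sentry's or Cloudflare's code. It is a re-entrant authorization-code client with a per-initiation `state` and PKCE: each `begin()` creates its own pending record bound to the (account, worker) that started it, each `complete()` consumes that record exactly once, and a stand-in authorization server issues a fresh token for every valid exchange. The endpoint URL, client id, account and worker names, and the `FakeAuthServer` are all hypothetical; nothing here calls Sentry.

```python
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://sentry.example/oauth/authorize"  # hypothetical endpoint
STATE_TTL_SECONDS = 600  # how long a started-but-unfinished initiation stays valid


def _pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


@dataclass
class Pending:
    account_id: str
    worker: str
    verifier: str
    created: float


class OAuthClient:
    """Integration side. One pending record per initiation, keyed by a random state,
    so any number of workers under one account can each run the flow."""

    def __init__(self, client_id, redirect_uri, exchange):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.exchange = exchange  # callable(code, verifier) -> token dict
        self.pending = {}         # state -> Pending
        self.grants = {}          # (account_id, worker) -> token dict

    def begin(self, account_id, worker):
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(48)
        self.pending[state] = Pending(account_id, worker, verifier, time.time())
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": state,
                  "code_challenge": _pkce_challenge(verifier),
                  "code_challenge_method": "S256"}
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def complete(self, callback_url, now=None):
        now = time.time() if now is None else now
        q = parse_qs(urlparse(callback_url).query)
        state, code = q.get("state", [""])[0], q.get("code", [""])[0]
        pending = self.pending.pop(state, None)  # single use: a replayed callback fails here
        if pending is None:
            raise PermissionError("unknown, mismatched or replayed state")
        if now - pending.created > STATE_TTL_SECONDS:
            raise PermissionError("authorization took too long; start the flow again")
        token = self.exchange(code, pending.verifier)
        self.grants[(pending.account_id, pending.worker)] = token
        return pending.account_id, pending.worker, token


class FakeAuthServer:
    """Stand-in authorization server so the example runs offline: every authorize()
    yields a fresh single-use code, every valid exchange a fresh token."""

    def __init__(self):
        self.codes = {}  # code -> (challenge, redirect_uri)

    def authorize(self, authorize_url):
        q = parse_qs(urlparse(authorize_url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["code_challenge"][0], q["redirect_uri"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def exchange(self, code, verifier):
        challenge, _ = self.codes.pop(code, (None, None))
        if challenge is None or not secrets.compare_digest(challenge, _pkce_challenge(verifier)):
            raise PermissionError("invalid code or PKCE verifier")
        return {"access_token": secrets.token_hex(16), "expires_in": 3600}


def connect_two_workers():
    """Same hypothetical account, two workers: both initiations succeed with distinct
    tokens, and replaying the first callback is rejected."""
    server = FakeAuthServer()
    client = OAuthClient("cf-sentry", "https://dash.cloudflare.example/callback", server.exchange)
    callback_a = server.authorize(client.begin("acct-1", "worker-a"))
    callback_b = server.authorize(client.begin("acct-1", "worker-b"))
    _, _, tok_a = client.complete(callback_a)
    _, _, tok_b = client.complete(callback_b)
    try:
        client.complete(callback_a)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return tok_a["access_token"] != tok_b["access_token"], replay_rejected, len(client.grants)
```

The point of binding `state` to the (account, worker) pair, rather than linking an account to one set of credentials, is that the callback itself says which worker it belongs to, so the second initiation does not have to be special-cased and a callback cannot be replayed into a different worker's grant.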

leedongwei commented 3 months ago

Gotcha. My team just took over the integrations domain and we haven't touched the integration platform yet. Let me see what I can do. Can you email me at team-ecosystem@sentry.io and let me know your timelines for this integration?

shaunpersad commented 3 months ago

@leedongwei I just sent an email to that address but it bounced. Is there another address we can use?

leedongwei commented 3 months ago

@shaunpersad Sorry! You can send it to me directly at dlee@sentry.io.