kmrshntr / omniauth-slack

MIT License

Team-specific login if user not part of this team #45

Closed infojunkie closed 8 years ago

infojunkie commented 8 years ago

I added the team ID to the configuration as per https://github.com/kmrshntr/omniauth-slack#team. This works well if the user is part of the requested team: they will only be able to login through this team.

However, if the user is a member of a different Slack team, but NOT of the requested team, then they will still be able to login through the different team. Is this by design or a bug?

infojunkie commented 8 years ago

Looks like this is how the Slack API behaves: https://api.slack.com/docs/oauth (section "How the team parameter behaves").

ginjo commented 8 years ago

Just FYI, and maybe everyone knows this already, but it is possible to force authorization against a specific team at Slack, even if the user/browser is not logged in to that team yet.

A Slack support rep shined a light on this (I think undocumented) feature, and the answer was simple: Prepend the team's subdomain to the oauth/authorize URL.

https://mysubdomain.slack.com/oauth/authorize?scope=identity.basic,more.scope.stuff...

I don't think the official omniauth-slack handles that, so I added the feature to the ginjo fork. Just include the subdomain, as a parameter, in your initial call to your app's authorization URL.

https://myapp.com/auth/slack?subdomain=myteamsubdomain

The gem will take your subdomain param and prepend it to the Slack URL, before redirecting your browser. Once you're on the Slack pages, the entire oauth process is scoped to that domain only.

Note that this is a runtime "per-request" parameter in omniauth-slack. I didn't extend the feature to the gem's middleware setup, though I suppose there could be use cases for that as well.
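The subdomain-prefix flow described above, as an added example in Ruby (this is not code from omniauth-slack or the ginjo fork): it takes the per-request `subdomain` parameter, validates it as a single DNS label before splicing it into the host, and returns the team-scoped authorize URL. The client id, redirect URI, scope and state values are constructed placeholders.

```ruby
require "uri"
require "cgi"

# Added example, not code from omniauth-slack or the ginjo fork. Builds the
# team-scoped Slack authorize URL from the thread: the team's subdomain is
# prepended to slack.com so the whole OAuth flow is pinned to that workspace.
# The subdomain arrives as an untrusted request parameter, so it is checked
# before it becomes part of a host name.
SLACK_SUBDOMAIN = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/

class InvalidSubdomain < ArgumentError; end

# Returns the normalised subdomain if it is a plausible Slack workspace label,
# otherwise raises. Dots, slashes, '@' or '#' would change which host the
# browser is sent to, so only DNS label characters are accepted.
def validate_subdomain(subdomain)
  s = subdomain.to_s.downcase
  raise InvalidSubdomain, "bad subdomain: #{subdomain.inspect}" unless s.match?(SLACK_SUBDOMAIN)
  s
end

# Builds https://<subdomain>.slack.com/oauth/authorize?... ; without a
# subdomain it falls back to the generic slack.com endpoint, where Slack's
# own team-parameter behaviour (see the linked docs) applies instead.
def slack_authorize_url(client_id:, redirect_uri:, scope:, state:, subdomain: nil)
  host = subdomain ? "#{validate_subdomain(subdomain)}.slack.com" : "slack.com"
  query = URI.encode_www_form(
    client_id: client_id,
    redirect_uri: redirect_uri,
    scope: Array(scope).join(","),
    state: state
  )
  URI::HTTPS.build(host: host, path: "/oauth/authorize", query: query).to_s
end

# Constructed sample values so the file runs stand-alone.
if $PROGRAM_NAME == __FILE__
  puts slack_authorize_url(
    client_id: "EXAMPLE_CLIENT_ID",
    redirect_uri: "https://myapp.com/auth/slack/callback",
    scope: %w[identity.basic identity.email],
    state: "opaque-csrf-token",
    subdomain: "myteamsubdomain"
  )
end
```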