slackapi / java-slack-sdk

Slack Developer Kit (including Bolt for Java) for any JVM language
https://slack.dev/java-slack-sdk/
MIT License

Use MultiTeamAuthorization when making slack api requests without an event #1259

Closed Moh-inc closed 6 months ago

Moh-inc commented 7 months ago

I would like to make a slack API request while using the MultiTeamAuthorization middleware as we are using token rotation, is that possible?

zimeg commented 7 months ago

Hey @Moh-inc 👋 API requests are possible without an event for context, even with MultiTeamAuthorization, as long as the enterprise ID and team ID are known. With these IDs you can collect and set a bot token to make requests:

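```java
import com.slack.api.bolt.App;
import com.slack.api.bolt.AppConfig;
import com.slack.api.bolt.middleware.builtin.MultiTeamsAuthorization;
import com.slack.api.bolt.service.InstallationService;
import com.slack.api.bolt.service.builtin.FileInstallationService;
import com.slack.api.methods.request.chat.ChatPostMessageRequest;

AppConfig config = new AppConfig();
InstallationService installationService = new FileInstallationService(config);

App app = new App();
app.use(new MultiTeamsAuthorization(config, installationService));
// Look up the stored bot token by enterprise ID and team ID, then pass it explicitly
app.client().chatPostMessage(ChatPostMessageRequest.builder()
        .token(installationService.findBot("E0123456", "T0123456").getBotAccessToken())
        .channel("C0123456")
        .text("greetings 👾")
        .build());
```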

The enterprise ID can also be null for single workspace teams and a similar method exists to gather the user token with .findInstaller(enterpriseId, teamId, userId).getInstallerUserAccessToken(). Hopefully this helps, but please let me know if you have any other questions!

Moh-inc commented 7 months ago

@zimeg

Follow up question, when making the request, would this run the chatPostMessage through the MultiTeamsAuthorization middleware? I tried tracing the code, but couldn't find an indication that it would run the request through the middleware and hence refresh the token if needed. Another indication of that is that in the above it is passing the token from the installation service.

zimeg commented 7 months ago

Great catch! Since this API call doesn't come with a Request from Slack, the middleware isn't being run. From what I can tell, this refresh logic might have to be reimplemented before making the API call to make sure the token is rotated:

https://github.com/slackapi/java-slack-sdk/blob/6a285c35214540f381a6870ddbff5312d9f61b1c/bolt/src/main/java/com/slack/api/bolt/middleware/builtin/MultiTeamsAuthorization.java#L131-L150

There's additional logic to rotate the user token and request for installations also included in that file, as well as error handling and context updates for requests. Feel free to use what you need, though I would suggest checking the status of app.client().authTest(r -> r.token(botToken)).

Thanks for diving in and pointing this out! 👏

Moh-inc commented 7 months ago

Do you think it would be feasible and a nice addition for the middleware to automatically run when making a request?

seratch commented 7 months ago

@Moh-inc Making such a change could bring behavior changes to the existing code, so we hesitate to make the modification. Also, all Bolt middleware are supposed to be executed only when receiving an incoming request (e.g., Events API, interactivity with buttons and modals) from Slack. Thus, in general, running a middleware without the request data does not work well.

If your goal is to run token rotation logic before making an API call, please reuse only the relevant code within the built-in middleware (meaning the combination of the token rotator utility and installation store) for the use case.

I hope this helps.
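
One way to combine the token rotator utility and the installation store before an outbound API call, as discussed above. This is an added example, not code from the thread or from the SDK: the class `RotatingBotTokens`, the method `freshBotToken` and the two-hour refresh window are hypothetical, and the `TokenRotator` constructor and `performTokenRotation` call are assumed to match their use in the linked `MultiTeamsAuthorization` source, so check them against your SDK version.

```java
import com.slack.api.bolt.AppConfig;
import com.slack.api.bolt.model.Bot;
import com.slack.api.bolt.service.InstallationService;
import com.slack.api.methods.response.auth.AuthTestResponse;
import com.slack.api.token_rotation.RefreshedToken;
import com.slack.api.token_rotation.TokenRotator;
import java.util.Optional;

// Hypothetical helper (not part of the SDK) for API calls made outside a Slack request.
public class RotatingBotTokens {
    // Assumed refresh window: rotate when less than 2 hours of lifetime remain.
    private static final long REFRESH_WINDOW_MILLIS = 2 * 60 * 60 * 1000L;
    private final AppConfig config;
    private final InstallationService installations;
    private final TokenRotator rotator;

    public RotatingBotTokens(AppConfig config, InstallationService installations) {
        this.config = config;
        this.installations = installations;
        this.rotator = new TokenRotator(config.getSlack().methods(),
                REFRESH_WINDOW_MILLIS, config.getClientId(), config.getClientSecret());
    }
    // synchronized so two threads in this process do not rotate the same installation at once
    public synchronized String freshBotToken(String enterpriseId, String teamId) throws Exception {
        Bot bot = installations.findBot(enterpriseId, teamId);
        if (bot == null) {
            throw new IllegalStateException("No installation found for team " + teamId);
        }
        if (bot.getBotRefreshToken() != null) { // rotation is enabled for this installation
            Optional<RefreshedToken> refreshed = rotator.performTokenRotation(r -> r
                    .accessToken(bot.getBotAccessToken())
                    .refreshToken(bot.getBotRefreshToken())
                    .expiresAt(bot.getBotTokenExpiresAt()));
            if (refreshed.isPresent()) {
                // Persist before use so the new refresh token is never lost on a crash.
                bot.setBotAccessToken(refreshed.get().getAccessToken());
                bot.setBotRefreshToken(refreshed.get().getRefreshToken());
                bot.setBotTokenExpiresAt(refreshed.get().getExpiresAt());
                installations.saveBot(bot);
            }
        }
        // Confirm the token is usable (the auth.test check suggested in the thread).
        AuthTestResponse check = config.getSlack().methods().authTest(r -> r.token(bot.getBotAccessToken()));
        if (!check.isOk()) {
            throw new IllegalStateException("auth.test failed: " + check.getError());
        }
        return bot.getBotAccessToken();
    }
}
```

The returned value would be passed to `.token(...)` on the request builder in place of the direct `findBot(...).getBotAccessToken()` lookup; the exception messages deliberately contain no token material.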

github-actions[bot] commented 6 months ago

👋 It looks like this issue has been open for 30 days with no activity. We'll mark this as stale for now, and wait 10 days for an update or for further comment before closing this issue out. If you think this issue needs to be prioritized, please comment to get the thread going again! Maintainers also review issues marked as stale on a regular basis and comment or adjust status if the issue needs to be reprioritized.

github-actions[bot] commented 6 months ago

As this issue has been inactive for more than one month, we will be closing it. Thank you to all the participants! If you would like to raise a related issue, please create a new issue which includes your specific details and references this issue number.

Moh-inc commented 4 months ago

Btw in case anyone has the use case where they would like to force refresh tokens, I took this test code from the slack java bolt code base to force refresh the tokens every once in a while

https://github.com/slackapi/java-slack-sdk/blob/6a285c35214540f381a6870ddbff5312d9f61b1c/bolt/src/test/java/test_locally/app/MessageShortcutTest.java#L54