bolt-python

Clarification about Request Verification & OAuth for Private Apps

Open kabam-blambert opened this issue 10 months ago • 2 comments

I have two questions that stem from a bit of a lack of understanding about the Slack app OAuth flow and request verification that I hope can be cleared up relatively easily.

  1. For a private app that is installed into enterprise workspaces by an administrator, is there a reason to implement the OAuth flow? I see many guides for installing apps via the OAuth flow, but this seems to only apply to publicly distributed apps. In the case of an organization where an admin manages all installations, we can't funnel users through the install OAuth flow as all the guides suggest. I do see that we could initially prompt them to follow the OAuth link and have them complete the flow, but if our app doesn't impersonate users is there a reason to do this?

  2. I couldn't find much detailed information about request verification in the docs. I see that there is a request verification middleware, but I was wondering if providing the signing secret when instantiating the app takes care of verification or if there are additional steps needed?

Thanks for the clarifications. I'm a big fan of Bolt!

kabam-blambert avatar Apr 15 '25 19:04 kabam-blambert

👋 It looks like this issue has been open for 30 days with no activity. We'll mark this as stale for now, and wait 10 days for an update or for further comment before closing this issue out. If you think this issue needs to be prioritized, please comment to get the thread going again! Maintainers also review issues marked as stale on a regular basis and comment or adjust status if the issue needs to be reprioritized.

github-actions[bot] avatar May 19 '25 00:05 github-actions[bot]

Hey @kabam-blambert 👋 Thanks for the questions and apologies for a slow response here!

I will share my best understandings, but please let me know if more clarification is needed or confusion arises from this:

  1. For a private app that is installed into enterprise workspaces by an administrator, is there a reason to implement the OAuth flow?

The OAuth process is most useful for gathering bot tokens unique to separate installations across various workspaces or user tokens, as you're suggesting.

If the tokens you need can be collected without this, the OAuth process might not be needed.

  2. I was wondering if providing the signing secret when instantiating the app takes care of verification or if there are additional steps needed?

You called it with the built-in middleware and signing secret provided to the app constructor! This implementation can be found in the slack_sdk project 🐍 ✨

We've been reorganizing documentation these past few weeks, but this page has more details! 📚

I hope developments have been going alright but I understand enterprise requirements can make these questions important before getting started 🤖

zimeg avatar May 22 '25 02:05 zimeg

👋 It looks like this issue has been open for 30 days with no activity. We'll mark this as stale for now, and wait 10 days for an update or for further comment before closing this issue out. If you think this issue needs to be prioritized, please comment to get the thread going again! Maintainers also review issues marked as stale on a regular basis and comment or adjust status if the issue needs to be reprioritized.

github-actions[bot] avatar Jun 23 '25 00:06 github-actions[bot]

As this issue has been inactive for more than one month, we will be closing it. Thank you to all the participants! If you would like to raise a related issue, please create a new issue which includes your specific details and references this issue number.

github-actions[bot] avatar Jul 07 '25 00:07 github-actions[bot]