Building a Slack app that authenticates into external system using OAUTH

I am in the process of building a small test slack app and not clear on the architecture that is needed for authentication. This will be a NodeJS application that lives on Heroku.

When a user uses a /slash command, it is going to invoke logic that will query an external CRM system and return data. In order to authenticate into this external system, it would need to send the user through an OAUTH flow so that the access to the data is governed by the invoking users' permissions.

My confusion is to how to handle or persist these auth tokens/refresh tokens that we get back from the user authenticating during this process.

Example Steps:

  1. Runs /user
  2. Checks to see if user has authorized on this external system
  3. If not, take the user through the external systems oauth flow
  4. After authentication, we have the token that can be used to make callouts to the external systems API as that user.
  5. Makes callout and returns data

How would I persist or check for the slack users auth/refresh token when they run the command to see if we already have it? If the token already existed, I wouldn't need to send them through the OAUTH flow again.

My Thoughts on the approach:

It almost seems like there needs to be a data store of some type that contains the slack user ID, auth token, and refresh token. When the user invokes the command, we check to see if that user is in the table and if so, we use their token to make the API call.

If they don't exist, we then send them through the OAUTH flow so we can store them.

Final Thoughts:

In terms of security, is having a table of tokens the correct way to do this? It almost seems like it's the equivalent of storing a plain text password if someone were to get that token.

Is there a better way to handle this or is this a common approach?

Read more here:

Content Attribution

This content was originally published by SBB at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.

%d bloggers like this: