I'm generating an authorization link:

var url = `https://slack.com/oauth/authorize?client_id=*****.*****&redirect_uri=http://localhost:6001/code/slack&state=${state}&scope=channels:read,bot`

In the redirect endpoint:

var url = 'https://slack.com/api/oauth.v2.access';
var data = {
  'grant_type': 'authorization_code',
  'client_id': "*****.******",
  'code': req.query.code,
  'redirect_uri': 'http://localhost:6001/code/slack'
};

axios.post(url, data, {
  headers: {
    'Content-Type': 'application/json; charset=utf-8'
  }
}).then((response: any) => {
  console.log(response.data)
}).catch((error: any) => {
  res.status(400).json(error.response.data);
});

However, I'm receiving this error for some reason: { ok: false, error: 'invalid_code' }

Could it be because I have an HTTP redirect point? I don't think so because I'm able to receive the code and state in the request.

Ibra

1 Answer

As per this https://api.slack.com/methods/oauth.v2.access

'Content-Type': 'application/x-www-form-urlencoded'

client_secret is required. code may have to be decoded from URL encoding

Delta George
  • Client Secret is optional and when I changed the content type I got { ok: false, error: 'invalid_form_data' } – Ibra Apr 14 '22 at 13:58
  • This is how the code looks like in my redirect endpoint query 3382854632534.3405002874401.0fa0c731a5107280809570bbd8a431dad0389329097156eee455d7cccdf67834 is this normal? – Ibra Apr 14 '22 at 14:11
  • The code looks OK. Are you sending JSON - it will not be accepted? client_secret may be optional in native app scenario with PKCE. – Delta George Apr 14 '22 at 14:46
  • I'm sending the data object as noted above and tried removing the strings from the keys in the data object – Ibra Apr 14 '22 at 15:05
  • That will not work :( You need key=value&key=value string url encoded – Delta George Apr 14 '22 at 15:07
  • Do you mind giving me an example how to do it with axios in your provided answer? – Ibra Apr 14 '22 at 15:09
  • See this answer: https://stackoverflow.com/questions/35325370/how-do-i-post-a-x-www-form-urlencoded-request-using-fetch – Delta George Apr 14 '22 at 15:13
  • I'm getting bad client secret now.. I thought it's optional – Ibra Apr 14 '22 at 15:47
  • and even if I included it I started getting oauth_authorization_url_mismatch because I'm using http instead of https :/ – Ibra Apr 14 '22 at 16:10
  • It appears that you are using Slack's OAuth2 protocol as described here: https://api.slack.com/legacy/oauth. You are authorising at https://slack.com/oauth/authorize. Therefore you have to exchange code for token here: https://slack.com/api/oauth.access Valid scopes are here: https://api.slack.com/legacy/oauth-scopes. I do not see this scope in the list: channels:read,bot – Delta George Apr 14 '22 at 17:59
  • Removing the bot scope wouldn't fix the main problem I'm facing rn which is the request needs to be sent to a https endpoint. – Ibra Apr 14 '22 at 18:08
  • Yes, Slack requires redirect_url to use https. However, I am happy to confirm that the token exchange does work from command line using Httpie: http --form POST https://slack.com/api/oauth.access client_id=XXXXX client_secret=XXXXX code=XXXXX redirect_uri=https://localhost:8010. – Delta George Apr 14 '22 at 18:23
  • The corresponding auth request: https://slack.com/oauth/authorize?client_id=XXXX&scope=channels:read&redirect_uri=https://localhost:8010&state=1 – Delta George Apr 14 '22 at 18:26
  • The access endpoint you shared belongs to the legacy module, i.e. (NEW https://slack.com/api/oauth.v2.access). – Ibra Apr 14 '22 at 18:44
  • I think it will be an overfill to setup https on my express server for this. Any idea how to work around it? – Ibra Apr 14 '22 at 18:44
  • Does this help: https://medium.com/@esplo/an-easy-to-use-proxy-to-access-https-localhost-6cfcf8602e6b – Delta George Apr 14 '22 at 19:03
  • Very interesting resource.. thanks for sharing. I'm not sure how to configure it on pipelines – Ibra Apr 14 '22 at 19:08
  • I believe this is beyond the scope of the original question. – Delta George Apr 14 '22 at 20:33
  • Hahahaa true, I might post a question and I’ll let you know how it goes :) thanks a lot – Ibra Apr 14 '22 at 22:01
  • No worries. I believe I answered the original question. May as well accept my answer. – Delta George Apr 14 '22 at 22:11
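
Added example (not part of the original question or answer): one way to assemble the token exchange discussed in this thread, with the state check, a form-encoded body, a client_secret taken from configuration, and the same redirect_uri as the authorize link. The function names, the session/config objects and all sample values are assumptions; the request is only built here, and the returned body is what would be passed as the POST data to axios or fetch.

```javascript
// Added example: builds (but does not send) the token-exchange request.
// statesMatch, buildTokenExchange and readSlackResult are hypothetical names.
const TOKEN_URL = 'https://slack.com/api/oauth.v2.access'; // endpoint cited in the answer

// Compare the returned state with the one stored for this session without
// stopping at the first differing character.
function statesMatch(expected, received) {
  if (typeof expected !== 'string' || typeof received !== 'string') return false;
  if (expected.length === 0 || expected.length !== received.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ received.charCodeAt(i);
  }
  return diff === 0;
}

function buildTokenExchange(query, session, config) {
  if (!statesMatch(session.state, query.state)) {
    throw new Error('state_mismatch'); // callback is not tied to a flow we started
  }
  if (typeof query.code !== 'string' || query.code === '') {
    throw new Error('missing_code');
  }
  if (!config.clientSecret) {
    throw new Error('missing_client_secret'); // load from env or a secret store, not source
  }
  // URLSearchParams produces key=value&key=value, percent-encoded exactly once.
  const body = new URLSearchParams({
    client_id: config.clientId,
    client_secret: config.clientSecret,
    code: query.code,
    redirect_uri: session.redirectUri, // exact value sent in the authorize link
  }).toString();
  return {
    url: TOKEN_URL,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  };
}

// The question's error arrived in .then() as { ok: false, error: ... },
// so success is decided by the `ok` field, not only by the HTTP status.
function readSlackResult(data) {
  if (!data || data.ok !== true) {
    throw new Error(`slack_oauth_failed: ${data && data.error ? data.error : 'unknown'}`);
  }
  return data;
}
```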