I am first time creating an app on slack which responds to command in channel / group / dm. My questions are
should i use slack bot token or user token , how to decide on it ?
If i use user token do i need any additional scope access , just to read list of users in group / personal / channel only where i am part of
I want to know what are best practices on that
should i use slack bot token or user token , how to decide on it ?
When architecting your app, it's best to require the least number of scopes as required for your app to function. On the same thread, you should only use the User Token if you have a method that only the user token can access or you want to do something on behalf of the user, otherwise it's best to stick with the bot token only.
If i use user token do i need any additional scope access , just to read list of users in group / personal / channel only where i am part of
The method to retrieve a list of users is the conversations.members method. You'll need the specific *:read scope for the type of conversation that you want to pull the users from: im, mpim, private channel or public channel.
Related
I am trying to create a website that checks if the current logged-in user is subscribed to a specific youtube channel. This is meant to restrict the user if they haven't yet. Is something like this even possible?
You would need the user to login via google identity services to be able to access data like that via the api. The api gives you access to the channels the user is subscribed to if the user allows this
I have a question on micro-service architecture. example I have :
An authorization and authentication server which provide JWT (Keycloak for exemple)
2 micro service which communicate between them through REST.
1 micro service is a user service which create a new user in my database on each new user from the Keycloak (may be tomorrow we have Google or Github, it's important to take this in mind). When I'm creating a user I store his subject from claim in a specific field.
1 micro service which store the creatorId, the updateById for blog post for exemple.
Is it better to store in my creatorId and updatedById the subject (Like this I don't need to ask to my user service to identify who is a creator) or to store the userId from my user service and everytime call from my post-service which is the user that made the request (So I made Everytime a rest request to get the user which send the request by passing the JWT token to the user service).
IMO, sending Everytime a rest request will increase the load on the user service but a subject id for a different user can be the same for Google, Github and Keycloak.
I would do the following, so that you can move to a different Authorization Server (Google / Github) in future without too much impact:
User Service creates a row in its Users Table for each new user, with a database surrogate key as the main user id
This user id is saved to your creatorId / updateById fields
Meanwhile the OAuth Id / Sub claim is a column in the Users Table, but is not the main user identifier from business logic
The Posts Service can avoid calling the User Service on every single request if you cache claims in the Posts Service. Some resources of mine might give you some ideas that you can apply to your own solution:
User Management Blog Post
Claims Caching Blog Post
Claims Caching Code
I'm building a Node only application that reads logs in the background and based on an event being read will send a message to a Teams channel directly.
I've been having quite a few issues getting a Graph API access token valid through Username and password.
I have been able to get a Graph API access token with client secret and tenant id which represents access
"without a user". Now that does not allow me to post a message in a channel as I would need to have access "on behalf of a user".
API => https://graph.microsoft.com/v1.0/teams/{team-id}/channels/{channel-id}/messages .
Would there be another way of achieving this? Webhook/Connectors?
Thank you!
There's a few different ways you can post to a teams channel, you can set up like you said an http webhook, where you could call it to post into a channel https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using
You can use power automate (flow) or logic apps to post messages as the flowbot, or you can write a bot/ use the bot framework to register a bot that can post to teams, called proactive messaging: https://learn.microsoft.com/en-us/microsoftteams/platform/resources/bot-v3/bot-conversations/bots-conv-proactive
As for trying to use graph with application permissions, that's not possible, at least for the moment.
I'm working on a React app with an Express backend, with Passport for authentication via JWTs. A registered user needs to be able to send an invitation to someone else who is unregistered, to come use the application. The unregistered user should not be required to register in order to see a subset of our content. THIS IS IMPORTANT - the unregistered user needs to be able to have access to some data that belongs to the registered user and would otherwise be unviewable without being authenticated. I built an invitation model to track these invites, who sent them, who they're being sent to, etc.
What is the best/most secure way to identify this user?
My current guess is to create a unique string and store that in the invitation object and pass that to the unregistered user via email. So they will have a link to our app with ?invite_id=SOME_ID_HERE appended at the end. When they reach our app we will verify that the string matches an invite in our DB.
Is this the best approach? Should I be doing something more secure, maybe a pair of public and private keys? Any advice would be greatly appreciated, thanks!
I think it's best to keep this as a random ID in your database. That way, the users can be removed later. And, if you do associate this new user with that random ID later, you can use an existing profile that you're already storing rather than having them start from scratch.
In other words, create a new ID for this user but set it up so that they can only access things via this URL until they create an account.
Simply looking for some direction, whether it's a link to the docs or an example:
I want to use Passport to authenticate users using Slack/Passport but only if they belong to my company. So, for example,
olaf#mycompany can log in and view protected assets
ishtar#anotherco cannot do either, despite having an account with slack
A cursory search found this issue but I couldn't find anything in the docs.
Thanks!
Slack Passport is using the Sign in with Slack feature. It requires users to already have an existing Slack account for your Slack workspace.
So to ensure that only users belonging to your company get access to your web site all you need to do is verify that you receive an access token for the right Slack workspace, e.g. the one of your company. You can check that by comparing the team_id in the access token.
Apparently you can pass a team parameter during the oauth flow as described here. This allows slack to do the id comparison on their end, but it does require the developer to know what their team's id is ahead of time.