
passport-slack-oauth2 is NOT using the new oauth flow by slack #9

Open
HazemSayad opened this issue Jan 17, 2023 · 2 comments

Comments

@HazemSayad

I created a new app in Slack and noticed that the scopes I am adding from Slack's OAuth scopes (https://api.slack.com/scopes) are not working and result in an error.
But trying scopes from the legacy tag (https://api.slack.com/scopes?filter=bot) would work.

Using the commands scope would fail, while using the bot scope would work.

The commands scope is new, while the bot scope is now legacy.

New Slack apps are installed with a V2 OAuth 2.0 flow.

We're sorry about the double V2s: OAuth 2.0 refers to the 2.0 version of the OAuth spec, and this is our second version of OAuth 2.0. For the rest of this guide, we'll just call it OAuth and drop all the 2s.

The OAuth flow for new Slack apps works exactly the same way as the OAuth flow for classic Slack apps. Only a few details have changed slightly: URL and method names have gained a v2, and the shape of the OAuth access response now puts bot access tokens first.

We've created this V2 OAuth flow because it provides more granular Slack scopes, especially for bot users. With the new OAuth flow, your app can act with its own identity, instead of acting on behalf of users—all without requesting excessive permissions that could cause installs to be rejected.

https://api.slack.com/authentication/oauth-v2

Will the strategy be updated to the new OAuth 2.0 flow by Slack anytime soon?

@jonstorer
Contributor

Slack's new OAuth2 v2 authentication implementation breaks OAuth2 with the passport-slack-oauth2 library.

Passport's goal is to authenticate a User. Slack has chosen to implement an authentication strategy to allow authenticating multiple contexts, primarily bot and user. In order to achieve this goal, Slack's OAuth2 v2 implementation may return multiple tokens (depending on the scope & user_scope passed into the authorization redirection request).

The OAuth2 standard does not support a multi-token response within the getOAuthAccessToken request. Therefore, in order for Slack to achieve the multiple authentication goal, a second token is nested within the first token response.

Example Slack OAuth2 v2 token response (bot token with nested user token)

{
  ok: true,
  app_id: 'app-id',

  // bot token
  bot_user_id: 'bot-user-id',
  scope: 'scope1,scope2',
  access_token: 'bot-token',
  token_type: 'bot',

  // user token
  authed_user: {
    id: 'user-id',
    scope: 'scope1,scope2',
    access_token: 'user-token',
    token_type: 'user'
  },

  // misc
  team: {
    id: 'team-id',
    name: 'team-name'
  },
  enterprise: null,
  is_enterprise_install: false,
}

In order to align with Passport's goal to authenticate a User, this token response needs to be reworked to lift the user token & nest the bot token.

Example reformatted token response

{
  ok: true,
  app_id: 'app-id',

  // user token
  id: 'user-id',
  scope: 'scope1,scope2',
  access_token: 'user-token',
  token_type: 'user',

  // bot token
  authed_bot: {
    bot_user_id: 'bot-user-id',
    scope: 'scope1,scope2',
    access_token: 'bot-token',
    token_type: 'bot',
  },

  // misc
  team: {
    id: 'team-id',
    name: 'team-name'
  },
  enterprise: null,
  is_enterprise_install: false,
}

@jonstorer
Contributor

@nmaves & @HazemSayad could you both take a look at #13 AND jaredhanson/passport-oauth2#174 ?
