
Oauth2.0 Token rotation doubts + How to handle token rotation in a distributed java server #1423

Open
chandrasekhar1996 opened this issue Jan 21, 2025 · 2 comments
Labels
discussion question M-T: User needs support to use the project

Comments

@chandrasekhar1996

Hey team,
I want to integrate the Slack Bolt SDK in my distributed Java application to be able to send messages to users. The app/bot won't be handling any incoming requests at this point. This app will only be installed in one workspace, but with token rotation enabled for security purposes.

How does the Bolt SDK handle token rotation? Will the token expiration be checked only when a postMessage is called, and then the token refreshed? There may be cases in my application when a message is not sent for days; with the 12-hour expiry of the access token, will this be an issue, and is it possible to configure the Slack app to rotate the token every X hours?

In my distributed Java app, will token rotation with the default Amazon S3 implementation be handled without any concurrency issues?

@chandrasekhar1996
Author

I would also like any recommendation on whether I should stick to the Bolt SDK in my use case. I am primarily starting from the Bolt SDK because, even though the current use case is only to send messages and not receive any input, in the future the app may be expanded with this functionality, and I want token rotation to be handled.

@vegeris

vegeris commented Jan 21, 2025

Hi there,

That's right; if enabled via app settings, the Bolt SDK will handle token rotation for you. The full details can be found in the source code for the middleware here: MultiTeamsAuthorization (from the release notes). I believe when a request is made, the checks will happen in the middleware to validate the token, at which point it may be rotated.

The refresh token is a long-lived token and never expires, whereas the access token expires after 12 hours. When you use the refresh token you get a new auth token and a new refresh token. The refresh token that was just used will remain valid for 5 minutes and then expire.

General documentation and instructions for implementing your own token rotation solution outside of Bolt if you want to customize it: https://api.slack.com/authentication/rotation

@vegeris vegeris added discussion question M-T: User needs support to use the project and removed untriaged labels Jan 21, 2025
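An added example, not Bolt's own code, of the rotation check a distributed sender needs given the lifetimes described above: refresh ahead of the 12-hour access-token expiry rather than at it, and let only one node persist a rotation via a conditional write, so the other nodes pick up the winner's tokens instead of each rotating on their own. The `Tokens` and `RefreshResult` records, the refresh function, and the in-memory `AtomicReference` standing in for an S3 or database conditional write are assumptions made for the illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;

/** Token pair as a store would persist it; `version` is the guard against concurrent writers. */
record Tokens(String accessToken, String refreshToken, Instant expiresAt, long version) {}

/** Shape of a refresh response; a constructed placeholder, not Slack's real payload. */
record RefreshResult(String accessToken, String refreshToken, Duration lifetime) {}

final class TokenRotator {
    // Rotate before the 12-hour access token actually expires, so a send never uses a dead token.
    private static final Duration REFRESH_MARGIN = Duration.ofMinutes(30);
    private final AtomicReference<Tokens> store;            // stands in for S3/DB with conditional write
    private final Function<String, RefreshResult> refresh;  // stands in for the refresh_token grant call

    TokenRotator(Tokens initial, Function<String, RefreshResult> refresh) {
        this.store = new AtomicReference<>(initial);
        this.refresh = refresh;
    }

    /** Returns an access token valid at `now`, rotating first if it is about to expire. */
    String accessTokenFor(Instant now) {
        while (true) {
            Tokens current = store.get();
            if (now.plus(REFRESH_MARGIN).isBefore(current.expiresAt())) {
                return current.accessToken();
            }
            RefreshResult r;
            try {
                r = refresh.apply(current.refreshToken());
            } catch (RuntimeException e) {
                // The refresh token may already be dead because another node rotated more than
                // 5 minutes ago; if the store has moved on, use its tokens, otherwise surface the error.
                if (store.get().version() != current.version()) continue;
                throw e;
            }
            Tokens rotated = new Tokens(r.accessToken(), r.refreshToken(),
                    now.plus(r.lifetime()), current.version() + 1);
            // Conditional write: only a node that still sees `current` persists its result. A loser
            // discards what it got (its call succeeded because the old refresh token stays usable
            // for 5 minutes) and re-reads the winner's tokens on the next loop iteration.
            if (store.compareAndSet(current, rotated)) {
                return rotated.accessToken();
            }
        }
    }
}
```

Because the check runs lazily at send time, a gap of days between messages is harmless: the never-expiring refresh token is used on the next send, and the margin keeps a token that is nearly expired from being used for the call.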