feat: Add OAuth 2.0 multi-user support#124
feat: Add OAuth 2.0 multi-user support#124wentaoyang-moloco wants to merge 6 commits intokorotovsky:masterfrom
Conversation
Add OAuth 2.0 authentication flow for multi-user support with the following features: Core OAuth Implementation: - OAuth 2.0 authorization flow with Slack API - CSRF protection via state parameter validation - In-memory token storage with automatic cleanup - Per-request Slack client creation for token isolation - Support for both user tokens (xoxp) and bot tokens (xoxb) Dual-Mode Architecture: - Legacy mode: Single-user with browser tokens (xoxc/xoxd/xoxp) - OAuth mode: Multi-user with OAuth tokens - Backward compatible with existing configurations OAuth Handlers: - /oauth/authorize endpoint for initiating OAuth flow - /oauth/callback endpoint for processing OAuth callbacks - OAuth middleware for token validation and user context injection Multi-User Features: - Per-user token isolation and validation - User context propagation through request chain - Separate user and bot token support - Option to post as bot or user via post_as_bot parameter Security Enhancements: - Secure state generation using crypto/rand - Token validation on each request - HTTPS requirement for OAuth callbacks (Slack requirement) - Security headers on OAuth endpoints - Credentials removed from example files Documentation: - Comprehensive OAuth setup guide (docs/04-oauth-setup.md) - ngrok setup instructions for local development - OAuth configuration examples - Architecture and troubleshooting sections Developer Tools: - OAuth testing script (scripts/test-oauth.sh) - OAuth server startup script (start-oauth-server.sh) - Example configuration file (oauth.env.example) Modified Components: - main.go: Added OAuth mode detection and initialization - channels.go: OAuth support with per-request client - conversations.go: OAuth support with user/bot token selection - server.go: OAuth-enabled SSE and HTTP server methods - sse_auth.go: Exported WithAuthKey for OAuth middleware - .gitignore: Added oauth.env and binary exclusions New Components: - pkg/oauth/: OAuth manager, storage, and types - pkg/server/auth/: OAuth middleware and user context - pkg/server/oauth_handler.go: OAuth HTTP handlers Breaking Changes: None (fully backward compatible) Environment Variables: - SLACK_MCP_OAUTH_ENABLED: Enable OAuth mode - SLACK_MCP_OAUTH_CLIENT_ID: Slack app client ID - SLACK_MCP_OAUTH_CLIENT_SECRET: Slack app client secret - SLACK_MCP_OAUTH_REDIRECT_URI: OAuth callback URL (requires HTTPS)
Skip TestIntegrationConversations as it requires: - External Slack workspace with #testcase-1 channel and test data - SLACK_MCP_OPENAI_API environment variable - ngrok forwarding setup This test is from the upstream repo and requires infrastructure not available in CI. Test can be re-enabled when proper test infrastructure is set up.
Remove ability to post as bot for security and clarity: - Removed post_as_bot parameter from conversations handler - Removed bot scopes from OAuth authorization request - Simplified OAuth callback response (no bot token) - Updated documentation to reflect user-only posting Users will now always appear as themselves when posting messages, never as the app bot. This provides better transparency and prevents impersonation concerns.
|
Thanks for working on this. Curious if the maintainers plan in pushing this forwards? Thanks. |
|
I'd be happy to prioritize this if someone could pick this up |
Add comprehensive OAuth quick-start section to README: - Step-by-step OAuth setup instructions - Comparison with legacy mode (when to use each) - OAuth environment variables added to reference table - Clear benefits and use cases for OAuth vs legacy - MCP client configuration examples Makes it easier for users to understand and choose between OAuth mode (multi-user, production) and legacy mode (single-user, testing).
Merged latest changes from upstream korotovsky/slack-mcp-server: - Bot token (xoxb) support from upstream - Dependency updates and bug fixes - Tool annotations for better LLM understanding - Default cache directory improvements Conflicts resolved: - README.md: Merged OAuth variables with bot token support - Both OAuth and bot token authentication methods now documented Changes from upstream: - xoxb bot token support - Updated dependencies (slack-go v0.17.3) - Cache file location improvements - Various bug fixes and features
|
@mrfelton @korotovsky this branch is in our internal fork. People have tested and deployed it so it should be working, I am fine if you guys want to merge and use it, but I am hesitant to be the maintainer in the public repo, so you guys need to take over it. |
|
Hi @wentaoyang-moloco, this is amazing work, thank you. Due to the size of the PR it must be carefully checked, there might be a couple of more comments what we must improve to make it part of this repo. I'll get back later during the weekend since I'm quite busy with #150 |
|
Pretty exciting work. I've brought the changes into my fork, and tested them. It works as intended. One thing I noticed is that when using oauth user tokens, the channel/user caching doesn't work as intended. Basically, raw user/channel IDs are returned rather than looking up their readable names. |
|
Introduced PR here to fix all the bugs I found in this oauth implementation. |
|
Hi @aron-muon, I merged GovSlack to master, could you cherry-pick changes from this PR into a separate PR + add your own fixes and we give it a go? Then later I will close this PR. |
|
Closed in favor of #166 |
4 participants
Add OAuth 2.0 authentication flow for multi-user support with the following features:
Core OAuth Implementation:
Dual-Mode Architecture:
OAuth Handlers:
Multi-User Features:
Security Enhancements:
Documentation:
Developer Tools:
Modified Components:
New Components:
Breaking Changes: None (fully backward compatible)
Environment Variables: