Introduce actor enterprise/team/user_id for Slack Connect events (#854)

Author: seratch

slack_bolt/adapter/aws_lambda/lambda_s3_oauth_flow.py

@@ -59,6 +59,7 @@ def __init__(
             client_secret=settings.client_secret,
             installation_store=settings.installation_store,
             bot_only=settings.installation_store_bot_only,
+            user_token_resolution=(settings.user_token_resolution if settings is not None else "authed_user"),
         )
 
         OAuthFlow.__init__(self, client=client, logger=logger, settings=settings)

slack_bolt/app/app.py

@@ -238,6 +238,7 @@ def message_hello(message, say):
                 logger=self._framework_logger,
                 bot_only=installation_store_bot_only,
                 client=self._client,  # for proxy use cases etc.
+                user_token_resolution=(settings.user_token_resolution if settings is not None else "authed_user"),
             )
 
         self._oauth_flow: Optional[OAuthFlow] = None
@@ -379,7 +380,13 @@ def _init_middleware_list(
             else:
                 raise BoltError(error_token_required())
         else:
-            self._middleware_list.append(MultiTeamsAuthorization(authorize=self._authorize, base_logger=self._base_logger))
+            self._middleware_list.append(
+                MultiTeamsAuthorization(
+                    authorize=self._authorize,
+                    base_logger=self._base_logger,
+                    user_token_resolution=self._oauth_flow.settings.user_token_resolution,
+                )
+            )
         if ignoring_self_events_enabled is True:
             self._middleware_list.append(IgnoringSelfEvents(base_logger=self._base_logger))
         if url_verification_enabled is True:

slack_bolt/app/async_app.py

@@ -243,6 +243,7 @@ async def message_hello(message, say):  # async function
                 logger=self._framework_logger,
                 bot_only=installation_store_bot_only,
                 client=self._async_client,  # for proxy use cases etc.
+                user_token_resolution=(settings.user_token_resolution if settings is not None else "authed_user"),
             )
 
         self._async_oauth_flow: Optional[AsyncOAuthFlow] = None
@@ -374,7 +375,11 @@ def _init_async_middleware_list(
                 raise BoltError(error_token_required())
         else:
             self._async_middleware_list.append(
-                AsyncMultiTeamsAuthorization(authorize=self._async_authorize, base_logger=self._base_logger)
+                AsyncMultiTeamsAuthorization(
+                    authorize=self._async_authorize,
+                    base_logger=self._base_logger,
+                    user_token_resolution=self._async_oauth_flow.settings.user_token_resolution,
+                )
             )
 
         if ignoring_self_events_enabled is True:

slack_bolt/authorization/async_authorize.py

@@ -30,6 +30,10 @@ async def __call__(
         enterprise_id: Optional[str],
         team_id: Optional[str],  # can be None for org-wide installed apps
         user_id: Optional[str],
+        # actor_* can be used only when user_token_resolution: "actor" is set
+        actor_enterprise_id: Optional[str] = None,
+        actor_team_id: Optional[str] = None,
+        actor_user_id: Optional[str] = None,
     ) -> Optional[AuthorizeResult]:
         raise NotImplementedError()
 
@@ -51,6 +55,10 @@ async def __call__(
         enterprise_id: Optional[str],
         team_id: Optional[str],  # can be None for org-wide installed apps
         user_id: Optional[str],
+        # actor_* can be used only when user_token_resolution: "actor" is set
+        actor_enterprise_id: Optional[str] = None,
+        actor_team_id: Optional[str] = None,
+        actor_user_id: Optional[str] = None,
     ) -> Optional[AuthorizeResult]:
         try:
             all_available_args = {
@@ -66,6 +74,9 @@ async def __call__(
                 "enterprise_id": enterprise_id,
                 "team_id": team_id,
                 "user_id": user_id,
+                "actor_enterprise_id": actor_enterprise_id,
+                "actor_team_id": actor_team_id,
+                "actor_user_id": actor_user_id,
             }
             for k, v in context.items():
                 if k not in all_available_args:
@@ -103,6 +114,8 @@ class AsyncInstallationStoreAuthorize(AsyncAuthorize):
     """
 
     authorize_result_cache: Dict[str, AuthorizeResult]
+    bot_only: bool
+    user_token_resolution: str
     find_installation_available: Optional[bool]
     find_bot_available: Optional[bool]
     token_rotator: Optional[AsyncTokenRotator]
@@ -122,10 +135,13 @@ def __init__(
         bot_only: bool = False,
         cache_enabled: bool = False,
         client: Optional[AsyncWebClient] = None,
+        # Since v1.27, user token resolution can be actor ID based when the mode is enabled
+        user_token_resolution: str = "authed_user",
     ):
         self.logger = logger
         self.installation_store = installation_store
         self.bot_only = bot_only
+        self.user_token_resolution = user_token_resolution
         self.cache_enabled = cache_enabled
         self.authorize_result_cache = {}
         self.find_installation_available = None
@@ -147,6 +163,10 @@ async def __call__(
         enterprise_id: Optional[str],
         team_id: Optional[str],  # can be None for org-wide installed apps
         user_id: Optional[str],
+        # actor_* can be used only when user_token_resolution: "actor" is set
+        actor_enterprise_id: Optional[str] = None,
+        actor_team_id: Optional[str] = None,
+        actor_user_id: Optional[str] = None,
     ) -> Optional[AuthorizeResult]:
 
         if self.find_installation_available is None:
@@ -194,16 +214,34 @@ async def __call__(
 
                         # try to fetch the request user's installation
                         # to reflect the user's access token if exists
-                        this_user_installation = await self.installation_store.async_find_installation(
-                            enterprise_id=enterprise_id,
-                            team_id=team_id,
-                            user_id=user_id,
-                            is_enterprise_install=context.is_enterprise_install,
-                        )
+                        # try to fetch the request user's installation
+                        # to reflect the user's access token if exists
+                        if self.user_token_resolution == "actor":
+                            if actor_enterprise_id is not None or actor_team_id is not None:
+                                # Note that actor_team_id can be absent for app_mention events
+                                this_user_installation = await self.installation_store.async_find_installation(
+                                    enterprise_id=actor_enterprise_id,
+                                    team_id=actor_team_id,
+                                    user_id=actor_user_id,
+                                    is_enterprise_install=None,
+                                )
+                        else:
+                            this_user_installation = await self.installation_store.async_find_installation(
+                                enterprise_id=enterprise_id,
+                                team_id=team_id,
+                                user_id=user_id,
+                                is_enterprise_install=context.is_enterprise_install,
+                            )
                         if this_user_installation is not None:
                             user_token = this_user_installation.user_token
                             user_scopes = this_user_installation.user_scopes
-                            if latest_bot_installation.bot_token is None:
+                            if (
+                                latest_bot_installation.bot_token is None
+                                # enterprise_id/team_id can be different for Slack Connect channel events
+                                # when enabling user_token_resolution: "actor"
+                                and latest_bot_installation.enterprise_id == this_user_installation.enterprise_id
+                                and latest_bot_installation.team_id == this_user_installation.team_id
+                            ):
                                 # If latest_installation has a bot token, we never overwrite the value
                                 bot_token = this_user_installation.bot_token
                                 bot_scopes = this_user_installation.bot_scopes
@@ -213,7 +251,13 @@ async def __call__(
                             if refreshed is not None:
                                 user_token = refreshed.user_token
                                 user_scopes = refreshed.user_scopes
-                                if latest_bot_installation.bot_token is None:
+                                if (
+                                    latest_bot_installation.bot_token is None
+                                    # enterprise_id/team_id can be different for Slack Connect channel events
+                                    # when enabling user_token_resolution: "actor"
+                                    and latest_bot_installation.enterprise_id == this_user_installation.enterprise_id
+                                    and latest_bot_installation.team_id == this_user_installation.team_id
+                                ):
                                     # If latest_installation has a bot token, we never overwrite the value
                                     bot_token = refreshed.bot_token
                                     bot_scopes = refreshed.bot_scopes

slack_bolt/authorization/authorize.py

@@ -29,6 +29,10 @@ def __call__(
         enterprise_id: Optional[str],
         team_id: Optional[str],  # can be None for org-wide installed apps
         user_id: Optional[str],
+        # actor_* can be used only when user_token_resolution: "actor" is set
+        actor_enterprise_id: Optional[str] = None,
+        actor_team_id: Optional[str] = None,
+        actor_user_id: Optional[str] = None,
     ) -> Optional[AuthorizeResult]:
         raise NotImplementedError()
 
@@ -55,6 +59,10 @@ def __call__(
         enterprise_id: Optional[str],
         team_id: Optional[str],  # can be None for org-wide installed apps
         user_id: Optional[str],
+        # actor_* can be used only when user_token_resolution: "actor" is set
+        actor_enterprise_id: Optional[str] = None,
+        actor_team_id: Optional[str] = None,
+        actor_user_id: Optional[str] = None,
     ) -> Optional[AuthorizeResult]:
         try:
             all_available_args = {
@@ -70,6 +78,9 @@ def __call__(
                 "enterprise_id": enterprise_id,
                 "team_id": team_id,
                 "user_id": user_id,
+                "actor_enterprise_id": actor_enterprise_id,
+                "actor_team_id": actor_team_id,
+                "actor_user_id": actor_user_id,
             }
             for k, v in context.items():
                 if k not in all_available_args:
@@ -108,6 +119,7 @@ class InstallationStoreAuthorize(Authorize):
 
     authorize_result_cache: Dict[str, AuthorizeResult]
     bot_only: bool
+    user_token_resolution: str
     find_installation_available: bool
     find_bot_available: bool
     token_rotator: Optional[TokenRotator]
@@ -127,10 +139,13 @@ def __init__(
         bot_only: bool = False,
         cache_enabled: bool = False,
         client: Optional[WebClient] = None,
+        # Since v1.27, user token resolution can be actor ID based when the mode is enabled
+        user_token_resolution: str = "authed_user",
     ):
         self.logger = logger
         self.installation_store = installation_store
         self.bot_only = bot_only
+        self.user_token_resolution = user_token_resolution
         self.cache_enabled = cache_enabled
         self.authorize_result_cache = {}
         self.find_installation_available = hasattr(installation_store, "find_installation")
@@ -152,6 +167,10 @@ def __call__(
         enterprise_id: Optional[str],
         team_id: Optional[str],  # can be None for org-wide installed apps
         user_id: Optional[str],
+        # actor_* can be used only when user_token_resolution: "actor" is set
+        actor_enterprise_id: Optional[str] = None,
+        actor_team_id: Optional[str] = None,
+        actor_user_id: Optional[str] = None,
     ) -> Optional[AuthorizeResult]:
 
         bot_token: Optional[str] = None
@@ -194,16 +213,32 @@ def __call__(
 
                         # try to fetch the request user's installation
                         # to reflect the user's access token if exists
-                        this_user_installation = self.installation_store.find_installation(
-                            enterprise_id=enterprise_id,
-                            team_id=team_id,
-                            user_id=user_id,
-                            is_enterprise_install=context.is_enterprise_install,
-                        )
+                        if self.user_token_resolution == "actor":
+                            if actor_enterprise_id is not None or actor_team_id is not None:
+                                # Note that actor_team_id can be absent for app_mention events
+                                this_user_installation = self.installation_store.find_installation(
+                                    enterprise_id=actor_enterprise_id,
+                                    team_id=actor_team_id,
+                                    user_id=actor_user_id,
+                                    is_enterprise_install=None,
+                                )
+                        else:
+                            this_user_installation = self.installation_store.find_installation(
+                                enterprise_id=enterprise_id,
+                                team_id=team_id,
+                                user_id=user_id,
+                                is_enterprise_install=context.is_enterprise_install,
+                            )
                         if this_user_installation is not None:
                             user_token = this_user_installation.user_token
                             user_scopes = this_user_installation.user_scopes
-                            if latest_bot_installation.bot_token is None:
+                            if (
+                                latest_bot_installation.bot_token is None
+                                # enterprise_id/team_id can be different for Slack Connect channel events
+                                # when enabling user_token_resolution: "actor"
+                                and latest_bot_installation.enterprise_id == this_user_installation.enterprise_id
+                                and latest_bot_installation.team_id == this_user_installation.team_id
+                            ):
                                 # If latest_installation has a bot token, we never overwrite the value
                                 bot_token = this_user_installation.bot_token
                                 bot_scopes = this_user_installation.bot_scopes
@@ -213,7 +248,13 @@ def __call__(
                             if refreshed is not None:
                                 user_token = refreshed.user_token
                                 user_scopes = refreshed.user_scopes
-                                if latest_bot_installation.bot_token is None:
+                                if (
+                                    latest_bot_installation.bot_token is None
+                                    # enterprise_id/team_id can be different for Slack Connect channel events
+                                    # when enabling user_token_resolution: "actor"
+                                    and latest_bot_installation.enterprise_id == this_user_installation.enterprise_id
+                                    and latest_bot_installation.team_id == this_user_installation.team_id
+                                ):
                                     # If latest_installation has a bot token, we never overwrite the value
                                     bot_token = refreshed.bot_token
                                     bot_scopes = refreshed.bot_scopes

slack_bolt/context/base_context.py

@@ -17,6 +17,9 @@ class BaseContext(dict):
         "is_enterprise_install",
         "team_id",
         "user_id",
+        "actor_enterprise_id",
+        "actor_team_id",
+        "actor_user_id",
         "channel_id",
         "response_url",
         "matches",
@@ -61,6 +64,30 @@ def user_id(self) -> Optional[str]:
         """The user ID associated ith this request."""
         return self.get("user_id")
 
+    @property
+    def actor_enterprise_id(self) -> Optional[str]:
+        """The action's actor's Enterprise Grid organization ID.
+        Note that this property is especially useful for handling events in Slack Connect channels.
+        That being said, it's not guaranteed to have a valid ID for all events due to server-side inconsistency.
+        """
+        return self.get("actor_enterprise_id")
+
+    @property
+    def actor_team_id(self) -> Optional[str]:
+        """The action's actor's workspace ID.
+        Note that this property is especially useful for handling events in Slack Connect channels.
+        That being said, it's not guaranteed to have a valid ID for all events due to server-side inconsistency.
+        """
+        return self.get("actor_team_id")
+
+    @property
+    def actor_user_id(self) -> Optional[str]:
+        """The action's actor's user ID.
+        Note that this property is especially useful for handling events in Slack Connect channels.
+        That being said, it's not guaranteed to have a valid ID for all events due to server-side inconsistency.
+        """
+        return self.get("actor_user_id")
+
     @property
     def channel_id(self) -> Optional[str]:
         """The conversation ID associated with this request."""

slack_bolt/middleware/authorization/async_multi_teams_authorization.py

@@ -14,16 +14,24 @@
 
 class AsyncMultiTeamsAuthorization(AsyncAuthorization):
     authorize: AsyncAuthorize
+    user_token_resolution: str
 
-    def __init__(self, authorize: AsyncAuthorize, base_logger: Optional[Logger] = None):
+    def __init__(
+        self,
+        authorize: AsyncAuthorize,
+        base_logger: Optional[Logger] = None,
+        user_token_resolution: str = "authed_user",
+    ):
         """Multi-workspace authorization.
 
         Args:
             authorize: The function to authorize incoming requests from Slack.
             base_logger: The base logger
+            user_token_resolution: "authed_user" or "actor"
         """
         self.authorize = authorize
         self.logger = get_bolt_logger(AsyncMultiTeamsAuthorization, base_logger=base_logger)
+        self.user_token_resolution = user_token_resolution
 
     async def async_process(
         self,
@@ -49,12 +57,24 @@ async def async_process(
             return await next()
 
         try:
-            auth_result: Optional[AuthorizeResult] = await self.authorize(
-                context=req.context,
-                enterprise_id=req.context.enterprise_id,
-                team_id=req.context.team_id,
-                user_id=req.context.user_id,
-            )
+            auth_result: Optional[AuthorizeResult] = None
+            if self.user_token_resolution == "actor":
+                auth_result = await self.authorize(
+                    context=req.context,
+                    enterprise_id=req.context.enterprise_id,
+                    team_id=req.context.team_id,
+                    user_id=req.context.user_id,
+                    actor_enterprise_id=req.context.actor_enterprise_id,
+                    actor_team_id=req.context.actor_team_id,
+                    actor_user_id=req.context.actor_user_id,
+                )
+            else:
+                auth_result = await self.authorize(
+                    context=req.context,
+                    enterprise_id=req.context.enterprise_id,
+                    team_id=req.context.team_id,
+                    user_id=req.context.user_id,
+                )
             if auth_result:
                 req.context.set_authorize_result(auth_result)
                 token = auth_result.bot_token or auth_result.user_token