
Token rotation in Bolt - What needs to be done? #1395

Closed
4 of 10 tasks
RomainCscn opened this issue Mar 28, 2022 · 8 comments
Labels
question M-T: User needs support to use the project

Comments

@RomainCscn

Description

Hello! For now, I'm using @slack/oauth to handle my OAuth installation (because the callback to persist data is unavailable in Bolt, see #1211).

I'm planning to migrate my installation workflow over to @slack/bolt soon (as soon as v3.11 is released) and will take the opportunity to use token rotation.

In the documentation, it is said that:

Bolt for JavaScript supports and will handle token rotation automatically so long as the built-in OAuth functionality is used.

Does this mean that there is nothing to be done to handle token rotation? If I use OAuth with bolt with the various methods (storeInstallation, fetchInstallation), the token will be updated automatically?

Does this use events? I think I'm missing something here.

Furthermore, I can't find any documentation on token rotation for @slack/oauth, is it not handled by this package?

Thanks in advance!

What type of issue is this? (place an x in one of the [ ])

  • bug
  • enhancement (feature request)
  • question
  • documentation related
  • example code related
  • testing related
  • discussion

Requirements (place an x in each of the [ ])

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.
@seratch seratch added the question M-T: User needs support to use the project label Mar 28, 2022
@seratch
Member

seratch commented Mar 28, 2022

Hi @RomainCscn, thanks for asking the question!

Does this mean that there is nothing to be done to handle token rotation? If I use OAuth with bolt with the various methods (storeInstallation, fetchInstallation), the token will be updated automatically?

Yes, for rotating the tokens when handling requests from the Slack API server. When your app receives a request from Slack and the associated tokens in the database are expiring or already expired, bolt-js (and its underlying InstallProvider) automatically refreshes the tokens under the hood.

Furthermore, I can't find any documentation on token rotation for @slack/oauth, is it not handled by this package?

Indeed, the documentation should have some information on it, but checking the code won't take much time. Here are the lines of code that actually do the rotation for you:
https://github.com/slackapi/node-slack-sdk/blob/%40slack/oauth%402.5.0/packages/oauth/src/install-provider.ts#L211-L274 This authorize method is executed every time your bolt-js app receives an incoming request from Slack.

In addition to migrating your app code to bolt-js, you may need to migrate the existing tokens in your database (if any). Specifically, the existing tokens without corresponding refresh tokens need to be converted by calling the oauth.v2.exchange API method. Refer to https://api.slack.com/authentication/rotation#migration for more details. Also, this data migration needs to be done offline (=running a migration script outside the bolt-js web app) as early as possible once you enable token rotation for the existing app.

Is everything clear now?

@RomainCscn
Author

Thanks for your reply @seratch. Crystal clear now! 👍

I'm just wondering, in my case, how this would be handled:

  • I have a project where I store installations (and link them to internal data) and where the tokens are encrypted,
    • This project uses @slack/oauth to handle the OAuth workflow and @slack/bolt to receive events from Slack (like app_uninstalled)
  • I have another project (responsible for sending messages to various platforms), and I retrieve tokens from the first project in order to send the message (using @slack/bolt to call the app.client.chat.postMessage method)

If I enable token rotation, as I'm using the token in a project different from the one where installations are stored, how could what you describe above work?

@seratch
Member

seratch commented Mar 28, 2022

using @slack/bolt to call the app.client.chat.postMessage method

If the chat.postMessage call is not performed in response to a Slack event (probably, yes), your app needs to do the rotation (=calling authorize function) on its own to safely retrieve a valid token.

Here is a simple example code:

const { InstallProvider } = require('@slack/oauth');
// Use the same clientId/clientSecret (and installationStore, if you have one)
// as your bolt-js app so that both sides read and write the same records.
const installer = new InstallProvider({
  clientId: process.env.SLACK_CLIENT_ID,
  clientSecret: process.env.SLACK_CLIENT_SECRET,
  stateSecret: 'my-state-secret' // this does not matter for this use case, though
});

// Call this right before using the token: authorize() looks up the installation,
// refreshes the token if it is expiring or expired, and returns a valid one.
async function rotateTokenBeforeUsing(query) {
  return await installer.authorize({
    enterpriseId: query.enterpriseId,
    teamId: query.teamId,
    // if you have user tokens, this can be done too
    // userId: query.userId,
  });
}

See also:

I hope this helps.
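As an added example (not code from this thread or from @slack/oauth), here is the "rotate before use" decision that the reply above describes, covering both the refresh case and the legacy-token migration case from the earlier reply. The installation shape (bot.token, bot.refreshToken, bot.expiresAt in unix seconds) is assumed to match what @slack/oauth stores; the two-hour margin, the callback shapes and the fake store/API are constructed for this example so it runs offline.

```javascript
// Added example, not from the thread or the Slack SDK. The real Slack calls
// (oauth.v2.access with grant_type=refresh_token, and oauth.v2.exchange for
// tokens that pre-date rotation) are injected as callbacks so this runs offline.
const REFRESH_MARGIN_SEC = 2 * 60 * 60; // assumed: rotate when under 2h remain

// Classify a stored installation: 'ok', 'refresh' (near or past expiry), or
// 'exchange' (a long-lived token with no refresh token, i.e. the migration case).
function rotationAction(installation, nowSec) {
  const bot = installation.bot;
  if (!bot.refreshToken || bot.expiresAt === undefined) return 'exchange';
  return bot.expiresAt - nowSec < REFRESH_MARGIN_SEC ? 'refresh' : 'ok';
}

// Return a usable bot token, rotating and persisting first when needed.
// store: { fetchInstallation(query), storeInstallation(installation) } (async)
// api:   { refresh(refreshToken), exchange(accessToken) } resolving to
//        { access_token, refresh_token, expires_in } like the Slack responses.
async function authorizeBeforeUse(query, store, api, nowSec = Math.floor(Date.now() / 1000)) {
  const installation = await store.fetchInstallation(query);
  const action = rotationAction(installation, nowSec);
  if (action === 'ok') return installation.bot.token;
  const resp = action === 'refresh'
    ? await api.refresh(installation.bot.refreshToken)
    : await api.exchange(installation.bot.token);
  const updated = {
    ...installation,
    bot: {
      ...installation.bot,
      token: resp.access_token,
      refreshToken: resp.refresh_token, // Slack issues a new refresh token each time
      expiresAt: nowSec + resp.expires_in,
    },
  };
  await store.storeInstallation(updated); // persist before handing out the new token
  return updated.bot.token;
}

// Constructed in-memory store and fake API for a stand-alone run (no network).
function makeFakeStore(record) {
  const db = { [record.team.id]: record };
  return {
    fetchInstallation: async (q) => db[q.teamId],
    storeInstallation: async (inst) => { db[inst.team.id] = inst; },
    dump: () => db,
  };
}
const fakeApi = {
  refresh: async (rt) => ({ access_token: 'xoxe.xoxb-new', refresh_token: `${rt}-next`, expires_in: 43200 }),
  exchange: async () => ({ access_token: 'xoxe.xoxb-migrated', refresh_token: 'xoxe-1-first', expires_in: 43200 }),
};
```

In the second project, call authorizeBeforeUse (or the real installer.authorize) immediately before chat.postMessage rather than caching the token across a long-running job, because the refresh token in the store changes on every rotation.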

@RomainCscn
Author

Ok I understand. That's exactly what I needed: I can either schedule a cron job to do that or just call authorize before using the token 👌

Thanks a lot @seratch.

Last question, is this possible with @slack/bolt? Once I migrate my installation workflow from @slack/oauth to @slack/bolt, I'm wondering how I could use this.

@seratch
Member

seratch commented Mar 28, 2022

@RomainCscn Yes, it is. @slack/bolt internally relies on @slack/oauth. If you would like to directly use @slack/oauth outside your bolt-js app, there is nothing that prevents you from doing so.

@RomainCscn
Author

RomainCscn commented Mar 28, 2022

@RomainCscn Yes, it is. @slack/bolt internally relies on @slack/oauth. If you would like to directly use @slack/oauth outside your bolt-js app, there is nothing that prevents you from doing so.

Does @slack/bolt expose an authorize method like the installer that I could use directly?

@seratch
Member

seratch commented Mar 28, 2022

@RomainCscn Ah, no it doesn't. app.receiver.installer is a private property and we are not planning to change this at least in the short term. I would suggest manually instantiating InstallProvider with the same settings for the usage outside bolt-js app.

@RomainCscn
Author

Ok, thanks again @seratch.
