Root causes for getting `access_denied` with no error description in the installation oauth2 flow

[glena]

We are beta testing a new slack app. We are using the slack_bolt adapter

    handler = AsyncSlackRequestHandler(slack_app)

    @app.get("/slack/install")
    async def install(req: Request):
        return await handler.handle(req)

    @app.get("/slack/oauth_redirect")
    async def oauth_redirect(req: Request):
        return await handler.handle(req)

A customer reported the installation failed without any helpful error message and checking our logs we only received an error=access_denied error without a message.

GET /slack/oauth_redirect?error=access_denied&state=545a0fef-8c27-4ec3-a4e5-dd2b2e2bab5b

What could be the root cause of this, would be possible to enrich these errors with some detail to make them actionable?

I tried cancelling an installation an in that case I do receive a proper description /slack/oauth_redirect?error=access_denied&state=a916a09d-f978-4140-bef3-477fd6b39f08&error_description=The+user+has+denied+access+to+the+scope%28s%29+requested+by+the+client+application.

I am assuming the user didnt have appropriate permissions to install the app in their workspace but I am waiting for their confirmation

Reproducible in:

pip freeze | grep slack
python --version
sw_vers && uname -v # or `ver`

The slack_bolt version

slack_bolt-1.27.0

Python runtime version

Python 3.13.9

[srtaalej]

hi there @glena 👋 thank you for the detailed report!

after doing some investigating, it looks like this isn't a bug in bolt-python — the error=access_denied comes directly from Slack's OAuth authorization server. bolt picks it up in handle_callback() and passes it through to the failure handler as-is.

when Slack sends access_denied without an error_description, it typically means the user didn't have the necessary workspace permissions to approve the app installation (e.g., the workspace has app approval restrictions and the user isn't an admin). when the user explicitly cancels the OAuth flow, Slack includes the error_description you saw ("The user has denied access to the scope(s)...").

can you have the customer confirm with their workspace admin whether:

• the workspace requires admin approval for app installations
• the user attempting installation has the necessary permissions

[glena]

Would be possible to escalate to the backend team to provide some contextual information in the cases a description is not available? It is hard to provide the right feedback to the user otherwise.

I asked already that (I suspected it might be the case) but they didnt came back to me yet

[glena]

The customer confirmed it was caused by lack of permissions. They retried and got a proper error message so I suspect it was either a temporary regression or that the team fixed it.

Thank you