missing scope rtm:stream

[sjaakiejj]

I've built a simple slack view inside another application, with the following authentication flow:

1. User logs into the app via Slack's OAuth protocol
2. The OAuth information is received by the server, and used to generate a user token via the client id and secret protocol
3. The token is then sent back to the front-end and used to perform Slack API calls.

This works fine for everything, with the exception of the RTM Websocket protocol. When I perform an api call to rtm.start, I get the following error:
{
error: "missing_scope",
needed: "rtm:stream",
ok: false,
provided: "identify,channels:history,im:history,channels:read,im:read,users:read,chat:write:user,chat:write:bot,im:write"
}

Adding rtm:stream to the scope however results in an error upon login: "unrecognized scope: rtm:stream". I'm not sure how to proceed, and it seems odd to receive an error that indicates a scope is needed that does not exist.

[mccreath]

Hi! We're not able to provide support here. We keep this repository up as a reference.

Would you mind opening a help ticket through either at http://my.slack.com/help/requests/new or at feedback@slack.com?

Thanks very much.

[ernesto-jimenez]

@sjaakiejj

There's two scopes you can use for the rtm API:

• client will allow you to connect as the user and it's aimed at creating Slack clients.
• bot will allow you to get a bot access token which can be used to connect as the bot.

You are not using any of those two scopes, so you don't have access to the RTM API.

[lime-green]

@ernesto-jimenez Could the response message or rtm readme (https://api.slack.com/rtm) be modified to make this more obvious?

[ernesto-jimenez]

@lime-green I don't work at Slack, so you should ask them at feedback@slack.com ;)

[lime-green]

@ernesto-jimenez ah, my apologies, will do! :D

[Traintula]

@lime-green Did they ever get back to you? I have the same problem..

[ernesto-jimenez]

@Traintula if you are getting that error, your token is missing the client or bot scope :)

[Traintula]

@ernesto-jimenez
When I add the "bot" - I get this message:
"OAuth error: invalid_scope: Cannot request service scope (bot) with deprecated scopes"

scope='channels:read,channels:write,channels:history,chat:write:user,chat:write:bot,team:read,users:read,identify,bot,rtm:stream',

[ernesto-jimenez]

remove identify from the list of scopes, since it's an old special scope.

[ernesto-jimenez]

You've got info about OAuth scopes here: https://api.slack.com/docs/oauth-scopes

[Traintula]

@ernesto-jimenez
Removed the identify, still doesn't work - I think this is the reason:

Please note that certain scopes cannot be asked for in combination with each other. For instance, you cannot request both the bot scope and the client scope. When users arrive at an authorization page requesting invalid scope combinations, they'll see an ugly error stating something to this effect:

"OAuth error: invalid_scope: Cannot request service scope (bot) with deprecated scopes"``

[ernesto-jimenez]

@Traintula stick to the list of scopes in the main table on that page + bot, nothing else, and it should be fine :)

[Traintula]

@ernesto-jimenez I would gladly stick to the table, but I need to use "rtm.start" which worked great in the past until I added bot. Fine, I'll try to reach out to them, thanks for help.

[ernesto-jimenez]

@Traintula you can use the bot scope with the scopes in that table and be able to use rm.start.

If you want to use the client scope you must not use the scopes in that table, you can just use read, post, admin and/or identify.

[lime-green]

@Traintula ernesto is correct, bot scope should have access to "rtm.start" (you can see it has access to that method here: https://api.slack.com/bot-users#bot-methods). You should also be able to add all the methods in the table.

On a side note, I have contacted support about updating the API response and the docs to make this more clear. I don't think this has been done yet, however.

[Traintula]

This is my understanding:

1. The old ones: client,read,post,admin and identify.
2. The new ones: everything that's on that table, including bot.
   And they don't mix well in the same call.

@lime-green Using the bot scope will cause Slack to create and new bot and return an additional bot section in the response with the bot's token.
Using the bot's token, that I get in the response, I can indeed use "rtm.start", but using the user's token, the one that actually logged in, I can't call "rtm.start".

@ernesto-jimenez
I could not find a new scope from the table that will grant my user with access to perform rtm.start.

Anyway,
I worked around the issue using two different oauth calls - one for the user using the client scope and another one to create the bot. sort of annoying because it requires two different authorizations.

Thanks for all the help.

[Traintula]

Extra validation - just got this message when I tried to upgrade the existing user tokens from the "My Apps" screen in Slack:

Oops, sorry!
Looks like your app uses the rtm.start method. We don’t have a new OAuth scope for that yet, and we recommend that you not migrate your app until we do. We’ll let you know when that’s available. If you have any questions, please let us know. Sorry for the interruption!

[Matthew-Jannace-Bose]

I am trying to build a slack user client use rtm. Has this issue been resolved by Slack or is it still an issue as I am running into the missing scope issue?

[ernesto-jimenez]

@Matthew-Jannace there's no issue, you just need to use the old scopes (client, read and post) instead of the new granular ones :)

[Traintula]

@Matthew-Jannace This problem we were talking about only occurs when you mix the old and new scopes in the same oauth call.
@ernesto-jimenez's advice is the way to go. Use the old scopes for rtm.

[JSpiner]

Hi there.
I met same problem and I fixed it.

I requested to slack oauth api like this
https://slack.com/oauth/authorize?client_id=&scope=commands+client

but client scope is deprecated.... and can't use it with commands scope.

So, I changed my scope like this

https://slack.com/oauth/authorize?client_id=&scope=commands+bot

when you auth slack's OAuth API, it return not only access_token but also bot_access_token.

You can access RTM API using bot_access_token and you can access WEB API using access_token.

[xanscale]

in by case only works if i use legacy token

[blaskovicz]

If anyone else runs into this issue, I wrote some docs on generating an access_tokens with the correct scope. In short, bypass the Slack UI for app creation and request special scopes via https://slack.com/oauth/authorize, specifically client (I needed admin as well).

Hope this helps someone!

[dove-young]

I've using StackStorm-slack https://github.com/StackStorm-Exchange/stackstorm-slack which using rtm-connect to talk to Slack. I met the same problem that missing scope rtm:stream for my bot user token.

I created a classic app, and I gave it bot scope. But when I connect my bot to slack, I got error message like this.

2020-08-05 13:47:35,239 140429561265648 DEBUG connectionpool [-] https://slack.com:443 "POST /api/rtm.start HTTP/1.1" 200 156
2020-08-05 13:47:35,242 140429561265648 ERROR server [-] {'ok': False, 'error': 'missing_scope', 'needed': 'rtm:stream', 'provided': 'identify,bot,incoming-webhook,channels:history,im:history,mpim:history,channels:read,im:read,mpim:read,channels:write,chat:write:user,chat:write:bot,im:write,mpim:write,links:write'}

I went back to check my OAuth Tokens & Redirect URLs page, under bot scope there is a note says

This scope is deprecated. Please update scopes to use granular permissions.

I click into the update scopes link, and there is no any scope like rtm:stream over there.

[dove-young]

Cool! I figured out. I should using bot user token instead of OAuth access token here. And these is working only if I am using a classic app here.

If it is a new app, then using bot user token would fail at token type mistaken error.