Node-slack-sdk: oauth_authorization_url_mismatch on oauth.v2.access when url includes team parameter

Created on 15 May 2020 · 9 Comments · Source: slackapi/node-slack-sdk

Description

Describe your issue here.

`https://slack.com/oauth/v2/authorize?user_scope=${userScopes}&client_id=${clientId}&redirect_uri=${redirectURI}&team=${workspaceId}&state=${state}`

as documented here: https://api.slack.com/docs/sign-in-with-slack#button_setup
will instantly redirect me to my given redirect_uri (without any further user interaction), with a code and no error in the query parameters
when then calling

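```javascript
const { WebClient } = require('@slack/web-api');

// Runs inside an async request handler; `code` is the value Slack
// appended to the redirect_uri callback.
await new WebClient().oauth.v2.access({
  client_id: process.env.SLACK_CLIENT_ID,
  client_secret: process.env.SLACK_CLIENT_SECRET,
  code,
  redirect_uri: `${process.env.API_URL}/sign-in-with-slack`,
})
```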

it will throw the 'oauth_authorization_url_mismatch' error, which by documentation (https://api.slack.com/methods/oauth.v2.access) should only occur when not using the v2 of the oauth flow

but when i omit the team parameter and build the url like this

`https://slack.com/oauth/v2/authorize?user_scope=${userScopes}&client_id=${clientId}&redirect_uri=${redirectURI}&state=${state}`

the flow works just like expected: i am asked to allow the requested permissions, then redirected to my redirect_uri and the sdk oauth.v2.access call returns a valid response

What type of issue is this? (place an x in one of the [ ])

  • [x] bug
  • [ ] enhancement (feature request)
  • [ ] question
  • [x] documentation related
  • [ ] testing related
  • [ ] discussion

Requirements (place an x in each of the [ ])

  • [x] I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • [x] I've read and agree to the Code of Conduct.
  • [x] I've searched for any related issues and avoided creating a duplicate issue.

Bug Report

Filling out the following details about bugs will help us solve your issue sooner.

Packages:

Select all that apply:

  • [x] @slack/web-api
  • [ ] @slack/events-api
  • [ ] @slack/interactive-messages
  • [ ] @slack/rtm-api
  • [ ] @slack/webhooks
  • [ ] @slack/oauth
  • [ ] I don't know

Reproducible in:

package version: 5.8.1

node version: 12.16.3

OS version(s): Windows 10/0/18363/0

Steps to reproduce:

  1. include team parameter in your oauth authorize initializer url
  2. get redirected to your redirect_uri
  3. try to call the oauth.v2.access function on the web client

Expected result:

a successful oauth.v2.access call and a valid oauth signin result

Actual result:

oauth_authorization_url_mismatch error

Attachments:

Logs, screenshots, screencast, sample project, funny gif, etc.

question

All 9 comments

Hey @oakgary,

I believe if you add team to your original add to slack url, you must also pass it when calling oauth.v2.access.

```javascript
await new WebClient().oauth.v2.access({
  client_id: process.env.SLACK_CLIENT_ID,
  client_secret: process.env.SLACK_CLIENT_SECRET,
  code,
  redirect_uri: `${process.env.API_URL}/sign-in-with-slack`,
  team: `TEAM_YOU_ORIGINALLY_PASSED`
})
```

Let me know if that fixes this problem for you.

P.S. Have you seen that we released a new node OAuth library to make this stuff much simpler? Would love for you to check it out and share any feedback if you have some time! https://slack.dev/node-slack-sdk/oauth

> I believe if you add team to your original add to slack url, you must also pass it when calling oauth.v2.access.

That does not seem to be the case. At least it is not fixing the error.
It is also not documented like that here: https://api.slack.com/methods/oauth.v2.access or here: https://github.com/slackapi/node-slack-sdk/blob/master/packages/web-api/src/methods.ts#L690

'oauth_authorization_url_mismatch' seems to be a catch all for uncaught errors in slacks oauth backend code

the following could be unrelated to the issue described above

using a non app admin workspace in my normal browser where i am also logged into the apps admin workspace and opening the sign in url:

  • if app is public/distributed then everything works as expected
  • if app is not public/distributed then the 'oauth_authorization_url_mismatch' error is thrown when calling the v2.access method; you would expect the 'invalid_team_for_non_distributed_app' error to be either shown in the frontend or thrown in the backend

note: using the team parameter, the v2.access() method is still, after making the app public, throwing the 'oauth_authorization_url_mismatch' error

Thanks for the detailed summary @oakgary!

I'm going to attempt to reproduce this and chat with the team that manages the apis about it. I'll report back

when using v1 of the auth APIs, the team param worked as expected. when i switched to v2, i started seeing the same issue.

and it doesn't look like team is a valid/expected param for oauth.v2.access.

i contacted slack support and they said that this is a known issue on their end that is being worked on. so not an issue with the implementation of this package

from slack support:

Hi there,

This is something our team is aware of and is currently investigating. I'd recommend omitting the team parameter for now, but I've linked this ticket to our bug tracker and I'll let you know once we have more info.

Kindly,

Did you ever get a resolution on this? I am seeing a really similar issue.

I am using the webclient, and basically everything works fine for me with the auth except for one case. If the user switches the team in the top right corner on the slack hosted auth page, then the authorization fails with this same error oauth_authorization_url_mismatch. I don't have any way to prevent that so I'm not sure what to do.

Has nobody run into this? Are there any examples of working slack apps using v2 auth that let you switch the team using the team selector and still log in successfully?

@gshenar i switched my focus away from this as there hasn't been a fix in weeks
feel free to report your specific case here https://slack.com/help/requests/new
this will hopefully increase slacks prio on this

i did success auth with private workspace: just added team_id

```javascript
async actionGetUserBySlackCode({ code }) {
    const { client_id, client_secret } = this.config.slack

    const team_id = "T<YOUR_TEAM_ID>"

    const url = `https://slack.com/api/oauth.v2.access?client_id=${client_id}&client_secret=${client_secret}&code=${code}&team_id=${team_id}`

    const resp = await httpRequest.get(url)

    return JSON.parse(resp.text)
}
```
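
Added example, not part of the thread and not code from node-slack-sdk: the authorize URL and the callback handling discussed above, with every query value percent-encoded, `team` optional, the `state` value checked before the code is exchanged, and the client secret kept out of any URL. The helper names, `sessionId` and `stateKey` are assumptions of this sketch.

```javascript
const crypto = require('crypto');

// HMAC-bind the state to the browser session so the callback can verify it.
// sessionId and stateKey are assumptions of this example.
function macFor(sessionId, nonce, stateKey) {
  return crypto.createHmac('sha256', stateKey).update(`${sessionId}.${nonce}`).digest();
}

function makeState(sessionId, stateKey) {
  const nonce = crypto.randomBytes(16).toString('hex');
  return `${nonce}.${macFor(sessionId, nonce, stateKey).toString('hex')}`;
}

function verifyState(state, sessionId, stateKey) {
  const [nonce, mac] = String(state).split('.');
  if (!nonce || !mac) return false;
  const expected = macFor(sessionId, nonce, stateKey);
  const given = Buffer.from(mac, 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// URLSearchParams percent-encodes every value; `team` is added only when given.
function buildAuthorizeUrl({ clientId, userScopes, redirectUri, state, team }) {
  const params = new URLSearchParams({
    user_scope: userScopes, client_id: clientId, redirect_uri: redirectUri, state,
  });
  if (team) params.set('team', team);
  return `https://slack.com/oauth/v2/authorize?${params}`;
}

// Validate the callback query, then return the arguments for oauth.v2.access.
// redirect_uri is the same value that was sent to the authorize step.
function buildAccessArgs(query, cfg) {
  if (query.error) throw new Error(`authorization failed: ${query.error}`);
  if (!verifyState(query.state, cfg.sessionId, cfg.stateKey)) throw new Error('state mismatch');
  if (!query.code) throw new Error('missing code');
  return {
    client_id: cfg.clientId, client_secret: cfg.clientSecret,
    code: query.code, redirect_uri: cfg.redirectUri,
  };
}
```

The object returned by `buildAccessArgs` is what gets passed to `new WebClient().oauth.v2.access(...)`; it does not work around the `oauth_authorization_url_mismatch` behaviour reported in this thread.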