feat: Add OAuth 2.0 multi-user support #124
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add OAuth 2.0 authentication flow for multi-user support with the following features: Core OAuth Implementation: - OAuth 2.0 authorization flow with Slack API - CSRF protection via state parameter validation - In-memory token storage with automatic cleanup - Per-request Slack client creation for token isolation - Support for both user tokens (xoxp) and bot tokens (xoxb) Dual-Mode Architecture: - Legacy mode: Single-user with browser tokens (xoxc/xoxd/xoxp) - OAuth mode: Multi-user with OAuth tokens - Backward compatible with existing configurations OAuth Handlers: - /oauth/authorize endpoint for initiating OAuth flow - /oauth/callback endpoint for processing OAuth callbacks - OAuth middleware for token validation and user context injection Multi-User Features: - Per-user token isolation and validation - User context propagation through request chain - Separate user and bot token support - Option to post as bot or user via post_as_bot parameter Security Enhancements: - Secure state generation using crypto/rand - Token validation on each request - HTTPS requirement for OAuth callbacks (Slack requirement) - Security headers on OAuth endpoints - Credentials removed from example files Documentation: - Comprehensive OAuth setup guide (docs/04-oauth-setup.md) - ngrok setup instructions for local development - OAuth configuration examples - Architecture and troubleshooting sections Developer Tools: - OAuth testing script (scripts/test-oauth.sh) - OAuth server startup script (start-oauth-server.sh) - Example configuration file (oauth.env.example) Modified Components: - main.go: Added OAuth mode detection and initialization - channels.go: OAuth support with per-request client - conversations.go: OAuth support with user/bot token selection - server.go: OAuth-enabled SSE and HTTP server methods - sse_auth.go: Exported WithAuthKey for OAuth middleware - .gitignore: Added oauth.env and binary exclusions New Components: - pkg/oauth/: OAuth manager, storage, and types - pkg/server/auth/: OAuth middleware and user context - pkg/server/oauth_handler.go: OAuth HTTP handlers Breaking Changes: None (fully backward compatible) Environment Variables: - SLACK_MCP_OAUTH_ENABLED: Enable OAuth mode - SLACK_MCP_OAUTH_CLIENT_ID: Slack app client ID - SLACK_MCP_OAUTH_CLIENT_SECRET: Slack app client secret - SLACK_MCP_OAUTH_REDIRECT_URI: OAuth callback URL (requires HTTPS)
Skip TestIntegrationConversations as it requires: - External Slack workspace with #testcase-1 channel and test data - SLACK_MCP_OPENAI_API environment variable - ngrok forwarding setup This test is from the upstream repo and requires infrastructure not available in CI. Test can be re-enabled when proper test infrastructure is set up.
Remove ability to post as bot for security and clarity: - Removed post_as_bot parameter from conversations handler - Removed bot scopes from OAuth authorization request - Simplified OAuth callback response (no bot token) - Updated documentation to reflect user-only posting Users will now always appear as themselves when posting messages, never as the app bot. This provides better transparency and prevents impersonation concerns.
|
Thanks for working on this. Curious if the maintainers plan in pushing this forwards? Thanks. |
Owner
|
I'd be happy to prioritize this if someone could pick this up |
Add comprehensive OAuth quick-start section to README: - Step-by-step OAuth setup instructions - Comparison with legacy mode (when to use each) - OAuth environment variables added to reference table - Clear benefits and use cases for OAuth vs legacy - MCP client configuration examples Makes it easier for users to understand and choose between OAuth mode (multi-user, production) and legacy mode (single-user, testing).
Merged latest changes from upstream korotovsky/slack-mcp-server: - Bot token (xoxb) support from upstream - Dependency updates and bug fixes - Tool annotations for better LLM understanding - Default cache directory improvements Conflicts resolved: - README.md: Merged OAuth variables with bot token support - Both OAuth and bot token authentication methods now documented Changes from upstream: - xoxb bot token support - Updated dependencies (slack-go v0.17.3) - Cache file location improvements - Various bug fixes and features
Author
|
@mrfelton @korotovsky this branch is in our internal fork. People have tested and deployed it so it should be working, I am fine if you guys want to merge and use it, but I am hesitant to be the maintainer in the public repo, so you guys need to take over it. |
Owner
|
Hi @wentaoyang-moloco, this is amazing work, thank you. Due to the size of the PR it must be carefully checked, there might be a couple of more comments what we must improve to make it part of this repo. I'll get back later during the weekend since I'm quite busy with #150 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add OAuth 2.0 authentication flow for multi-user support with the following features:
Core OAuth Implementation:
Dual-Mode Architecture:
OAuth Handlers:
Multi-User Features:
Security Enhancements:
Documentation:
Developer Tools:
Modified Components:
New Components:
Breaking Changes: None (fully backward compatible)
Environment Variables: