
Add Support for Token Rotation #1287

Merged
misscoded merged 11 commits into main from feat-token-rotation
Jul 15, 2021

Conversation

@misscoded
Contributor

Fixes #1241

Developers will soon have the ability to opt their apps into advanced token security via token rotation. We should introduce logic to incorporate these new tokens, as well as refresh behavior.

HOW IT WORKS

On OAuth installation (the only installation flow allowed when token rotation is enabled), new access tokens are stored as they have been, but now include an accompanying refresh_token and expires_in. The refresh_token (does not expire) is used to "trade-in" for a new access_token and refresh_token pair.

For each token (bot|user), we use the expires_in value to calculate and store a corresponding future expiry timestamp (UTC, seconds).

Each time an event is received, authorize gets run. Here we determine if token rotation is enabled. If so, we check the expiry of the token(s) and refresh those that have expired or will expire within 2 hours. We then update the returned authResult and the Installation.

NOTABLE CHANGES

  1. AuthorizationResult has four new keys: botRefreshToken, botTokenExpiresAt, userRefreshToken, and userTokenExpiresAt. This was to handle apps that have both User and Bot tokens while still keeping the shape flat.

  2. Installation has four new keys: a refreshToken and expiresAt for both the user and bot objects.

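The authorize-time check the description above lays out, as an added example that is not the @slack/oauth implementation: it persists an absolute UTC expiry computed from expires_in, treats a token as rotating only when it carries both a refreshToken and an expiresAt, refreshes anything that has expired or will expire within two hours, and flattens the outcome into the four new AuthorizeResult keys. The TokenSet, RefreshFn and rotateIfNeeded names, the synchronous stand-in for the exchange call, and the sample installation with its placeholder token strings are all assumptions constructed for this example.

```typescript
// Added example, not @slack/oauth code. Names other than the AuthorizeResult
// and Installation keys named in the PR description are assumptions.

export interface TokenSet {
  token: string;
  refreshToken?: string; // present only when the app is opted into rotation
  expiresAt?: number;    // UTC seconds; absent for non-rotating tokens
}

export interface Installation {
  bot?: TokenSet | undefined;
  user?: TokenSet | undefined;
}

// Flat shape: bot and user fields side by side, as the PR describes.
export interface AuthorizeResult {
  botToken: string | undefined;
  botRefreshToken: string | undefined;
  botTokenExpiresAt: number | undefined;
  userToken: string | undefined;
  userRefreshToken: string | undefined;
  userTokenExpiresAt: number | undefined;
}

// Fields a successful exchange returns (field names as in the description).
export interface RefreshResponse {
  access_token: string;
  refresh_token: string;
  expires_in: number; // seconds until access_token expires
}

// Stand-in for the Web API call that trades a refresh token for a new pair.
// Synchronous so the example runs offline; the real call would be awaited.
export type RefreshFn = (refreshToken: string) => RefreshResponse;

// Refresh anything that has expired or will expire within two hours.
export const REFRESH_WINDOW_SECONDS = 2 * 60 * 60;

// expires_in is relative to the response; store an absolute timestamp instead.
export function expiresAtFrom(expiresIn: number, nowSeconds: number): number {
  return nowSeconds + expiresIn;
}

// A token is rotating only if it carries a refresh token and an expiry.
export function rotationEnabled(set: TokenSet | undefined): set is Required<TokenSet> {
  return set !== undefined && set.refreshToken !== undefined && set.expiresAt !== undefined;
}

// True when the token is already expired or expires within the window.
export function needsRefresh(set: TokenSet | undefined, nowSeconds: number): boolean {
  return rotationEnabled(set) && set.expiresAt <= nowSeconds + REFRESH_WINDOW_SECONDS;
}

// Returns the original token set untouched unless it needs refreshing.
export function rotateIfNeeded(
  set: TokenSet | undefined,
  nowSeconds: number,
  refresh: RefreshFn,
): TokenSet | undefined {
  if (!rotationEnabled(set) || !needsRefresh(set, nowSeconds)) return set;
  const res = refresh(set.refreshToken);
  return {
    token: res.access_token,
    refreshToken: res.refresh_token,
    expiresAt: expiresAtFrom(res.expires_in, nowSeconds),
  };
}

// Runs on every event: refresh what is due, then return both the flat
// AuthorizeResult and the Installation that should be written back to storage.
export function authorize(
  installation: Installation,
  nowSeconds: number,
  refresh: RefreshFn,
): { result: AuthorizeResult; installation: Installation } {
  const bot = rotateIfNeeded(installation.bot, nowSeconds, refresh);
  const user = rotateIfNeeded(installation.user, nowSeconds, refresh);
  const result: AuthorizeResult = {
    botToken: bot?.token,
    botRefreshToken: bot?.refreshToken,
    botTokenExpiresAt: bot?.expiresAt,
    userToken: user?.token,
    userRefreshToken: user?.refreshToken,
    userTokenExpiresAt: user?.expiresAt,
  };
  return { result, installation: { ...installation, bot, user } };
}

// Constructed sample: bot token expires in one hour (inside the window),
// user token in ten hours (outside it). Token strings are placeholders.
export const NOW = 1700000000;
export const SAMPLE_INSTALLATION: Installation = {
  bot: { token: 'bot-access-old', refreshToken: 'bot-refresh-old', expiresAt: NOW + 3600 },
  user: { token: 'user-access-old', refreshToken: 'user-refresh-old', expiresAt: NOW + 36000 },
};

// Drives authorize() with a fake exchange that records which refresh tokens it was handed.
export function runExample(): { result: AuthorizeResult; installation: Installation; refreshCalls: string[] } {
  const refreshCalls: string[] = [];
  const fakeRefresh: RefreshFn = (refreshToken) => {
    refreshCalls.push(refreshToken);
    return {
      access_token: `${refreshToken}-new-access`,
      refresh_token: `${refreshToken}-new-refresh`,
      expires_in: 43200,
    };
  };
  const out = authorize(SAMPLE_INSTALLATION, NOW, fakeRefresh);
  return { ...out, refreshCalls };
}
```

Only the bot token is exchanged in the sample run; the user token, still ten hours from expiry, passes through unchanged along with its refresh token, and a token set with no refreshToken (an app not opted into rotation) is never considered due.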

@misscoded added the labels enhancement (M-T: A feature request for new functionality), pkg:web-api (applies to `@slack/web-api`) and pkg:oauth (applies to `@slack/oauth`) on Jul 14, 2021
@misscoded added this to the oauth@2.2 milestone on Jul 14, 2021
@misscoded requested review from seratch and stevengill on July 14, 2021 18:55
@misscoded force-pushed the feat-token-rotation branch from 1bfb6e0 to d62d5ab on July 14, 2021 20:50
Contributor

@seratch left a comment

Apart from the type definition re-generation and using the new one for the oauth.v2.exchange API method, this pull request should be ready for merging.

access: bindApiCall<OAuthAccessArguments, OauthAccessResponse>(this, 'oauth.access'),
v2: {
access: bindApiCall<OAuthV2AccessArguments, OauthV2AccessResponse>(this, 'oauth.v2.access'),
exchange: bindApiCall<OAuthV2ExchangeArguments, OauthV2AccessResponse>(this, 'oauth.v2.exchange'),
Contributor

@misscoded Can you run ./scripts/generate-web-api-types.sh? The command generates the response type for this endpoint. Also, it adds a few missing fields in other types.

@misscoded merged commit 130da70 into main on Jul 15, 2021
@WilliamBergamin deleted the feat-token-rotation branch on May 20, 2025 19:07

Labels

enhancement (M-T: A feature request for new functionality), pkg:oauth (applies to `@slack/oauth`), pkg:web-api (applies to `@slack/web-api`)


Development

Successfully merging this pull request may close these issues: Add Support for Token Rotation
