1. 技术文章
  2. “Sign in with Slack” keeps prompting user for permission every time

“Sign in with Slack” keeps prompting user for permission every time

久未见 提交于 2019-12-12 11:25:15

问题


I'm doing the Slack integration for my website, including allowing users to log in using the "Sign in with Slack" button. Ideally I would expect it only asks users to grant the identity.* permissions once, then next times when they click "Sign in with Slack", the authorization screen should only flashes then redirect to the next step (like with Facebook for example), but it keeps showing the authorization screen and users have to click the "Continue" button to grant the permission again and again. This is inconvenient for our users. Is there any way to make it prompting only once like Facebook? FYI my app is not publicly distributed to App Directory yet, could it be the reason?


回答1:


No, it has nothing to do with being in the public App directory.

Slack Sign-in does not cache user logins like other OAuth providers doe, so if you want to avoid that users have to sign-in every time you have to cache user permissions in your app. e.g. by using cookies.

Here is how it works in principle:

  1. After a user signed in successfully, store the information about that successful login in the cookie for that client.
  2. When a client opens you web page again, check the cookie of that client for information about a successful login.
  3. When you find the information show the user belonging to that client as logged-in (instead of showing the Slack Sign-in button).
  4. Show an option for logged-in users to log out (optional)

What information you store about the user depends on what you application needs. If you just want proof about a successful login it should be enough to store the team_id and user_id. But you will also receive a new access_token for that user (not the same as the access_token for your app) as result from a successful login. (see below for a full example of what you receive from Slack)

Please keep in mind that cookies are stored locally on the client and can be viewed the user. So depending on your security needs it would be advisable not store any user related information (especially not the access_token) in the cookie directly. Instead store an ID that links to that data stored on the server by your app. (there are other approaches to this problem. but that is a different discussion)

Here is an example of what your receive from Slack after a successful login:

{
    "ok": true,
    "access_token": "XXXX",
    "scope": "identity.basic",
    "user": 
    {
        "id": "U12345678",
        "name": "Donald Dummy"
    }
    "team": 
    {
        "id": "T12345678"
    }
}


来源:https://stackoverflow.com/questions/46094760/sign-in-with-slack-keeps-prompting-user-for-permission-every-time

标签
single-sign-on
slack
slack-api
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!