fix(slack): stop requesting unapproved OAuth scopes that break connect#5631
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryLow Risk Overview The Slack service scope list in Trade-off: Features that depended on those scopes (e.g. assistant thread APIs, app mentions, DM history reads, pins) will not work until users reconnect with those scopes after approval—not changed elsewhere in this diff. Reviewed by Cursor Bugbot for commit c7cc303. Bugbot is set up for automated code reviews on this repo. Configure here. |
Greptile SummaryThis PR narrows the Slack OAuth scope request so the official app can connect again. The main changes are:
Confidence Score: 4/5New Slack connections can still reach operations that require scopes no longer granted by OAuth.
apps/sim/lib/oauth/oauth.ts Important Files Changed
Reviews (1): Last reviewed commit: "fix(slack): stop requesting unapproved O..." | Re-trigger Greptile |
| // TODO: Re-add once Slack app review approves these. Requesting a scope | ||
| // the app is not yet approved for makes Slack reject the entire | ||
| // authorization with "unapproved permissions requested", breaking connect. | ||
| // 'assistant:write', |
There was a problem hiding this comment.
Assistant Tokens Lose Required Scope
When a user connects Slack after this change, the issued token no longer includes assistant:write, but the Slack block still exposes set_status, set_title, and set_suggested_prompts. Those operations call Slack assistant.threads.* APIs, so newly connected workflows can pass OAuth and then fail at runtime with missing_scope.
There was a problem hiding this comment.
This is correct, our native slack app doesn't have permissions.
| // authorization with "unapproved permissions requested", breaking connect. | ||
| // 'assistant:write', | ||
| // 'app_mentions:read', | ||
| // 'im:history', |
There was a problem hiding this comment.
New Slack connections no longer request im:history, while the Slack history and thread tools still accept DM channel IDs and call conversations.history or conversations.replies. Workflows that read DM history or DM thread replies can now connect successfully but fail during execution with Slack's missing_scope response.
There was a problem hiding this comment.
This is correct, our current oauth app does not have permissions.
Summary
Unapproved permissions requested: assistant:write, app_mentions:read, im:history, pins:read. Slack rejects the entire authorization when it requests a scope the app isn't yet approved for.users:read.emailTODO). Core scopes —chat:write,im:write, channel/group ops, files, reactions, canvases — stay, so connect + send-message/DM work again. The four gated scopes get re-added once Slack app review approves them.Type of Change
Testing
Tested manually; biome clean. Data-only change to the requested OAuth scope list.
Checklist