Skip to content

fix(slack): stop requesting unapproved OAuth scopes that break connect#5631

Merged
TheodoreSpeaks merged 1 commit into
stagingfrom
fix/slack-oauth-unapproved-scopes
Jul 13, 2026
Merged

fix(slack): stop requesting unapproved OAuth scopes that break connect#5631
TheodoreSpeaks merged 1 commit into
stagingfrom
fix/slack-oauth-unapproved-scopes

Conversation

@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator

Summary

  • Connecting/reconnecting the sim bot (official Sim Slack app) fails with Unapproved permissions requested: assistant:write, app_mentions:read, im:history, pins:read. Slack rejects the entire authorization when it requests a scope the app isn't yet approved for.
  • feat(slack): reusable custom bot credentials, slack_v2 block (preview), redesigned trigger #5323 added those four scopes to the requested set, but the official Slack app hasn't been approved for them — so every native Slack connect regressed.
  • Commented them out (same pattern as the existing users:read.email TODO). Core scopes — chat:write, im:write, channel/group ops, files, reactions, canvases — stay, so connect + send-message/DM work again. The four gated scopes get re-added once Slack app review approves them.

Type of Change

  • Bug fix (regression)

Testing

Tested manually; biome clean. Data-only change to the requested OAuth scope list.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel Bot commented Jul 13, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jul 13, 2026 5:23pm

Request Review

@cursor

cursor Bot commented Jul 13, 2026

Copy link
Copy Markdown

PR Summary

Low Risk
Single config change to the Slack OAuth scope array; no auth logic changes, but temporarily reduces granted permissions for some Slack features until scopes are re-added.

Overview
Fixes a regression where native Slack OAuth connect/reconnect fails because Slack rejects the whole authorization when any requested scope is not yet approved on the official Sim app.

The Slack service scope list in oauth.ts removes four scopes from the active request set by commenting them out: assistant:write, app_mentions:read, im:history, and pins:read. Each is left with a TODO to re-enable after Slack app review, matching the existing pattern for users:read.email. Approved scopes stay unchanged (messaging, channels/groups, DMs, files, reactions, canvases), so connect and core Slack workflows work again.

Trade-off: Features that depended on those scopes (e.g. assistant thread APIs, app mentions, DM history reads, pins) will not work until users reconnect with those scopes after approval—not changed elsewhere in this diff.

Reviewed by Cursor Bugbot for commit c7cc303. Bugbot is set up for automated code reviews on this repo. Configure here.

@greptile-apps

greptile-apps Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR narrows the Slack OAuth scope request so the official app can connect again. The main changes are:

  • Commented out unapproved Slack assistant and event scopes.
  • Left the core chat, channel, file, canvas, and reaction scopes in place.
  • Added TODO comments for re-adding the gated scopes after Slack app review.

Confidence Score: 4/5

New Slack connections can still reach operations that require scopes no longer granted by OAuth.

  • OAuth connect should recover for the official Slack app.
  • Assistant Slack operations can fail after connect because new tokens lack assistant:write.
  • DM history and DM thread reads can fail after connect because new tokens lack im:history.

apps/sim/lib/oauth/oauth.ts

Important Files Changed

Filename Overview
apps/sim/lib/oauth/oauth.ts The Slack OAuth scope list now omits unapproved scopes, which restores connect but leaves some exposed Slack operations without the scopes they require on new tokens.

Reviews (1): Last reviewed commit: "fix(slack): stop requesting unapproved O..." | Re-trigger Greptile

// TODO: Re-add once Slack app review approves these. Requesting a scope
// the app is not yet approved for makes Slack reject the entire
// authorization with "unapproved permissions requested", breaking connect.
// 'assistant:write',

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Assistant Tokens Lose Required Scope

When a user connects Slack after this change, the issued token no longer includes assistant:write, but the Slack block still exposes set_status, set_title, and set_suggested_prompts. Those operations call Slack assistant.threads.* APIs, so newly connected workflows can pass OAuth and then fail at runtime with missing_scope.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is correct, our native slack app doesn't have permissions.

// authorization with "unapproved permissions requested", breaking connect.
// 'assistant:write',
// 'app_mentions:read',
// 'im:history',

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 DM History Tokens Lose Scope

New Slack connections no longer request im:history, while the Slack history and thread tools still accept DM channel IDs and call conversations.history or conversations.replies. Workflows that read DM history or DM thread replies can now connect successfully but fail during execution with Slack's missing_scope response.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is correct, our current oauth app does not have permissions.

@TheodoreSpeaks TheodoreSpeaks merged commit f9cc73f into staging Jul 13, 2026
18 checks passed
@TheodoreSpeaks TheodoreSpeaks deleted the fix/slack-oauth-unapproved-scopes branch July 13, 2026 17:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant