omniauth-slack2 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 676e8bca1d301129a743833094fc6104e3aa26717b14123463581085575a78bd
+  data.tar.gz: 9c19ea41a7fbefbd6883aee1c406b403963d4c530fc986fa7bb0c9c19916e241
+SHA512:
+  metadata.gz: b01b0d6b7ba3cf8f74907871dc02f22bf0cea234c5de6866ffbf0677dc24fcb54522e100b1bd32ee3aa45cd4b07773279cd44bfd16fbfbf6fe0e3cb8e9dff4e4
+  data.tar.gz: c8e1d88d45f41172b8deffacb0d771b9825b65b0f1d05d6ef726fd251f747a6dd1a8ce0c7e956f39f3d7fcff0fb149294f2edff96b386769a6e708475dddffcc

data/LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Claudio Poli
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,193 @@
+# OmniAuth Slack Strategy
+
+[![Test](https://github.com/icoretech/omniauth-slack2/actions/workflows/test.yml/badge.svg?branch=main)](https://github.com/icoretech/omniauth-slack2/actions/workflows/test.yml?query=branch%3Amain)
+[![Gem Version](https://badge.fury.io/rb/omniauth-slack2.svg)](https://badge.fury.io/rb/omniauth-slack2)
+
+`omniauth-slack2` provides a Slack OpenID Connect strategy for OmniAuth.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-slack2'
+```
+
+Then run:
+
+```bash
+bundle install
+```
+
+## Usage
+
+Configure OmniAuth in your Rack/Rails app:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :slack2,
+           ENV.fetch('SLACK_CLIENT_ID'),
+           ENV.fetch('SLACK_CLIENT_SECRET')
+end
+```
+
+Compatibility alias is available, so you can keep existing callback paths using `slack`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :slack,
+           ENV.fetch('SLACK_CLIENT_ID'),
+           ENV.fetch('SLACK_CLIENT_SECRET')
+end
+```
+
+If you support both names during a migration, register both callback paths in Slack:
+
+- `https://your-app.example.com/auth/slack2/callback`
+- `https://your-app.example.com/auth/slack/callback`
+
+## Provider App Setup
+
+- Slack API Dashboard: <https://api.slack.com/apps>
+- Enable **Sign in with Slack** under OAuth & Permissions
+- Register the callback URL that matches your provider name:
+  - `slack2`: `https://your-app.example.com/auth/slack2/callback`
+  - `slack`: `https://your-app.example.com/auth/slack/callback`
+- If your Slack app enforces PKCE, this strategy sends `code_challenge` / `code_verifier`
+  with `S256` by default
+- Required scopes: `openid`, `email`, `profile`
+
+## Options
+
+Supported request options include:
+
+- `scope` (default: `openid email profile`)
+- `nonce` (auto-generated by default)
+- `team` (pre-select a Slack workspace)
+- `pkce` (default: `true` — sends `code_challenge` / `code_verifier` using `S256`)
+- `skip_jwt` (default: `false` — set to `true` to skip id_token RS256 verification)
+
+## Troubleshooting
+
+- If Slack rejects a local callback while your app is enforcing PKCE, prefer a real
+  HTTPS hostname over `localhost` for interactive testing
+- The same callback/PKCE rules apply to the compat `slack` alias, not just `slack2`
+
+## Auth Hash
+
+Example payload from `request.env['omniauth.auth']` (realistic shape, anonymized):
+
+```json
+{
+  "uid": "U0R7MFMJM",
+  "info": {
+    "name": "Sample User",
+    "email": "sample@example.test",
+    "unverified_email": "sample@example.test",
+    "email_verified": true,
+    "first_name": "Sample",
+    "last_name": "User",
+    "image": "https://secure.gravatar.com/avatar/example.jpg?s=512&d=https%3A%2F%2Fa.slack-edge.com%2Fexample.png",
+    "locale": "en-US"
+  },
+  "credentials": {
+    "token": "xoxp-...",
+    "refresh_token": "xoxe-1-...",
+    "expires_at": 1772691847,
+    "expires": true,
+    "scope": "openid email profile"
+  },
+  "extra": {
+    "raw_info": {
+      "ok": true,
+      "sub": "U0R7MFMJM",
+      "https://slack.com/user_id": "U0R7MFMJM",
+      "https://slack.com/team_id": "T0123ABC456",
+      "email": "sample@example.test",
+      "email_verified": true,
+      "date_email_verified": 1775000482,
+      "name": "Sample User",
+      "picture": "https://secure.gravatar.com/avatar/example.jpg?s=512&d=https%3A%2F%2Fa.slack-edge.com%2Fexample.png",
+      "given_name": "Sample",
+      "family_name": "User",
+      "locale": "en-US",
+      "https://slack.com/team_name": "Sample Workspace",
+      "https://slack.com/team_domain": "sampleworkspace",
+      "https://slack.com/user_image_512": "https://secure.gravatar.com/avatar/example.jpg?s=512&d=https%3A%2F%2Fa.slack-edge.com%2Fexample.png",
+      "https://slack.com/team_image_230": "https://avatars.slack-edge.com/example-team_132.jpg",
+      "https://slack.com/team_image_default": false
+    },
+    "id_token": "eyJhbGciOiJSUzI1NiIs...",
+    "id_info": {
+      "iss": "https://slack.com",
+      "sub": "U0R7MFMJM",
+      "aud": "your-client-id",
+      "exp": 1775009314,
+      "iat": 1775009014,
+      "auth_time": 1775009014,
+      "nonce": "auto-generated-nonce",
+      "https://slack.com/team_id": "T0123ABC456",
+      "https://slack.com/user_id": "U0R7MFMJM",
+      "email": "sample@example.test",
+      "email_verified": true,
+      "date_email_verified": 1775000482,
+      "locale": "en-US",
+      "name": "Sample User",
+      "picture": "https://secure.gravatar.com/avatar/example.jpg?s=512&d=https%3A%2F%2Fa.slack-edge.com%2Fexample.png",
+      "given_name": "Sample",
+      "family_name": "User",
+      "https://slack.com/team_name": "Sample Workspace",
+      "https://slack.com/team_domain": "sampleworkspace",
+      "https://slack.com/team_image_230": "https://avatars.slack-edge.com/example-team_132.jpg",
+      "https://slack.com/team_image_default": false
+    },
+    "team_id": "T0123ABC456",
+    "team_name": "Sample Workspace",
+    "team_domain": "sampleworkspace"
+  }
+}
+```
+
+## Development
+
+```bash
+bundle install
+bundle exec standardrb --fix
+bundle exec rake
+```
+
+Run Rails integration tests with an explicit Rails version:
+
+```bash
+RAILS_VERSION='~> 8.1.0' bundle install
+RAILS_VERSION='~> 8.1.0' bundle exec rake test_rails_integration
+```
+
+## Compatibility
+
+- Ruby: `>= 3.2` (tested on `3.2`, `3.3`, `3.4`, `4.0`)
+- `omniauth-oauth2`: `>= 1.8`, `< 2.0`
+- Rails integration lanes: `~> 7.1.0`, `~> 7.2.0`, `~> 8.0.0`, `~> 8.1.0`
+
+## Endpoints
+
+This gem uses Slack OpenID Connect endpoints:
+
+- `https://slack.com/openid/connect/authorize`
+- `https://slack.com/api/openid.connect.token`
+- `https://slack.com/api/openid.connect.userInfo`
+- `https://slack.com/openid/connect/keys` (JWKS for id_token verification)
+
+## Test Structure
+
+- `test/omniauth_slack2_test.rb`: strategy/unit behavior
+- `test/rails_integration_test.rb`: full Rack/Rails request+callback flow
+- `test/test_helper.rb`: shared test bootstrap
+
+## Release
+
+Tag releases as `vX.Y.Z`; GitHub Actions publishes the gem to RubyGems.
+
+## License
+
+MIT

data/lib/omniauth/slack2/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Slack2
+    VERSION = "1.0.0"
+  end
+end

data/lib/omniauth/slack2.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require "omniauth/slack2/version"
+require "omniauth/strategies/slack2"

data/lib/omniauth/strategies/slack2.rb

@@ -0,0 +1,219 @@
+# frozen_string_literal: true
+
+require "base64"
+require "jwt"
+require "net/http"
+require "omniauth-oauth2"
+require "securerandom"
+require "uri"
+
+module OmniAuth
+  module Strategies
+    # OmniAuth strategy for Slack OpenID Connect.
+    class Slack2 < OmniAuth::Strategies::OAuth2
+      ISSUER = "https://slack.com"
+      JWKS_URL = "https://slack.com/openid/connect/keys"
+      USER_INFO_URL = "https://slack.com/api/openid.connect.userInfo"
+      DEFAULT_SCOPE = "openid email profile"
+
+      option :name, "slack2"
+      option :authorize_options, %i[scope state nonce team]
+      option :scope, DEFAULT_SCOPE
+      option :pkce, true
+      option :skip_jwt, false
+
+      option :client_options,
+        site: ISSUER,
+        authorize_url: "https://slack.com/openid/connect/authorize",
+        token_url: "https://slack.com/api/openid.connect.token",
+        connection_opts: {
+          headers: {
+            user_agent: "icoretech-omniauth-slack2 gem",
+            accept: "application/json",
+            content_type: "application/json"
+          }
+        }
+
+      uid { raw_info["sub"] }
+
+      info do
+        {
+          name: raw_info["name"],
+          email: raw_info["email_verified"] ? raw_info["email"] : nil,
+          unverified_email: raw_info["email"],
+          email_verified: raw_info["email_verified"],
+          first_name: raw_info["given_name"],
+          last_name: raw_info["family_name"],
+          image: raw_info["picture"],
+          locale: raw_info["locale"]
+        }.reject { |_, v| v.nil? || (v.respond_to?(:empty?) && v.empty?) }
+      end
+
+      credentials do
+        {
+          "token" => access_token.token,
+          "refresh_token" => access_token.refresh_token,
+          "expires_at" => access_token.expires_at,
+          "expires" => access_token.expires?,
+          "scope" => token_scope
+        }.compact
+      end
+
+      extra do
+        data = {
+          "raw_info" => raw_info,
+          "team_id" => raw_info["https://slack.com/team_id"],
+          "team_name" => raw_info["https://slack.com/team_name"],
+          "team_domain" => raw_info["https://slack.com/team_domain"]
+        }
+
+        id_token_raw = access_token["id_token"]
+        unless blank?(id_token_raw)
+          data["id_token"] = id_token_raw
+          decoded = verify_and_decode_id_token(id_token_raw)
+          data["id_info"] = decoded if decoded
+        end
+
+        data.compact
+      end
+
+      # Error raised when callback validation fails.
+      class CallbackError < StandardError; end
+
+      def authorize_params
+        super.tap do |params|
+          apply_request_authorize_overrides(params)
+          params[:nonce] ||= new_nonce
+        end
+      end
+
+      def callback_url
+        options[:callback_url] || options[:redirect_uri] || super
+      end
+
+      def query_string
+        return "" if request.params["code"]
+
+        super
+      end
+
+      def raw_info
+        @raw_info ||= access_token.get(USER_INFO_URL).parsed
+      end
+
+      private
+
+      def verify_and_decode_id_token(token)
+        return skip_jwt_decode(token) if options[:skip_jwt]
+
+        decode_and_verify_id_token(token)
+      end
+
+      def skip_jwt_decode(token)
+        payload, = JWT.decode(token, nil, false)
+        payload
+      rescue JWT::DecodeError
+        nil
+      end
+
+      def decode_and_verify_id_token(token)
+        jwk = fetch_jwk(extract_kid(token))
+        payload = decode_payload(token, jwk)
+        verify_nonce!(payload)
+        payload
+      rescue JSON::ParserError, ArgumentError, JWT::DecodeError => e
+        raise CallbackError, e.message
+      end
+
+      def verify_nonce!(payload)
+        return unless payload.key?("nonce")
+
+        expected_nonce = stored_nonce
+        return if payload["nonce"] == expected_nonce
+
+        raise CallbackError, "nonce does not match"
+      end
+
+      def fetch_jwk(expected_kid)
+        jwks = fetch_jwks_keys
+        matching_key = jwks.find { |key| key["kid"] == expected_kid }
+        raise CallbackError, "JWKS key not found: #{expected_kid}" unless matching_key
+
+        JWT::JWK.import(matching_key)
+      rescue JSON::ParserError, SocketError, SystemCallError => e
+        raise CallbackError, e.message
+      end
+
+      def fetch_jwks_keys
+        uri = URI(JWKS_URL)
+        response = Net::HTTP.get_response(uri)
+        raise CallbackError, "JWKS fetch failed: #{response.code}" unless response.is_a?(Net::HTTPSuccess)
+
+        JSON.parse(response.body).fetch("keys", [])
+      end
+
+      def extract_kid(token)
+        header_segment = token.split(".").first
+        decoded_header = Base64.urlsafe_decode64(pad_base64(header_segment))
+        JSON.parse(decoded_header)["kid"]
+      end
+
+      def decode_payload(token, jwk)
+        payload, = JWT.decode(
+          token,
+          jwk.public_key,
+          true,
+          decode_options
+        )
+        payload
+      end
+
+      def decode_options
+        {
+          algorithms: ["RS256"],
+          iss: ISSUER,
+          verify_iss: true,
+          aud: options.client_id,
+          verify_aud: true,
+          verify_iat: true,
+          verify_expiration: true
+        }
+      end
+
+      def new_nonce
+        session["omniauth.nonce"] = SecureRandom.urlsafe_base64(16)
+      end
+
+      def stored_nonce
+        session.delete("omniauth.nonce")
+      end
+
+      def apply_request_authorize_overrides(params)
+        options[:authorize_options].each do |key|
+          request_value = request.params[key.to_s]
+          params[key] = request_value unless blank?(request_value)
+        end
+      end
+
+      def token_scope
+        access_token.params["scope"] || access_token["scope"]
+      end
+
+      def pad_base64(value)
+        value + ("=" * ((4 - (value.length % 4)) % 4))
+      end
+
+      def blank?(value)
+        value.nil? || (value.respond_to?(:empty?) && value.empty?)
+      end
+    end
+
+    # Backward-compatible strategy name for existing callback paths.
+    class Slack < Slack2
+      option :name, "slack"
+    end
+  end
+end
+
+OmniAuth.config.add_camelization "slack2", "Slack2"
+OmniAuth.config.add_camelization "slack", "Slack"

data/lib/omniauth-slack2.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require "omniauth/slack2"

data/omniauth-slack2.gemspec

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "omniauth/slack2/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "omniauth-slack2"
+  spec.version = OmniAuth::Slack2::VERSION
+  spec.authors = ["Claudio Poli"]
+  spec.email = ["masterkain@gmail.com"]
+
+  spec.summary = "OmniAuth strategy for Slack OpenID Connect authentication."
+  spec.description =
+    "OpenID Connect strategy for OmniAuth that authenticates users with Slack and exposes profile metadata."
+  spec.homepage = "https://github.com/icoretech/omniauth-slack2"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 3.2"
+
+  spec.metadata["source_code_uri"] = "https://github.com/icoretech/omniauth-slack2"
+  spec.metadata["bug_tracker_uri"] = "https://github.com/icoretech/omniauth-slack2/issues"
+  spec.metadata["changelog_uri"] = "https://github.com/icoretech/omniauth-slack2/releases"
+  spec.metadata["rubygems_mfa_required"] = "true"
+
+  spec.files = Dir[
+    "lib/**/*.rb",
+    "README*",
+    "LICENSE*",
+    "*.gemspec"
+  ]
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "cgi", ">= 0.3.6"
+  spec.add_dependency "jwt", ">= 2.9.2"
+  spec.add_dependency "omniauth-oauth2", ">= 1.8", "< 2.0"
+end

metadata

@@ -0,0 +1,100 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-slack2
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Claudio Poli
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cgi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.6
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.2
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: OpenID Connect strategy for OmniAuth that authenticates users with Slack
+  and exposes profile metadata.
+email:
+- masterkain@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- lib/omniauth-slack2.rb
+- lib/omniauth/slack2.rb
+- lib/omniauth/slack2/version.rb
+- lib/omniauth/strategies/slack2.rb
+- omniauth-slack2.gemspec
+homepage: https://github.com/icoretech/omniauth-slack2
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/icoretech/omniauth-slack2
+  bug_tracker_uri: https://github.com/icoretech/omniauth-slack2/issues
+  changelog_uri: https://github.com/icoretech/omniauth-slack2/releases
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: OmniAuth strategy for Slack OpenID Connect authentication.
+test_files: []