Getting "500: Unable to exchange external code" when using signInWithOAuth for Slack #1294

Open
2 tasks done
betocmn opened this issue Oct 31, 2023 · 7 comments
Labels
bug Something isn't working

Comments


betocmn commented Oct 31, 2023

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When using the simple "Sign in with Slack" things work normally. If I customise the request to add certain required query_params, then I get these two error messages:

"server response missing access_token"
"500: Unable to exchange external code"

Here's an example of the full error response:

{"component":"api","error":"oauth2: server response missing access_token","level":"error","method":"GET","msg":"500: Unable to exchange external code: 7788618443378.6134758635009.924ff79a34f487e4781425c976g50aa0c8a5d6fb7c8f623c8a624b961fd6e576","path":"/callback","referer":"https://develop.asyncbrain.com","remote_addr":"206.32.96.26","time":"2023-10-31T13:12:29Z","timestamp":"2023-10-31T13:12:28Z"}
Timestamp
2023-10-31T13:12:29.000Z

Metadata
[
  {
    "message": null,
    "timestamp": "2023-10-31T13:12:28Z",
    "__MONOTONIC_TIMESTAMP": null,
    "CODE_FUNC": null,
    "instance_id": null,
    "status": null,
    "_CMDLINE": null,
    "method": "GET",
    "_SYSTEMD_CGROUP": null,
    "CODE_FILE": null,
    "EXECUTABLE": null,
    "_EXE": null,
    "UNIT": null,
    "level": "error",
    "_COMM": null,
    "duration": null,
    "issuer": null,
    "_LINE_BREAK": null,
    "_SOURCE_REALTIME_TIMESTAMP": null,
    "msg": "500: Unable to exchange external code: 7788618443378.6134758635009.924ff79a34f487e4781425c976g50aa0c8a5d6fb7c8f623c8a624b961fd6e576",
    "action": null,
    "login_method": null,
    "_UID": null,
    "host": "db-xxxxxxxxxxxxxxxx",
    "PRIORITY": null,
    "_CAP_EFFECTIVE": null,
    "_PID": null,
    "INVOCATION_ID": null,
    "_SYSTEMD_UNIT": null,
    "source_type": null,
    "SYSLOG_FACILITY": null,
    "request_id": null,
    "CODE_LINE": null,
    "path": "/callback",
    "component": "api",
    "project": null,
    "user_id": null,
    "auth_event": [],
    "args": [],
    "referer": "https://develop.domain.com",
    "factor_id": null,
    "provider": null,
    "client_id": null,
    "remote_addr": "203.32.98.28",
    "_SYSTEMD_SLICE": null,
    "_SYSTEMD_INVOCATION_ID": null,
    "header": null,
    "_MACHINE_ID": null,
    "_AUDIT_LOGINUID": null,
    "_TRANSPORT": null,
    "_SELINUX_CONTEXT": null,
    "MESSAGE_ID": null,
    "__REALTIME_TIMESTAMP": null,
    "metadata": [],
    "_STREAM_ID": null,
    "metering": null,
    "time": null,
    "_GID": null,
    "_BOOT_ID": null,
    "SYSLOG_IDENTIFIER": null,
    "_AUDIT_SESSION": null,
    "error": "oauth2: server response missing access_token"
  }
]

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

Set the below to the onClick of a button.

client.auth.signInWithOAuth({
  provider: 'slack',
  options: {
    redirectTo: redirectFullURL,
    queryParams: {
      scope:
        'chat:write,commands,users.profile:read,users:read.email,users:read',
      user_scope: 'openid,email,profile',
      granular_bot_scope: '1',
    },
  },
})

Expected behavior

The login should succeed, which would also install the Slack app on this user's Slack workplace.

Screenshots

This is the authorise screen on Slack that still works. But after clicking to "allow" we get the errors mentioned on the top.

Screenshot 2023-10-31 at 11 11 01 pm

System information

  • OS: macOS
  • Browser (if applies): Chrome
  • Version of Node.js: v18.16.0

Additional context

If you remove the entire "queryParams" from the code above, then everything works.

@betocmn betocmn added the bug Something isn't working label Oct 31, 2023
@kangmingtay
Member

Hi @betocmn, thanks for bringing this to our attention. It seems like the OAuth API we use for Slack has been moved to "Legacy" and they now have a V2 API.

Some of the fields passed into the queryParam option are not supported by the Legacy API:

  • "user_scope"
  • "chat:write"

Removing these scopes will allow the OAuth 2.0 flow to succeed, although it might not return a provider access token with the full set of permissions you want. We can put this on the roadmap but it's not going to be prioritised because the team is quite tight on bandwidth right now.

@kangmingtay
Member

If you want to use the legacy bot APIs, it only accepts the "bot" scope. See https://api.slack.com/authentication/token-types#bot for reference

@kangmingtay kangmingtay transferred this issue from supabase/auth-js Nov 1, 2023
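
Added example (not part of the thread and not Supabase code): a hypothetical helper, `stripLegacyUnsupported`, that removes from `queryParams` the two items the maintainer lists above as unsupported by the legacy Slack OAuth API and reports what it dropped, so the reduced grant is visible to the caller. The two lists contain only what this thread names and may be incomplete.

```javascript
// Added example. The two lists below hold only what the maintainer named
// in this thread; they are assumptions and may not be exhaustive.
const UNSUPPORTED_PARAMS = ['user_scope']; // query parameter keys
const UNSUPPORTED_SCOPES = ['chat:write']; // entries inside `scope`

// Hypothetical helper: returns a cleaned copy of queryParams plus a record
// of everything that was dropped. The input object is not modified.
function stripLegacyUnsupported(queryParams) {
  const cleaned = {};
  const removed = [];
  for (const [key, value] of Object.entries(queryParams || {})) {
    if (UNSUPPORTED_PARAMS.includes(key)) {
      removed.push(key);
      continue;
    }
    if (key === 'scope') {
      // Scopes are comma-separated, as in the report's snippet.
      const kept = [];
      const scopes = String(value).split(',').map((s) => s.trim()).filter(Boolean);
      for (const s of scopes) {
        if (UNSUPPORTED_SCOPES.includes(s)) removed.push(`scope=${s}`);
        else kept.push(s);
      }
      // Omit `scope` entirely rather than send an empty value.
      if (kept.length > 0) cleaned.scope = kept.join(',');
      continue;
    }
    cleaned[key] = value;
  }
  return { queryParams: cleaned, removed };
}

// queryParams copied from the report above.
const reported = {
  scope: 'chat:write,commands,users.profile:read,users:read.email,users:read',
  user_scope: 'openid,email,profile',
  granular_bot_scope: '1',
};

const result = stripLegacyUnsupported(reported);
console.log('dropped:', result.removed);
console.log('send:', result.queryParams);
```

The `removed` list is worth logging or surfacing: as the maintainer notes, the resulting provider access token may not carry the full set of permissions the app asked for.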
@Interperle

@kangmingtay what's the current status of this issue?


Nitsorn commented Jan 15, 2024

Would love an update here as well @kangmingtay thank you!

Contributor

hf commented Jan 19, 2024

The team is busy with other priorities. Feel free to submit a PR to get yourselves unblocked and we'll prioritize reviews.


zhawtof commented May 2, 2024

Just a heads up but after June 4, 2024, Slack will no longer allow users to create legacy apps

https://api.slack.com/changelog/2024-04-discontinuing-new-creation-of-classic-slack-apps-and-custom-bots

@NickPuljic

This is preventing us from building on Supabase (we require modern Slack OAuth) - is there any update on when this will be prioritized or could you point me where in code to start looking and I may look into a PR?
