2
votes

There seems to be an inconsistency in the Slack API docs in that the OAuth flow requires a client_secret be provided as part of the exchange of the code for the OAuth token as documented at https://api.slack.com/methods/oauth.access

However, the client secret then needs to be embedded into the mobile app, which goes against Slack's recommendations at https://api.slack.com/docs/oauth-safety which states:

Your Client Secret should be treated delicately. It is how you securely identify your application's rights and identity when exchanging tokens with Slack. Do not distribute client secrets in email, distributed native applications, client-side javascript, or public code repositories.

Are there any best practices available in terms of how to manage this discrepancy where the client secret seems to be required for auth but at the same time should not be embedded into the mobile app?

1
There is no need to store the client secret in your local mobile app. See the "web helper" approach in my linked answer. – Erik Kalkoken

1 Answer

2
votes

Slack only supports the Authorisation Code Flow for OAuth 2.0, but it doesn't support public clients, only confidential clients. It doesn't support the PKCE flow either.

Their FAQ page suggests using the RTM API if you are developing a mobile app.

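The "web helper" approach mentioned in the comment on the question, as an added example that is not part of the question, the answer or Slack's own code: a small backend that keeps the client secret server-side, issues a single-use state value to the app, exchanges the code at oauth.access on the app's behalf and hands back only the token. The endpoint URL and parameter names are those documented for oauth.access; the transport hook, the in-memory state set and every sample value are constructed assumptions.

```python
import json
import secrets
import urllib.parse
import urllib.request

SLACK_OAUTH_ACCESS_URL = "https://slack.com/api/oauth.access"


def _post_form(url, params):
    """Default transport: POST form-encoded params and decode Slack's JSON reply."""
    data = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.loads(resp.read())


class WebHelper:
    """Backend that owns the client secret and performs the code exchange.

    The mobile app only ever sends the short-lived `code` and the `state`
    it was issued; the secret never leaves this process.
    """

    def __init__(self, client_id, client_secret, redirect_uri, transport=_post_form):
        self.client_id = client_id
        self.client_secret = client_secret   # server-side only, never shipped in the app
        self.redirect_uri = redirect_uri
        self._transport = transport          # injectable so the exchange can be tested offline
        self._pending_states = set()         # assumed in-memory store; a real service persists this

    def new_state(self):
        """Issued to the app before it opens Slack's authorize URL; single use."""
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        return state

    def exchange_request(self, code):
        """Parameters for oauth.access; the secret is attached here, on the server."""
        return {"client_id": self.client_id, "client_secret": self.client_secret,
                "code": code, "redirect_uri": self.redirect_uri}

    def exchange_code(self, code, state):
        """Called by the app with the code and state it received on redirect."""
        if state not in self._pending_states:
            raise PermissionError("unknown or replayed state")
        self._pending_states.discard(state)  # one exchange per issued state
        reply = self._transport(SLACK_OAUTH_ACCESS_URL, self.exchange_request(code))
        if not reply.get("ok"):
            raise RuntimeError("oauth.access failed: %s" % reply.get("error"))
        # Return only what the app needs; the secret is not part of the reply.
        return {k: reply[k] for k in ("access_token", "scope", "team_id") if k in reply}
```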