Slack
- Ory Console
- Ory CLI
Follow these steps to add Slack as a social sign-in provider to your project using the Ory Console:
-
Sign in to Ory Console and select Social Sign-in.
-
Click the switch next to the Slack logo to start the configuration.
-
Copy the Redirect URI and save it for later use.
-
After creating the new application, navigate to the OAuth & Permissions section of the registered application in Slack and add the saved Redirect URI from Ory to the Redirect URLs of the registered application.
-
Navigate to the Basic Information section of the registered application in Slack and copy the following data to the corresponding fields in the form in the Ory Console:
- Client ID
- Client Secret
-
In the Scopes field of the form in the Ory Console, add the following scopes:
identity.basicidentity.email
-
In the Data Mapping field of the form in the Ory Console, add the following Jsonnet code snippet, which maps the desired claims to the Ory Identity schema:
local claims = {
email_verified: true,
} + std.extVar('claims');
{
identity: {
traits: {
// Allowing unverified email addresses enables account
// enumeration attacks, if the value is used for
// verification or as a password login identifier.
//
// It's assumed that Slack requires an email to be verified to be accessible
// via OAuth (because they don't provide a email_verified field).
email: claims.email,
},
},
}<JsonnetWarning format="Jsonnet code snippets" use="data mapping" /> -
Click Save Configuration.
Follow these steps to add Slack as a social sign-in provider to your project using the Ory CLI:
-
In the created app, set the redirect URI to:
https://{project.slug}.projects.oryapis.com/self-service/methods/oidc/callback/slack -
Create a Jsonnet code snippet to map the desired claims to the Ory Identity schema.
local claims = {
email_verified: true,
} + std.extVar('claims');
{
identity: {
traits: {
// Allowing unverified email addresses enables account
// enumeration attacks, if the value is used for
// verification or as a password login identifier.
//
// It's assumed that Slack requires an email to be verified to be accessible
// via OAuth (because they don't provide a email_verified field).
email: claims.email,
},
},
}<JsonnetWarning format="Jsonnet code snippets" use="data mapping" /> -
Encode the Jsonnet snippet with Base64 or host it under an URL accessible to Ory Network.
cat your-data-mapping.jsonnet | base64 -
Download the Ory Identities config from your project and save it to a file:
## List all available projects
ory list projects
## Get config
ory get identity-config {project-id} --format yaml > identity-config.yaml -
Add the social sign-in provider configuration to the downloaded config. Add the Jsonnet snippet with mappings as a Base64 string or provide an URL to the file.
selfservice:
methods:
oidc:
config:
providers:
- id: slack # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!
provider: slack
client_id: .... # Replace this with the OAuth2 Client ID provided by Slack
mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"
# Alternatively, use an URL:
# mapper_url: https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17f22ce7f4295c739604b183f05ac4afb4t
scope:
- identity.basic
- identity.email
enabled: true -
Update the Ory Identities configuration using the file you worked with:
ory update identity-config {project-id} --file identity-config.yaml
Troubleshooting
When you add a social sign-in provider, you can encounter common problems such as:
- Redirect URI mismatch
- Redirect loops during registration
- Domain verification issues
To troubleshoot those issues, read Social sign-in troubleshooting.