
Unnecessary Scopes in README

Open · tim-fitzgerald opened this issue 5 years ago · 1 comment

Hi! I was recently asked at my org to install this bot for a team. I noticed that the README for Slack actions here asks the admin to create three scopes:

  • channels:read
  • users:read
  • files:write:user

The README then advises the user to only use the Bot token, and there is no usage of the User Token. As per Slack's API documentation here:

> Bot user tokens can't have resource-based OAuth scopes added to them; any scopes other than bot requested during the OAuth installation flow have no effect on the bot user token.

It seems that creating these scopes is completely unnecessary for this bot's use case. I chose not to grant them at my org, and my users are reporting it is still operating as expected. Unless I'm missing another use case, I'd recommend that this step be removed from the instructions so as not to create unnecessary security exposure by having those scopes.

tim-fitzgerald · Jul 02 '19 18:07
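An added example (not code from this issue or from the project) of the check an admin can run after install: Slack's Web API echoes a token's granted scopes in the `X-OAuth-Scopes` response header, so comparing that header for each token against what the bot actually uses shows which scopes are excess and can be dropped. It assumes the bot only ever calls the API with the Bot token, as the README describes; the sample responses are constructed.

```python
"""Least-privilege audit of Slack token scopes (example added for this
issue; not the project's own code). Slack's Web API returns the scopes a
token carries in the X-OAuth-Scopes response header; diffing that against
what the bot really uses surfaces scopes that can be removed."""
from typing import Dict, Set

# Assumption for this example: the bot calls the API only with the Bot
# token (legacy `bot` scope) and never uses the User token, so the User
# token needs no scopes at all.
USED_SCOPES: Dict[str, Set[str]] = {"bot": {"bot"}, "user": set()}


def parse_scope_header(value: str) -> Set[str]:
    """Parse the comma-separated X-OAuth-Scopes header value into a set."""
    return {s.strip() for s in value.split(",") if s.strip()}


def granted_scopes(headers: Dict[str, str]) -> Set[str]:
    """Pull granted scopes out of response headers (names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return parse_scope_header(lowered.get("x-oauth-scopes", ""))


def audit(token_kind: str, headers: Dict[str, str]) -> Dict[str, Set[str]]:
    """Report granted, missing and excess scopes for one token kind."""
    granted = granted_scopes(headers)
    needed = USED_SCOPES[token_kind]
    return {"granted": granted, "missing": needed - granted, "excess": granted - needed}


# Constructed responses (no network): an install that followed the README
# and requested the three user scopes alongside the bot scope.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "bot": {"X-OAuth-Scopes": "bot"},
    "user": {"x-oauth-scopes": "channels:read,users:read,files:write:user"},
}

if __name__ == "__main__":
    for kind, hdrs in SAMPLE_RESPONSES.items():
        result = audit(kind, hdrs)
        status = "OK" if not result["excess"] and not result["missing"] else "REVIEW"
        print(f"{kind} token: {status} excess={sorted(result['excess'])} "
              f"missing={sorted(result['missing'])}")
```

Any scope reported as excess on the User token is exactly the exposure this issue describes: a token that exists in the workspace with permissions the bot never exercises.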

Thanks for the info! We'll confirm this is the case and edit the README as appropriate!

wilg · Jul 02 '19 18:07