feat: add OpenID Connect support for Slack marketplace compliance (#1381)

Author: maartenpaauw

Provider.php

@@ -39,8 +39,12 @@ protected function getCodeFields($state = null)
     {
         $fields = parent::getCodeFields($state);
 
-        $fields['user_scope'] = $this->formatScopes($this->userScopes, $this->scopeSeparator);
-        $fields['scope'] = $this->formatScopes($this->scopes, $this->scopeSeparator);
+        if ($this->shouldUseOpenIdConnect()) {
+            $fields['scope'] = $this->formatScopes($this->userScopes, ' ');
+        } else {
+            $fields['user_scope'] = $this->formatScopes($this->userScopes, $this->scopeSeparator);
+            $fields['scope'] = $this->formatScopes($this->scopes, $this->scopeSeparator);
+        }
 
         return $fields;
     }
@@ -57,7 +61,13 @@ public function user()
 
         $response = $this->getAccessTokenResponse($this->getCode());
 
-        $user = $this->getUserByToken(Arr::get($response, 'authed_user.access_token'));
+        if ($this->shouldUseOpenIdConnect()) {
+            $token = Arr::get($response, 'access_token');
+        } else {
+            $token = Arr::get($response, 'authed_user.access_token');
+        }
+
+        $user = $this->getUserByToken($token);
 
         /** @var User $userInstance */
         $userInstance = $this->userInstance($response, $user);
@@ -68,13 +78,25 @@ public function user()
 
     protected function mapUserToObject(array $user)
     {
-        return (new User)->setRaw($user)->map([
-            'id'              => Arr::get($user, 'user.id'),
-            'name'            => Arr::get($user, 'user.name'),
-            'email'           => Arr::get($user, 'user.email'),
-            'avatar'          => Arr::get($user, 'user.image_512'),
-            'organization_id' => Arr::get($user, 'team.id'),
-        ]);
+        if ($this->usesOpenIdScopes()) {
+            $attributes = [
+                'id'              => Arr::get($user, 'sub'),
+                'name'            => Arr::get($user, 'name'),
+                'email'           => Arr::get($user, 'email'),
+                'avatar'          => Arr::get($user, 'picture'),
+                'organization_id' => Arr::get($user, 'https://slack.com/team_id'),
+            ];
+        } else {
+            $attributes = [
+                'id'              => Arr::get($user, 'user.id'),
+                'name'            => Arr::get($user, 'user.name'),
+                'email'           => Arr::get($user, 'user.email'),
+                'avatar'          => Arr::get($user, 'user.image_512'),
+                'organization_id' => Arr::get($user, 'team.id'),
+            ];
+        }
+
+        return (new User)->setRaw($user)->map($attributes);
     }
 
     public function getAccessTokenResponse($code)
@@ -87,13 +109,23 @@ public function getAccessTokenResponse($code)
         return json_decode((string) $response->getBody(), true);
     }
 
-    public function getAuthUrl($state)
+    public function getAuthUrl($state): string
     {
-        return $this->buildAuthUrlFromBase('https://slack.com/oauth/v2/authorize', $state);
+        if ($this->shouldUseOpenIdConnect()) {
+            $url = 'https://slack.com/openid/connect/authorize';
+        } else {
+            $url = 'https://slack.com/oauth/v2/authorize';
+        }
+
+        return $this->buildAuthUrlFromBase($url, $state);
     }
 
     protected function getTokenUrl(): string
     {
+        if ($this->shouldUseOpenIdConnect()) {
+            return 'https://slack.com/api/openid.connect.token';
+        }
+
         return 'https://slack.com/api/oauth.v2.access';
     }
 
@@ -102,10 +134,32 @@ protected function getTokenUrl(): string
      */
     protected function getUserByToken($token)
     {
-        $response = $this->getHttpClient()->get('https://slack.com/api/users.identity', [
+        if ($this->usesOpenIdScopes()) {
+            $url = 'https://slack.com/api/openid.connect.userInfo';
+        } else {
+            $url = 'https://slack.com/api/users.identity';
+        }
+
+        $response = $this->getHttpClient()->get($url, [
             RequestOptions::HEADERS => ['Authorization' => 'Bearer '.$token],
         ]);
 
         return json_decode((string) $response->getBody(), true);
     }
+
+    protected function shouldUseOpenIdConnect(): bool
+    {
+        return $this->usesOpenIdScopes() && empty($this->scopes);
+    }
+
+    protected function usesOpenIdScopes(): bool
+    {
+        $openidScopes = ['openid', 'email', 'profile'];
+        $identityScopes = ['identity.basic', 'identity.email', 'identity.team', 'identity.avatar'];
+
+        $hasOpenIdScopes = ! empty(array_intersect($this->userScopes, $openidScopes));
+        $hasIdentityScopes = ! empty(array_intersect($this->userScopes, $identityScopes));
+
+        return $hasOpenIdScopes && ! $hasIdentityScopes;
+    }
 }