Summary
Connect All Slack OAuth flow completes in popup, but integration status remains Connect / Connect again in onboarding modal.
User-visible behavior
- Open Connect All modal.
- Click Slack Connect.
- Complete Slack auth in popup.
- Close popup.
- UI keeps Slack in unconnected state (button resets to Connect/Connect again).
Expected behavior
After successful Slack OAuth callback, onboarding should switch Slack row to Connected and stay connected on reopen.
Likely root cause
Slack OAuth client credentials appear inconsistently wired between setup scripts, ExternalSecret mappings, and deployment env keys, so dlp-proxy may run without SLACK_CLIENT_ID / SLACK_CLIENT_SECRET.
dlp-proxy requires these env vars for Slack OAuth start/exchange:
- dlp-proxy/main.py (SLACK_CLIENT_ID, SLACK_CLIENT_SECRET)
- oauth_start hard-fails if SLACK_CLIENT_ID is missing.
- K8s deployment expects secret keys slack-client-id / slack-client-secret.
- ExternalSecret currently maps only slack-bot-token / slack-app-token (not Slack OAuth client id/secret keys).
- Setup script creates slack-bot-token / slack-app-token, but not slack-client-id / slack-client-secret.
Because onboarding verifies status via /oauth/tokens/{user_id}?provider=slack, any failure to persist Slack tokens leads to a non-200 verify response and the button resets to Connect.
Evidence (repo refs)
- Frontend resets button on verify failure: assets/onboarding.js (verifyOAuth catch path)
- Verify endpoint returns 404 when tokens are missing: dlp-proxy/main.py (/oauth/tokens/{user_id})
- Slack OAuth env and start path: dlp-proxy/main.py (SLACK_CLIENT_ID, SLACK_CLIENT_SECRET, /oauth/start)
- K8s secret key expectations: k8s/dlp-proxy-deployment.yaml
- ExternalSecret key mapping: k8s/secrets-external.yaml
- Setup-created secret names: scripts/setup-gcp.sh
No-change diagnostic checklist
Run these in the target cluster/environment:
- Validate Slack OAuth envs on running dlp-proxy pod:
kubectl -n open-os get deploy dlp-proxy -o jsonpath='{.spec.template.spec.containers[0].env[*].name}' | tr ' ' '\n' | rg 'SLACK_CLIENT_ID|SLACK_CLIENT_SECRET'
Expected: both names present.
- Validate openos-secrets contains keys deployment expects:
kubectl -n open-os get secret openos-secrets -o json | jq -r '.data | keys[]' | rg 'slack-client-id|slack-client-secret|slack-bot-token|slack-app-token'
Expected for OAuth flow: slack-client-id and slack-client-secret exist.
- Probe Slack OAuth start endpoint from app URL:
curl -i "https://os.envsn.com/oauth/start?provider=slack&user_id=test-user"
Expected: 302 redirect to https://slack.com/oauth/v2/authorize....
Failure signal: 500 with SLACK_CLIENT_ID not configured.
- Watch dlp-proxy logs during OAuth attempt:
kubectl -n open-os logs deploy/dlp-proxy -f | rg -i 'slack|oauth|token exchange|not configured|error'
Expected on success: token saved log line for user.
Failure signals: token exchange errors or missing client id/secret errors.
- Verify status endpoint for the same user id after callback:
curl -i "https://os.envsn.com/oauth/tokens/<USER_ID>?provider=slack"
Expected: 200 JSON with {"connected": true, ...}.
Failure signal: 404 No tokens for this user.
Notes
This issue is focused on the Slack Connect All status behavior only (no code changes proposed in this ticket).
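
The root-cause hypothesis above can be checked in one pass by comparing every secretKeyRef in the deployment against the keys actually present in the Secret. The script below is an added example, not code from this repository; the embedded JSON is constructed sample input, and the env-to-key mapping and `optional` flags in it are assumptions.

```python
import json

# Constructed sample input, shaped like `kubectl get deploy dlp-proxy -o json`
# and `kubectl get secret openos-secrets -o json`. The env-to-key mapping and
# the `optional` flags are assumptions, not the repository's real manifests.
DEPLOYMENT = json.loads("""
{"spec": {"template": {"spec": {"containers": [{"name": "dlp-proxy", "env": [
  {"name": "SLACK_CLIENT_ID", "valueFrom": {"secretKeyRef":
    {"name": "openos-secrets", "key": "slack-client-id", "optional": true}}},
  {"name": "SLACK_CLIENT_SECRET", "valueFrom": {"secretKeyRef":
    {"name": "openos-secrets", "key": "slack-client-secret", "optional": true}}},
  {"name": "SLACK_BOT_TOKEN", "valueFrom": {"secretKeyRef":
    {"name": "openos-secrets", "key": "slack-bot-token"}}},
  {"name": "LOG_LEVEL", "value": "info"}
]}]}}}}
""")
SECRET = json.loads("""
{"metadata": {"name": "openos-secrets"},
 "data": {"slack-bot-token": "eA==", "slack-app-token": "eA=="}}
""")


def audit_secret_refs(deployment, secret):
    """Return {env_name: status} for every env var backed by `secret`.

    ok           key exists in the Secret
    unset        key missing, ref is optional: pod runs with the variable absent
    blocks-start key missing, ref is required: container cannot be created
    """
    secret_name = secret["metadata"]["name"]
    present = set(secret.get("data") or {})
    report = {}
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if not ref or ref.get("name") != secret_name:
                continue  # literal value, or backed by a different Secret
            if ref["key"] in present:
                report[env["name"]] = "ok"
            elif ref.get("optional", False):
                report[env["name"]] = "unset"
            else:
                report[env["name"]] = "blocks-start"
    return report


if __name__ == "__main__":
    for name, status in sorted(audit_secret_refs(DEPLOYMENT, SECRET).items()):
        print(f"{name:22} {status}")
```

An `unset` result matches the symptom described here: the pod is healthy but runs without the Slack client credentials. A `blocks-start` result would instead show up as a container that never starts.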