Description
Hello Slack Team,
We have a Java-based Slack integration that was built five years ago using the OAuth 2.0 authorization code flow (grant_type=authorization_code) with the https://slack.com/api/oauth.v2.access endpoint.
Previously, the user OAuth v2 response included:
- A bot access token (xoxb-)
- A user access token (xoxp- under authed_user)
- Other installation metadata
Currently, we are using a User OAuth flow (user token installation). However, we now observe that the OAuth v2 response only includes the user token under authed_user.access_token, and no bot token is returned.
```json
{
  "ok": true,
  "app_id": "A0A0PEW**",
  "authed_user": {
    "id": "U05PT2MGTK7",
    "scope": "channels:read,files:read,im:read,search:read,users:read,channels:write,chat:write,files:write,im:write",
    "access_token": "xoxp-********",
    "token_type": "user"
  },
  "team": {
    "id": "T035N3***",
    "name": "Test"
  },
  "enterprise": null,
  "is_enterprise_install": false,
  "warning": "superfluous_charset"
}
```
Below is the sample curl I am using.
```bash
curl --location 'https://slack.com/api/oauth.v2.access' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  --header 'Connection: Keep-Alive' \
  --header 'Cookie: b=0e84c9e290876f34b72dcd9a14627595' \
  --data 'code=3192123441.10612427735363****&grant_type=authorization_code&client_id=3192123***&client_secret=943b7148aa0c****&redirect_uri=https://***/api/1/rest/admin/oauth2callback/slack&user_scope=channels:read chat:write im:write users:read search:read'
```
This behavior is breaking our existing application. I would like to know when this change was introduced. Is it mentioned in any Slack API documentation? I need this information.
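An added example, not part of the original post and not Slack's or the SDK's code: a defensive parser for the `oauth.v2.access` response that treats the bot token as optional, so an installation like the one above (user token only) is handled explicitly instead of failing on a missing field. It assumes that a bot token, when issued, arrives as the top-level `access_token` with `token_type` set to `bot`; the names `Installation`, `parse_oauth_v2_access` and `redact` are hypothetical, and Python is used so the block runs with the standard library alone.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like the response in the issue; all values are placeholders.
SAMPLE_USER_ONLY = json.dumps({
    "ok": True,
    "authed_user": {
        "id": "U0000000000",
        "scope": "channels:read,chat:write,im:write,users:read,search:read",
        "access_token": "xoxp-PLACEHOLDER",
        "token_type": "user",
    },
    "team": {"id": "T0000000000", "name": "Test"},
})


@dataclass(frozen=True)
class Installation:
    team_id: Optional[str]
    bot_token: Optional[str]    # top-level access_token, only when token_type == "bot"
    bot_scopes: frozenset
    user_token: Optional[str]   # authed_user.access_token
    user_scopes: frozenset


def _scopes(value):
    return frozenset(s for s in (value or "").split(",") if s)


def parse_oauth_v2_access(body: str) -> Installation:
    data = json.loads(body)
    if not data.get("ok"):
        raise ValueError(f"oauth.v2.access failed: {data.get('error', 'unknown')}")
    user = data.get("authed_user") or {}
    is_bot = data.get("token_type") == "bot"  # assumption: bot installs set this field
    return Installation(
        team_id=(data.get("team") or {}).get("id"),
        bot_token=data.get("access_token") if is_bot else None,
        bot_scopes=_scopes(data.get("scope")) if is_bot else frozenset(),
        user_token=user.get("access_token"),
        user_scopes=_scopes(user.get("scope")),
    )


def redact(token: Optional[str]) -> str:
    """Keep only the token-type prefix so logs never contain the secret."""
    return "<none>" if not token else token.split("-", 1)[0] + "-***"
```

Callers can branch on `bot_token is None` and compare `user_scopes` against the scopes the integration needs before storing the installation, logging only `redact(...)` output.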