Binds a Slack user to a user on an internal application. Account binding allows a user to use an internal integration in Slack to read or modify information in another application whilst respecting the existing access controls.
In order to implement this app blueprint, you need to be able to make changes to the internal application to add a new endpoint which will be used in the account binding process.
When someone uses a slash command associated with the Slack app, the app will receive an HTTP POST request that contains the user's Slack user ID and the command they invoked. Using this Slack user ID, the app can search a data store to check if it already know who the user is in the internal application. If the user is found, the command can be run against the other application on behalf of the user. The results can then be sent back to Slack as a well-formatted message.
The following steps assume that a matching user was not found in the data store and the account binding process needs to be kicked off.
In order to link a Slack user to a user on the internal application, we need the user to authenticate into the internal system whilst carrying some information that can tie them securely back to the Slack user (who initiated the slash command). To do this, the app generates a unique token (a nonce), stores it in a database alongside the Slack user ID, and passes it into the URL of a page that's behind authentication on the internal system. As soon as the user authenticates into the internal system, the unique token in the URL can be used search for the user's Slack ID from the database.
The association URL (the URL that contains the nonce and that's behind authentication on the internal system) is sent to the user as an ephemeral message in response to the slash command which invoked the action. An ephemeral message is only visible to the user who ran the slash command.
Once the user clicks the association URL in the ephemeral message, they are sent to a page on the internal application and if they are not already logged in, it'll prompt them to do so using the typical authentication flow. Once a user session is established, the nonce is extracted from the URL and queried for in the database. The application will then store the user ID of the user who has been authenticated in the session alongside the Slack user ID and nonce in the database.
After the accounts have been bound, the user will see a success response sent via the web app. At the same time a confirmation message is sent to the user in a Slack DM using the chat.postMessage web API method.
To post into a restricted channel, this kind of app must either be installed by a team admin approver _or_ a user with posting permissions in that channel.
