Current setup:
Our backend handles the whole Slack OAuth flow, and we have set up a redirect_uri on our frontend route which calls the backend endpoint (a protected endpoint) to carry out all the required verification using the state and code query params and a cookie (set during the installation flow).
We also use Auth0 for authentication purposes. The frontend uses it as well.
The Problem:
We are trying to integrate the Slack Bot installation flow.
But the problem arises when Slack's callback to our frontend route triggers Auth0 authentication (since it observes that the call came from an unknown origin). When this Auth0 authentication completes, Auth0 overrides the code and state query params that were originally sent by the Slack server (because Auth0 also performs its authentication with its own code and state query params). As a result, when the frontend calls the backend endpoint (protected endpoint), the Slack OAuth flow fails.
Possible solutions we came up with:
We were thinking of making our backend endpoint (which receives the state and code query params for the Slack OAuth flow) public, but the problem is that we manage our state generation logic (for the Slack install flow) in our database, and we don't want to make any endpoint public that performs DB operations.
I've also read the Slack server authorize flow, and it is mentioned in the API contract that the state parameter is expected, so we cannot rename the state parameter variable.
I want suggestions on how I should handle this OAuth flow then.