Verifying Slack Requests with Mutual TLS

Recently there was a question about how to authenticate requests from Slack via mutual TLS. The following walks through how to configure the BIG-IP to verify the identity of Slack requests and share this information with a backend Slack application. 

Slack App

Slack apps are nifty ways that you can create custom interactions. One example would allow you to create a custom command “/mtls” that would send a command to your own application server and send the response back into your Slack channel.

Verifying Slack Requests

When a request is sent from Slack to your backend server there are two ways that you can verify the identity of Slack.  

  1. Verify Signed Requests
  2. Use Mutual TLS

Signed Requests

When Slack sends a request to your application it includes an X-SLACK-SIGNATURE header. Using the 4-step process that Slack documents, your application can validate each request.

Mutual TLS

The second option is to use Mutual TLS, which Slack also documents. This involves having a trusted proxy that is capable of validating Slack's client certificate.

Configuring a BIG-IP to Validate Slack Requests via Mutual TLS

To configure the BIG-IP you will need to

  1. Install your CA signed certificate that is trusted by Slack
  2. Install a CA certificate that was used by Slack to verify their client certificate
  3. Configure the BIG-IP to request a client certificate that is trusted by Slack’s preferred CA

The outcome of these three steps looks something like the following from the BIG-IP GUI.

To share this information with a backend application we use an iRule to follow the guidance from Slack’s documentation as well as add the content of the certificate that is presented by Slack.

In Action

Once you have the BIG-IP configured you can test out your Slack app (link to Code Snippet of my demo app). I modified the following tutorial.

In this example I created the command “/mtls”. 

When you run the command without the BIG-IP validating the certificate, you can see the request but no information about the X-Client-Certificate-SAN header that Slack uses.

Using the BIG-IP to validate the certificate, we can now share this information with the application via the X-Client-Certificate-SAN header that the iRule adds.
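As an added example (not the author's demo app or any F5 or Slack code), here is backend-side logic in Python that checks both mechanisms described above: the signed-request HMAC over `v0:<timestamp>:<body>` against the X-Slack-Signature header, and the X-Client-Certificate-SAN header that the iRule adds. The signing secret, the expected SAN value and the sample request body are constructed placeholders; confirm the SAN against Slack's documentation.

```python
import hashlib
import hmac
import time

# Constructed placeholders for this example: take the signing secret from your
# Slack app configuration and the SAN from Slack's mutual TLS documentation.
SLACK_SIGNING_SECRET = b"example-signing-secret"
EXPECTED_SLACK_SAN = "platform-tls-client.slack.com"  # assumed value
REPLAY_WINDOW_SECONDS = 300  # Slack's documented 5-minute tolerance


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def compute_slack_signature(timestamp: str, body: bytes) -> str:
    """Signature Slack computes: 'v0=' + hex(HMAC-SHA256(secret, 'v0:ts:body'))."""
    basestring = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(SLACK_SIGNING_SECRET, basestring, hashlib.sha256).hexdigest()


def verify_slack_signature(headers, body: bytes, now=None) -> bool:
    """Step 1-4: read timestamp, reject replays, recompute HMAC, compare."""
    timestamp = _header(headers, "X-Slack-Request-Timestamp")
    signature = _header(headers, "X-Slack-Signature")
    if not timestamp or not signature or not timestamp.isdigit():
        return False
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > REPLAY_WINDOW_SECONDS:
        return False  # stale request: possible replay
    expected = compute_slack_signature(timestamp, body)
    return hmac.compare_digest(expected, signature)


def verify_client_cert_san(headers, expected_san: str = EXPECTED_SLACK_SAN) -> bool:
    """Trust the SAN header only because the BIG-IP sets it after validating the
    client certificate; the proxy must be the only path to this application."""
    san = _header(headers, "X-Client-Certificate-SAN")
    return san is not None and hmac.compare_digest(san, expected_san)


def is_trusted_slack_request(headers, body: bytes, now=None) -> bool:
    """Require both checks: the signed request and the mutual TLS identity."""
    return verify_slack_signature(headers, body, now) and verify_client_cert_san(headers)
```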

More Mutual TLS

TLS provides a standard scheme for verifying the identity of Slack in this example. Mutual TLS is commonly used by customers in these types of B2B transactions and can be a useful scheme for establishing a chain of custody between two parties. Let me know if you can think of other examples where Mutual TLS can be used similar to this example. Thanks for reading!

/eric out
Published Aug 30, 2019
Version 1.0
