Verifying Slack Requests with Mutual TLS
Recently there was a question about how to authenticate requests from Slack via mutual TLS. The following walks through how to configure the BIG-IP to verify that a request really comes from Slack and to pass that verification result on to a backend Slack application.
Slack apps are a handy way to create custom interactions. One example is a custom slash command, “/mtls”, that sends a request to your own application server and posts the response back into your Slack channel.
Verifying Slack Requests
When a request is sent from Slack to your backend server there are two ways that you can verify the identity of Slack.
- Verify Signed Requests
- Use Mutual TLS
When Slack sends a request to your application it includes an X-Slack-Signature header (together with an X-Slack-Request-Timestamp header). Using the 4-step process that Slack documents, your application recomputes the HMAC-SHA256 signature over the timestamp and raw request body with its signing secret and compares the result with the header to validate each request.
The second option, also documented by Slack, is mutual TLS. This involves having a trusted proxy in front of your application that validates the client certificate Slack presents and passes the result to the application.
Configuring a BIG-IP to Validate Slack Requests via Mutual TLS
To configure the BIG-IP you will need to
- Install your own server certificate, signed by a CA that Slack trusts, so that Slack will complete the TLS handshake with your endpoint
- Install the CA certificate that issued Slack’s client certificate, so that the BIG-IP can verify the certificate Slack presents
- Configure the client SSL profile to require a client certificate and to verify it against that CA
The outcome of these three steps looks something like the following from the BIG-IP GUI.
To share this information with the backend application we use an iRule that follows the guidance in Slack’s documentation and adds the relevant content of the certificate presented by Slack, its Subject Alternative Name, to the request as a header.
In this example I created the command “/mtls”.
When you run the command without the BIG-IP validating the certificate, the application still sees the request, but there is no X-Client-Certificate-SAN header and therefore no information about the certificate Slack presented.
With the BIG-IP validating the certificate, the iRule adds the X-Client-Certificate-SAN header and the application can now see which certificate Slack presented. Because the application trusts this header, make sure the application is reachable only through the BIG-IP and that the iRule replaces any X-Client-Certificate-SAN header already present in the incoming request, so that a client bypassing the proxy cannot forge it.
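As an added example (not the article’s iRule and not code from Slack), here is what the backend application behind the BIG-IP can do with both signals described above: the request-signing check from the “Verifying Slack Requests” section, and the X-Client-Certificate-SAN header that the iRule inserts. The signing secret, the expected SAN value, and the sample slash-command request are placeholders I constructed; take the real SAN value from Slack’s documentation. The header names are the ones the article and Slack’s documentation use.

```python
"""Backend checks for a Slack request arriving through an mTLS-terminating proxy.

Added example, not the article's iRule and not Slack's code. Header names are
those the article and Slack's documentation use; SIGNING_SECRET,
EXPECTED_SLACK_SAN and the sample request are constructed placeholders.
"""
import hashlib
import hmac
import time

SIGNATURE_VERSION = "v0"   # Slack's current request-signing scheme version
MAX_SKEW_SECONDS = 5 * 60  # reject requests whose timestamp is too old (replay guard)

SIGNING_SECRET = "placeholder-signing-secret"        # assumption: your app's signing secret
EXPECTED_SLACK_SAN = "example-slack-client.invalid"  # assumption: real SAN comes from Slack's docs


def _lower_headers(headers):
    """HTTP header names are case-insensitive; normalise once for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def compute_signature(signing_secret, timestamp, body):
    """Slack signs 'v0:<timestamp>:<raw body>' with HMAC-SHA256 keyed by the signing secret."""
    base = f"{SIGNATURE_VERSION}:{timestamp}:".encode() + body
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return f"{SIGNATURE_VERSION}={digest}"


def verify_signed_request(headers, body, signing_secret, now=None):
    """Method 1: validate X-Slack-Signature. Returns (ok, reason)."""
    h = _lower_headers(headers)
    timestamp = h.get("x-slack-request-timestamp")
    signature = h.get("x-slack-signature")
    if timestamp is None or signature is None:
        return False, "missing signature headers"
    try:
        ts = int(timestamp)
    except ValueError:
        return False, "malformed timestamp"
    now = time.time() if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = compute_signature(signing_secret, timestamp, body)
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "signature mismatch"
    return True, "ok"


def verify_proxy_san(headers, expected_san, via_trusted_proxy):
    """Method 2: trust the SAN the proxy attached after validating Slack's client cert.

    via_trusted_proxy must come from the deployment (the listener is reachable
    only from the BIG-IP), never from a header: a client that bypasses the
    proxy can set any header it likes. Returns (ok, reason)."""
    if not via_trusted_proxy:
        return False, "request did not arrive via the mTLS proxy"
    san = _lower_headers(headers).get("x-client-certificate-san")
    if san is None:
        return False, "no client certificate SAN attached by proxy"
    if not hmac.compare_digest(san.encode(), expected_san.encode()):
        return False, "unexpected client certificate SAN"
    return True, "ok"


# Constructed sample of a /mtls slash command as it arrives after the BIG-IP.
SAMPLE_TIMESTAMP = "1700000000"
SAMPLE_BODY = b"command=%2Fmtls&text=hello&team_id=T000000&user_id=U000000"
SAMPLE_HEADERS = {
    "X-Slack-Request-Timestamp": SAMPLE_TIMESTAMP,
    "X-Slack-Signature": compute_signature(SIGNING_SECRET, SAMPLE_TIMESTAMP, SAMPLE_BODY),
    "X-Client-Certificate-SAN": EXPECTED_SLACK_SAN,
}


def handle_slack_request(headers, body, now, via_trusted_proxy=True):
    """Accept only if both the signature and the proxy-supplied SAN check out."""
    for check in (
        verify_signed_request(headers, body, SIGNING_SECRET, now),
        verify_proxy_san(headers, EXPECTED_SLACK_SAN, via_trusted_proxy),
    ):
        if not check[0]:
            return check
    return True, "ok"


if __name__ == "__main__":
    print(handle_slack_request(SAMPLE_HEADERS, SAMPLE_BODY, now=1700000010))
    print(handle_slack_request(SAMPLE_HEADERS, SAMPLE_BODY + b"&x=1", now=1700000010))
```

Running both checks is defence in depth: the signature proves the body was produced by the holder of your signing secret, while the proxy-supplied SAN proves the TLS client held a certificate issued by Slack’s CA. The `via_trusted_proxy` flag is deliberately a deployment property rather than something read from the request.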
More Mutual TLS
TLS provides a standard scheme for verifying the identity of Slack in this example. Mutual TLS is commonly used by customers in these kinds of B2B transactions and can be a useful way to establish a chain of custody between two parties. Let me know if you can think of other examples where Mutual TLS can be used similar to this example. Thanks for reading!