Recently there was a question about how to authenticate requests from Slack via mutual TLS. The following walks through how to configure the BIG-IP to verify the identity of Slack requests and share this information with a backend Slack application.
Slack apps are a nifty way to create custom interactions. For example, you could create a custom command “/mtls” that sends a command to your own application server and posts the response back into your Slack channel.
Verifying Slack Requests
When a request is sent from Slack to your backend server there are two ways that you can verify the identity of Slack.
Verify Signed Requests
Use Mutual TLS
When Slack sends a request to your application it includes an X-Slack-Signature header. Using the 4-step process that Slack documents, your application can validate each request.
The second option is to use Mutual TLS, which is also documented; this involves having a trusted proxy that is capable of validating Slack's client certificate.
Configuring a BIG-IP to Validate Slack Requests via Mutual TLS
To configure the BIG-IP you will need to
Install your CA signed certificate that is trusted by Slack
Install the CA certificate that is used to verify Slack's client certificate
Configure the BIG-IP to request a client certificate and verify it against Slack’s preferred CA
The outcome of these three steps looks something like the following from the BIG-IP GUI.
To share this information with a backend application, we use an iRule that follows the guidance in Slack’s documentation and also adds the content of the certificate presented by Slack to the request.
Once you get the BIG-IP configured you can test out your Slack app (link to Code Snippet of my demo app). I modified the following tutorial.
In this example I created the command “/mtls”.
When you run the command without the BIG-IP validating the certificate you can see the request, but no information about the X-Client-Certificate-SAN header that is used by Slack.
With the BIG-IP validating the certificate, we can now share this information with the application via the X-Client-Certificate-SAN header that is added by the iRule.
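As an added example, not code from this post or from my demo app, here is how a Python backend could apply both schemes described above: the 4-step signed-request check from Slack’s documentation and the X-Client-Certificate-SAN header that the BIG-IP iRule inserts after validating the client certificate. The signing secret and request body are constructed, and the expected SAN value is an assumption to be confirmed against Slack’s mutual TLS documentation.

```python
import hashlib
import hmac
import time

# Constructed sample secret for this example, not a real Slack signing secret.
SIGNING_SECRET = "example-signing-secret-not-real"
# Assumed SAN that the BIG-IP iRule forwards after validating Slack's client
# certificate; confirm the real value in Slack's mutual TLS documentation.
EXPECTED_SAN = "platform-tls-client.slack.com"


def slack_signature(signing_secret, timestamp, body):
    """Slack v0 signature: HMAC-SHA256 over 'v0:<timestamp>:<raw body>'."""
    base = f"v0:{timestamp}:{body}".encode("utf-8")
    digest = hmac.new(signing_secret.encode("utf-8"), base, hashlib.sha256)
    return "v0=" + digest.hexdigest()


def verify_signed_request(headers, body, signing_secret=SIGNING_SECRET,
                          now=None, max_age=300):
    """Slack's 4-step check: read the timestamp and raw body, build the base
    string, HMAC it with the signing secret, compare to X-Slack-Signature.
    The timestamp window rejects replays of old captured requests."""
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    presented = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > max_age:
        return False
    expected = slack_signature(signing_secret, timestamp, body)
    # Constant-time comparison so a tampered signature leaks no timing info.
    return hmac.compare_digest(expected, presented)


def verify_mtls_header(headers, expected_san=EXPECTED_SAN):
    """Mutual TLS: the BIG-IP already validated Slack's client certificate and
    the iRule inserted its SAN; the app only compares it. Trust this header
    only when the app is reachable solely through the BIG-IP, otherwise a
    direct caller could set it themselves."""
    return headers.get("X-Client-Certificate-SAN") == expected_san


def is_from_slack(headers, body, now=None):
    """Accept the request if either verification scheme succeeds."""
    return verify_mtls_header(headers) or verify_signed_request(headers, body, now=now)
```

The `now` parameter exists so the timestamp window can be tested deterministically; in a real handler leave it unset.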
More Mutual TLS
TLS provides a standard scheme for verifying the identity of Slack in this example. Mutual TLS is commonly used by customers in these types of B2B transactions and can be a useful scheme for establishing a chain of custody between two parties. Let me know if you can think of other examples where Mutual TLS can be used similar to this example. Thanks for reading!