RFC: Optional synced source for Slack allowed_users

[antigenius0910]

Proposal

Problem

[slack].allowed_users is currently a static list in TOML / ConfigMap. In orgs where the canonical "who can use this bot" lives in an IdP group (Okta, Azure AD, LDAP, etc.) or other external directory, keeping that list in sync by hand is tedious and drifts.

This RFC proposes a minimal opt-in hook so operators can point openab at an externally-managed list, while keeping openab core IdP-agnostic. Slack only for this RFC; other platforms can adopt the same pattern in follow-ups if their communities want it.

Proposed shape

Add two new optional fields to [slack], mutually exclusive with the existing inline allowed_users:

[slack]
# Mode A — inline static list (existing, unchanged)
allowed_users = ["U1", "U2"]

# Mode B — externally-managed file
synced_allowed_users_path = "/etc/openab/sync/allowed_users.toml"
synced_allowed_users_stale_after = "1h"   # optional, default 1h

Setting both is a config-load error. allow_all_users = true still bypasses both.

External file format reuses the same allowed_users key so syncers don't have to learn a second schema:

# Managed by an external syncer; do not edit by hand.
# Generated: 2026-06-14T08:21:00Z
allowed_users = ["U0AB", "U0CD"]

Key behaviour

• Reload: the file is watched (matching openab's existing usercron reload pattern); atomic swap on change.
• Stale detection: if file mtime > synced_allowed_users_stale_after, existing sessions keep going but new sessions are refused — prevents an IdP outage from instantly locking everyone out while staying fail-closed for new traffic.
• Read failure / malformed file: keep last-known-good; never silently degrade to empty.
• Empty list is legitimate (group was emptied) and is applied as-is.

Reference syncer (out of openab core)

A reference Okta-Groups → file syncer is the obvious first consumer of this contract. Small (~few-hundred-LOC) single-purpose binary; runs as a sidecar in openab's Pod or as a separate Deployment / CronJob; reads Okta group members, resolves emails → Slack IDs via users.lookupByEmail, writes the file atomically.

This syncer lives outside openab core to keep openab IdP-agnostic. Any syncer (Azure AD, LDAP, CMDB, even a static CSV upload) that produces a compliant file works.

Open question for maintainers: would you prefer the reference Okta syncer to live (a) in a small new repo under the openab org, (b) as a sub-component of an existing repo, or (c) under a community / personal org with a docs link? Happy with any direction.

Open questions

1. notify-based file-watch vs polling — would like to match whatever usercron does today for consistency.
2. File format: TOML (consistent with the rest of openab) vs newline-delimited (simpler for syncers). Recommending TOML.
3. Stale-threshold default: 1h reasonable for IdP syncs that run every 5–15min.
4. Should Slack allowed_channels get the same treatment in a follow-up RFC? Same shape, but explicitly out of scope here to keep this one small.
5. Reference syncer home (see above).

Feedback welcome on the contract shape, mutual-exclusion semantics, failure modes, and reference-syncer placement. Happy to iterate before any implementation work.

[CHC-Agent]

Issue at a Glance

  IdP (Okta/Azure AD)          External Syncer          openab
         │                           │                     │
         ├─ group members ──────────►│                     │
         │                           ├─ resolve email→ID ─►│ (Slack API)
         │                           │◄─ Slack user IDs ───┤
         │                           │                     │
         │                           ├─ write allowed_users.toml ──►│
         │                           │   (atomic swap)              │
         │                           │                     ├─ file watch (reload)
         │                           │                     ├─ stale check (mtime)
         │                           │                     └─ apply access control

Hi @antigenius0910,

This RFC proposes an externally-managed file source for [slack].allowed_users, keeping openab IdP-agnostic while enabling automated sync from identity providers. The contract is well-defined: a TOML file with the same allowed_users key, watched for changes, with stale detection and fail-closed semantics for new sessions.

Current state:

• allowed_users is a static inline list in TOML config (since PR feat: add allowed_users config for per-user access control #108, extended by PR feat(gateway): add allowed_users/allowed_channels access control #648)
• allow_all_users = true bypass exists (PR feat(config): add allow_all_channels / allow_all_users flags #476)
• No file-watch or external-source mechanism exists today

Related:

• feat: add allowed_users config for per-user access control #107 by @masami-agent — CLOSED (original allowed_users feature)
• feat(config): add explicit allow_all_channels / allow_all_users flags #475 by @thepagent — CLOSED (allow_all flags)
• feat(gateway): add user and channel allowlist filtering for LINE (and other webhook platforms) #643 by @juntinyeh-worker — CLOSED (gateway allowlist for LINE)
• PR feat: add allowed_users config for per-user access control #108 by @masami-agent — MERGED (allowed_users implementation)
• PR feat(config): add allow_all_channels / allow_all_users flags #476 by @chaodu-agent — MERGED (allow_all flags)
• PR feat(gateway): add allowed_users/allowed_channels access control #648 by @chaodu-agent — MERGED (gateway allowed_users/channels)

Open questions from the author remain for maintainer input: syncer home (openab org vs external), file format (TOML vs newline-delimited), and stale-threshold default.

[github-actions]

⚠️ This issue is missing the following required information and will not be processed until completed:

• Use Case

Please edit this issue to fill in the missing fields. Thank you!

Tip: Use headings like ## Description or ### Description — common synonyms (e.g. ## Problem, ## Reproduction, ## Motivation) are also accepted.