After authenticating OAuth app, redirect_uri is persisted in a cookie, causing redirects back to the app on any zoom login

Description
We are developing an OAuth user level App to enable integration with our scheduling service. We have everything working except we are seeing a strange behavior during user authentication. When in our application, we direct the user to enable the Zoom integration and authenticate with the OAuth app using the following URL:

(trying to avoid links since I’m a new user, so bear with me)

http:// zoom. us/oauth/authorize?client_id=<our_client_id>&response_type=code&redirect_uri=https://<link-to-our/application/zoom/integration>

If the user is not signed in, they sign in via SSO and are prompted to authorize the app, then they are redirected to our redirect_uri with the authorization code appended. That all works as expected.

The problem is that when this happens, there is a cookie saved on the user’s browser named _zm_bu. This cookie contains the oauth/authorize URL that was last used to sign in, and it includes the redirect_uri parameter to our service, same as above. When this cookie is present, anytime I login to zoom through the website (e.g., just https:// zoom. us), I get redirected back to our service, instead of my profile page on zoom. On some browsers the cookie clears when the browser closes, but in Chrome with certain settings (Continue where you left off), that cookie will persist across a restart and this behavior would be very confusing to users if they log into zoom and get redirected to our service instead.

Is there a way to prevent that cookie from being set if they sign in via the oauth flow? If that’s not possible is there a URL where we can redirect the user after they’ve completed the authentication flow that would remove this cookie or change it back to the default? I tried using this: https:// zoom. us/oauth/authorize…etc…?redirect_uri= after whitelisting that URL in our app, but it will only work if the user is signed out and has to sign back in again. Once they are signed in, going to that link will not change the cookie.

Error
The user should not be redirected to our redirect_uri when signing in to the Zoom website directly.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth

Which Endpoint/s?
oauth/authorize

How To Reproduce (If applicable)
Steps to reproduce the behavior:

  1. Set up an OAuth app.
  2. Sign out of zoom.
  3. “Install” the app by visiting a link similar to the one above for oauth/authorize.
  4. During this installation, sign in via SSO and authorize the app (the issue is not reproducible if you’re already signed in, or if you sign in directly without SSO!).
  5. You will be redirected to your redirect_uri - you can ignore if this page doesn’t do anything.
  6. Navigate to https:// zoom. us and sign out.
  7. Stay on https:// zoom. us and sign in again.
  8. You will be redirected to the redirect_uri in step 5.

Additional context
During the oauth authorize step, you must be prompted to sign in and use SSO.
Clearing the _zm_bu cookie will clear the issue, and on some browsers, closing the browser window may clear the issue, but not always (i.e. Chrome with Continue where I left off).
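To make the two behaviours concrete, here is an added model (not Zoom's code, and not from the reporter) of a post-login "return to" cookie like the _zm_bu one described above: the reported variant never consumes the cookie, so every later login replays the stored authorize URL, while the hardened variant consumes it on first use and only honours first-party https targets. The host allowlist, profile URL, client id and app URL are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

PROFILE_URL = "https://zoom.us/profile"   # assumed landing page after a plain login
FIRST_PARTY_HOSTS = {"zoom.us"}           # constructed allowlist for this example
APP_REDIRECT = "https://app.example/zoom/integration"  # placeholder third-party app

def start_authorize_while_logged_out(cookies, authorize_url):
    """Both variants: an unauthenticated visit to /oauth/authorize remembers the URL
    so the user can be sent back to it once signed in, then goes to the sign-in page."""
    cookies["_zm_bu"] = authorize_url
    return "https://zoom.us/signin"

def post_login_target_reported(cookies):
    """Behaviour described in the report: any login honours _zm_bu and the cookie is
    never consumed, so a later plain login bounces through the authorize URL again."""
    return cookies.get("_zm_bu") or PROFILE_URL

def post_login_target_hardened(cookies):
    """Mitigation sketch: the return target is single-use and must be a first-party
    https URL; anything else falls back to the profile page."""
    target = cookies.pop("_zm_bu", None)   # consumed on first use, whatever it holds
    if not target:
        return PROFILE_URL
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.netloc not in FIRST_PARTY_HOSTS:
        return PROFILE_URL
    return target

def authorize_outcome(authorize_url):
    """Where /oauth/authorize sends an approving user: the app's redirect_uri."""
    return parse_qs(urlsplit(authorize_url).query)["redirect_uri"][0]

def reproduce(policy):
    """Walks the reported steps and returns (landing URL after the app install,
    landing URL after a later direct sign-in at zoom.us)."""
    cookies = {}
    authorize_url = ("https://zoom.us/oauth/authorize?client_id=CLIENT_ID_PLACEHOLDER"
                     "&response_type=code&redirect_uri=" + APP_REDIRECT)
    start_authorize_while_logged_out(cookies, authorize_url)   # "install" visit
    after_sso_login = policy(cookies)                           # SSO sign-in
    installed_at = authorize_outcome(after_sso_login)           # user approves the app
    # sign out, then sign in directly at zoom.us with no authorize URL involved
    later_login = policy(cookies)
    return installed_at, later_login
```

Running `reproduce(post_login_target_reported)` lands the second login back on the authorize URL, which in turn forwards to the app; the hardened policy lands it on the profile page because the cookie was consumed by the first login.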

Hey @jlevine,

Thanks for sharing this, we are aware of the issue and are working on a fix! (ZOOM-153729)

-Tommy