Hi Zoom Team,
We were writing the auth code flow with PKCE using the postman blog (which is great)
and we noticed something that is a bit concerning: when hitting the /oauth/token endpoint, it does not seem to honor the code_verifier when it is purposely incorrect, and still issues the tokens.
Below are some snippets for repro.
// PKCE (Proof Key for Code Exchange) utilities
/**
 * Builds a new PKCE code_verifier from 32 bytes of CSPRNG output
 * (crypto.getRandomValues), encoded with base64url so it is URL-safe.
 *
 * @returns the verifier to keep client-side until the token exchange
 */
export function generateCodeVerifier(): string {
  const randomBytes = crypto.getRandomValues(new Uint8Array(32));
  return base64URLEncode(randomBytes);
}
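/**
 * Derives the S256 code_challenge for a verifier: base64url(SHA-256(verifier)).
 *
 * @param verifier - the code_verifier that will later be sent to the token endpoint
 * @returns the value to place in the /authorize request's code_challenge parameter
 */
export async function generateCodeChallenge(verifier: string): Promise<string> {
  const data = new TextEncoder().encode(verifier);
  // digest() yields an ArrayBuffer; wrap it so it can be base64url-encoded.
  const hash = await crypto.subtle.digest('SHA-256', data);
  return base64URLEncode(new Uint8Array(hash));
}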
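/**
 * Encodes bytes as unpadded base64url (RFC 4648 section 5): '+' -> '-',
 * '/' -> '_', trailing '=' removed. PKCE requires this form for both the
 * code_verifier and the code_challenge.
 *
 * @param buffer - raw bytes to encode
 * @returns the base64url string; an empty input yields ''
 */
function base64URLEncode(buffer: Uint8Array): string {
  // Build the binary string byte by byte rather than spreading into
  // String.fromCharCode, which fails once the input exceeds the argument limit.
  let binary = '';
  for (const byte of buffer) {
    binary += String.fromCharCode(byte);
  }
  return btoa(binary)
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}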
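// params for call for /authorize
// Only the challenge leaves the client here; the matching verifier is sent
// later to /oauth/token so the server can bind the two requests together.
// NOTE(review): no `state` parameter is sent, so the callback cannot be tied
// back to the session that started the flow — confirm it is added elsewhere.
const params = new URLSearchParams({
  response_type: 'code',
  client_id: ZOOM_CONFIG.clientId,
  redirect_uri: ZOOM_CONFIG.redirectUri,
  code_challenge: codeChallenge,
  code_challenge_method: 'S256',
  // scope: ZOOM_CONFIG.scope,
});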
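// Token call params
// NOTE(review): VITE_-prefixed variables are the ones Vite exposes to browser
// bundles; if this code ships to the client, the client secret is readable by
// any user of the app. Confirm this exchange runs server-side.
const base64Encoded = Buffer.from(
  `${myProcess.env.VITE_ZOOM_CLIENT_ID}:${myProcess.env.VITE_ZOOM_CLIENT_SECRET}`
).toString("base64");
// NOTE(review): this request presents both the client secret (Basic auth) and
// a PKCE verifier. Whether the server still enforces code_verifier when client
// credentials are also valid is not shown here — check the provider's behavior
// for confidential clients before concluding PKCE is ignored outright.
const tokenResponse = await fetch("https://zoom.us/oauth/token", {
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    Authorization: `Basic ${base64Encoded}`,
  },
  body: new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: myProcess.env.VITE_ZOOM_REDIRECT_URI,
    client_id: myProcess.env.VITE_ZOOM_CLIENT_ID,
    // Deliberately corrupted for the repro: SHA-256 of this string no longer
    // matches the code_challenge sent to /authorize, so a PKCE-enforcing
    // server must reject the exchange.
    code_verifier: codeVerifier + "thisshouldnotwork",
  }),
});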
Notice how we append the string “thisshouldnotwork” to the verifier with the intention of the token request failing, but it does not.