Authenticate webhook POST from Zoom

stevejohnson · April 25, 2020, 8:55pm

The documentation for webhooks at https://marketplace.zoom.us/docs/api-reference/webhook-reference says that an ‘authorization’ header is sent by Zoom and the value can be compared to the Verification token shown on the Features page of my Marketplace app.

I have a number of webhooks being sent, none of which contain the ‘authorization’ header, that I can see. None of my logs show the verification token string being sent at all, anywhere in the POST request, as a header or otherwise.

Am I missing something?

I really need to authenticate POST requests to my endpoints; the only thing unique I see right now is a ‘clientid’ header.

Any ideas?

tommy · April 28, 2020, 9:11pm

Hey @stevejohnson,

What language are you using for your server?

The verification token should be included, but depending on how you are receiving requests it could differ where in the header to find it.

Thanks,
Tommy

stevejohnson · April 29, 2020, 4:38pm

PHP

This is output of PHP’s getallheaders() (sensitive values 'x’ed):
Array
(
[User-Agent] => Zoom Marketplace/1.0a
[Connection] => Keep-Alive
[Host] => xxxxxx.net
[Content-Length] => 290
[Content-Type] => application/json; charset=utf-8
[X-Zm-Trackingid] => Webhook_409f4a3e202c4f39b3ca598e4ddaff38
[Clientid] => xxxxxxxxxxxxxxxxx
)

And the relevant part of $_SERVER (again, 'x’ed)
[HTTP_USER_AGENT] => Zoom Marketplace/1.0a
[HTTP_CONNECTION] => Keep-Alive
[HTTP_HOST] => xxxxxxxx.net
[CONTENT_LENGTH] => 290
[CONTENT_TYPE] => application/json; charset=utf-8
[HTTP_X_ZM_TRACKINGID] => Webhook_409f4a3e202c4f39b3ca598e4ddaff38
[HTTP_CLIENTID] => xxxxxxxxxxxxx

tommy · May 4, 2020, 11:15pm

Hey @stevejohnson,

I belive the issue is on your PHP server configuration side of things. Checkout this stackoverflow:

Thanks,
Tommy

stevejohnson · May 4, 2020, 11:19pm

Thanks for that, didn’t occur to me to look there.

tommy · May 7, 2020, 6:01pm

Let me know if you resolve the issue @stevejohnson!

Thanks,
Tommy

stevejohnson · June 12, 2020, 5:53pm

Circling back around to this…

Adding the following to .htaccess file worked.

SetEnvIf Authorization “(.*)” HTTP_AUTHORIZATION=$1

If server configuration doesn’t allow SetEnvIf directives in .htaccess, may have to modify httpconf file.

michael.harrington · June 12, 2020, 3:55pm

Glad it worked @stevejohnson! Thanks for helping Tommy!

DeveloperBot · August 21, 2020, 10:00pm