Authorization codes generated from the zoom app are no longer valid (Invalid authorization code)

API Endpoint(s) and/or Zoom API Event(s)
/oauth/token

Description
Users can no longer generate access tokens in our apps. We use the Zoom Apps SDK (“authorize/onAuthorized” flow) to generate the authorization code, then pass the code to our server where it is used to get an access token.

This was working in our published app up until very recently (at least 2 weeks ago we know for sure this was working).

Have verified that nothing seems to have changed according to your docs, stuff like the Basic auth header, and the request parameters seem fine.
The request body includes the following parameters:

code=xyz, grant_type=authorization_code, redirect_uri=xyz, code_verifier=xyz

We use the “plain” code challenge method since it's the only thing you support for …reasons I'm sure.
The generated authorization code looks like the same format as before, nothing stands out as weird. The redirect URL and client_id/client_secret in the Basic auth header match what is configured in the app's marketplace page (and yes, I have checked that it's using the production credentials etc. - plus it was working until the last few days).

We are aware that the authorization code is single use, and it is not stored after it has been used to get an access token.

Have also tested the access token request using the authorization code we get when installing the app from the store, and those codes work. The same server-side function requests the access token for both flows on our end, so I do not see how anything can be wrong there seeing as it is working for the authorization codes we get in the app install url.
The only difference between those flows is that one uses the code challenge/verifier, and as stated that part was working fine until recently. I found some log entries with invalid_grant starting from April 6th, but they started en masse yesterday (April 15th).

Have also looked at our apps in the marketplace, and there are no warnings or anything to indicate that there is an issue with how the apps are set up.

Has anything changed on your end around PKCEs or this oauth flow in the last weeks?

How To Reproduce
Use the “authorize/onAuthorized” flow in zoom apps sdk to generate an authorization code. Attempt to exchange the code for an access token.
Token endpoint then responds with:
400 Bad Request {"reason":"Invalid authorization code","error":"invalid_grant"}


Hi @aaanders
Thanks for reaching out to us and welcome to the Zoom Developer Forum!
Hum, this is interesting. I will send you a DM to take a closer look at this issue


Thanks @aaanders! Sharing your findings here:

It seems like there was a change on how in-client oauth works. It is now using “s264” PKCEs instead of “plain” as was the case up until a few days ago.

I will share this with our Docs team to update our docs accordingly.
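The mismatch the thread ends on, as an added illustration that is not part of the forum posts or of Zoom's code: a client that still derives its challenge with the "plain" method while the authorization server verifies with S256 will always fail the /oauth/token exchange with invalid_grant, even though the code itself is fresh and single-use. The server side is a simplified model (the real server stores the challenge against the issued code; it is assumed here to check with one fixed method), and the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    # RFC 7636 base64url encoding without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes -> 43-character verifier (spec allows 43..128).
    return b64url(secrets.token_bytes(nbytes))


def code_challenge(verifier: str, method: str) -> str:
    # Derive the code_challenge sent with the authorize request.
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method: {method}")


def token_request_body(code: str, redirect_uri: str, verifier: str) -> dict:
    # Form parameters for POST /oauth/token (client creds go in the Basic header).
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


def server_accepts_verifier(stored_challenge: str, server_method: str, verifier: str) -> bool:
    # Server recomputes the challenge from the presented verifier and compares
    # in constant time with what it stored when the code was issued.
    return secrets.compare_digest(code_challenge(verifier, server_method), stored_challenge)


def simulate_exchange(client_method: str, server_method: str, verifier: str) -> dict:
    # Hypothetical end-to-end model: client picks its method at authorize time,
    # server checks with its own method at token time.
    challenge = code_challenge(verifier, client_method)
    if server_accepts_verifier(challenge, server_method, verifier):
        return {"access_token": "constructed-token", "token_type": "bearer"}
    return {"reason": "Invalid authorization code", "error": "invalid_grant"}
```

Running simulate_exchange("plain", "S256", v) reproduces the error body quoted in the original post; switching the client to "S256" makes the same verifier succeed.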