Bug: Desktop Client generates malformed OAuth redirect URL (& instead of ?) — affects ALL Marketplace apps

Zhengbang · March 9, 2026, 7:09am

Summary

The Zoom Desktop Client constructs a malformed redirect URL when a user who is not logged into the Zoom web portal clicks “Add” on any Marketplace app. The continue parameter is appended with & instead of ?, producing a URL with no valid query string delimiter. This results in a 400 error in the browser.

This is a Zoom client-side URL construction bug — it is not specific to any individual app or developer integration. We have confirmed it affects first-party and third-party apps alike (Google Drive, Workday, our own app, etc.).

Steps to Reproduce

Log out of Zoom on the browser (zoom.us).
Log in to the Zoom Desktop Client using Google OAuth or Apple OAuth (SSO).
Open the App Marketplace inside the desktop client.
Search for any app — e.g., “Google Drive”, “Workday”, or any other Marketplace app.
Click the “Add” button.
A browser window opens with a malformed URL → 400 error.

Expected Behavior

The desktop client should construct a valid URL with ? as the query string delimiter:
https://zoom.us/google_oauth_signin?continue=https%3A%2F%2Fzoom.us%2Foauth%2Fauthorize%3Fclient_id%3D…

Actual Behavior

The desktop client uses & where ? should be:

https://zoom.us/google_oauth_signin&continue=https%3A%2F%2Fzoom.us%2Foauth%2Fauthorize%3Fclient_id%3D…

Since there is no ? anywhere in the URL, the server treats the entire path as a resource path rather than a path + query string, and returns a 400 Bad Request.

Manually replacing &continue= with ?continue= in the browser address bar produces the correct behavior — the user is taken to the Zoom sign-in page and then redirected to the app’s OAuth consent flow.

Scope of Impact

All Marketplace apps are affected — this is not app-specific.
All users who authenticate to the Desktop Client via Google or Apple SSO but have not separately logged into zoom.us in their browser.
Both google_oauth_signin and apple_oauth_signin paths exhibit the same behavior, suggesting the bug is in shared URL-building logic within the desktop client.

Workaround

If the user logs into zoom.us in their browser before clicking “Add” in the desktop client, the OAuth redirect is bypassed entirely and the app installs correctly.

Environment

Zoom Desktop Client Version: 6.7.7 (76486)
OS: macOS
Tested apps: Google Drive, Workday, Microsoft 365

Why This Matters for Developers

This bug creates a broken first-run experience for any Marketplace app whose users authenticate via Google or Apple SSO on the desktop client. As app developers, we have no control over the URL that Zoom constructs when the user clicks “Add” — this is entirely within Zoom’s client-side code. Users hitting a 400 error on install will assume the app is broken, leading to abandonment and negative perception of our apps.

We’ve filed a support ticket (TS2256244) which has been escalated, but wanted to raise visibility here in case other developers are seeing the same issue or can confirm.

Has anyone else encountered this?

Topic		Replies	Views
Incorrect error message "Invalid redirect url" during OAuth authorization API and Webhooks	46	10323	March 22, 2021
Invalid redirect URL (4700) for marketplace listed app API and Webhooks	2	709	August 26, 2021
Invalid redirect: ... (4,700) Authentication	4	1293	March 21, 2023
Randomly see Invalid redirect url(4700) error when auth the App App Marketplace	2	860	March 5, 2021
Invalid redirect URL 4700, but URL is valid Meetings	3	852	September 21, 2022