Cannot log in to same OAuth account from 2 devices using same Client ID

Description/Error
My setup: I have an iOS app and a Mac app. Both use Zoom OAuth to log in and add/edit/delete meetings. Both use the same client ID.

When I log in to Zoom on the Mac, it seems to invalidate the tokens that I've stored on iOS. If I then re-login on iOS, the Mac's tokens are invalidated.

Is each user only allowed a single OAuth access/refresh token per client ID, and each login invalidates any existing tokens?

Which Endpoint/s?
OAuth login, meetings endpoints

How To Reproduce (If applicable)
Steps to reproduce the behavior:

  1. Log in to Zoom with OAuth from my Mac app using my client ID
  2. Can add/edit/delete meetings just fine on Mac
  3. Log in to Zoom with OAuth from my iOS app using the same client ID
  4. Can add/edit/delete meetings just fine on iOS
  5. Cannot add/edit/delete meetings on Mac anymore; I get "Invalid Token"
  6. Re-login to Zoom with OAuth on Mac
  7. Can add/edit/delete meetings just fine on Mac
  8. Cannot add/edit/delete meetings on iOS anymore; I get "Invalid Token"

Additional context
Am I understanding correctly that any active access/refresh token is immediately invalidated when that same user logs into Zoom using OAuth using the same client ID that was originally used? Is it not possible for a user to have 2+ OAuth sessions on a client ID?

Hey @Adam_Wulf,

When you say OAuth do you mean installing / reauthorizing a Zoom OAuth App multiple times across your devices? If so, then yes each time you go to the install url, it will revoke any prior access and refresh tokens.

Can you please share your use case?

That being said, there does seem to be a bug or feature request here.

Thanks,
Tommy

Yes, I mean authorizing my app multiple times across 2+ apps using the same client ID.

My use case is a Mac + iPad + iPhone app that uses the Zoom API to add/edit/list upcoming Zoom meetings. I'm currently using the same Zoom client ID across all 3 devices. When I authorize Zoom on one of those devices, the other 2 devices log out.

My initial thought was to simply use multiple client IDs, and set up a Mac client ID and an iOS client ID, but then I'd have the same problem for iPhone vs iPad. Those are shipped as the same iOS app, so if the user installs the app on their phone and also on their iPad, then the iPhone will log out the iPad, and vice versa.

I’d like to be able to authorize a user on multiple devices, and have each device be independent of the others so that the user isn’t logged out on other devices when they add a new device.

Hey @Adam_Wulf,

So basically you are using Zoom OAuth as the primary authentication for your application? If so, Zoom OAuth was designed to “Connect” your Zoom account to an existing application, not to handle authentication for your app across all your devices.

The proper way to do this would be to handle authentication on your end, saving separate access_tokens and refresh_tokens for each device that logs in, or upon successful login send the existing access_token to the new device to use. Then "Connect to Zoom" via our OAuth to get a single reference access_token and refresh_token and save it in your users database along with your access_token and refresh_token records. That way on each authenticated device, there will be a single Zoom connection and that connection will be retained. Here is what a sample database would look like:

Users Table

  user_id (primary key) | your_access_token | your_refresh_token | zoom_access_token                  | zoom_refresh_token
  1                     | asdfkljhfjksal    | kasiwqe            | 12fwfs3rg2r23.12ffasdf.fsadfas     | oiwqe9832.asgpo0932
  2                     | qweruiowrquwioer  | zxcvjkasd          | zxcv909.zxvzcxvn23.21asdfasdf      | mopqower123.mzqqe
  3                     | zxcvzxcvzxcv      | sadfjhvkjo         | poaaskf9v00zxcv.214nsdafo.asfg     | d0194.vnasoiewq.avjadu382

Here is the flow:

  1. User logs in using your authentication method
  2. Upon successful login, you use their user_id or their your_access_token to look up the zoom_access_token you have stored for that user.
  3. Use the zoom_access_token to make requests to the Zoom API.

Let me know if that makes sense.

Thanks,
Tommy
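
The flow Tommy describes above, as an added example that is not part of the original thread and is neither Zoom's code nor the poster's app: a minimal backend that issues a session per device but keeps exactly one Zoom access/refresh pair per user, and renews it with the stored refresh token instead of sending the user through the install URL again. FakeZoom is a constructed stand-in that models only the two behaviours stated in the thread (each authorization revokes every earlier token; a refresh rotates the pair); it does not call Zoom's real endpoints, and the class and function names are hypothetical.

```python
"""Added example: one Zoom connection per user, many device sessions per user.

FakeZoom is a constructed stand-in for the authorization server, modelling
only what the thread states: authorize() revokes prior tokens and refresh()
rotates the pair. No real Zoom endpoint is contacted.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


class FakeZoom:
    """Constructed stand-in; NOT Zoom's API."""

    def __init__(self):
        self.valid = {}        # access_token -> refresh_token
        self.by_refresh = {}   # refresh_token -> access_token

    def _issue(self):
        access, refresh = secrets.token_hex(8), secrets.token_hex(8)
        self.valid[access] = refresh
        self.by_refresh[refresh] = access
        return access, refresh

    def authorize(self):
        """Install-URL flow: every previously issued token is revoked."""
        self.valid.clear()
        self.by_refresh.clear()
        return self._issue()

    def refresh(self, refresh_token):
        """Refresh rotates the pair; a revoked refresh token raises KeyError."""
        access = self.by_refresh.pop(refresh_token)
        del self.valid[access]
        return self._issue()

    def call_api(self, access_token):
        """True if the token would be accepted by a meetings endpoint."""
        return access_token in self.valid


@dataclass
class ZoomConnection:
    access_token: str
    refresh_token: str
    expires_at: float


@dataclass
class User:
    user_id: int
    sessions: dict = field(default_factory=dict)      # session -> device_id
    zoom: Optional[ZoomConnection] = None             # the single connection


class Backend:
    """Hypothetical backend: your own auth in front, one Zoom pair per user."""

    def __init__(self, zoom):
        self.zoom = zoom
        self.users = {}
        self.session_index = {}   # session token -> user_id

    def login_device(self, user_id, device_id):
        """Your authentication step: a new device gets its own session only."""
        user = self.users.setdefault(user_id, User(user_id))
        token = secrets.token_urlsafe(16)
        user.sessions[token] = device_id
        self.session_index[token] = user_id
        return token

    def connect_zoom(self, user_id, lifetime=3600):
        """Run the install flow once per user, never once per device."""
        access, refresh = self.zoom.authorize()
        self.users[user_id].zoom = ZoomConnection(access, refresh, time.time() + lifetime)

    def zoom_access_token(self, session_token, now=None):
        """Look up the user's stored Zoom token; refresh it if expired."""
        now = time.time() if now is None else now
        conn = self.users[self.session_index[session_token]].zoom
        if conn is None:
            raise LookupError("user has not connected Zoom")
        if now >= conn.expires_at:
            # Use the stored refresh_token. Calling authorize() here would
            # revoke the pair every other device of this user relies on.
            conn.access_token, conn.refresh_token = self.zoom.refresh(conn.refresh_token)
            conn.expires_at = now + 3600
        return conn.access_token


def per_device_authorize_breaks(zoom):
    """The thread's failure mode: authorizing separately on each device."""
    mac, _ = zoom.authorize()
    ios, _ = zoom.authorize()
    return zoom.call_api(mac), zoom.call_api(ios)          # Mac token now dead


def shared_connection_works(zoom):
    """Both devices use the one stored pair, across a refresh, with no logout."""
    backend = Backend(zoom)
    mac = backend.login_device(1, "mac")
    backend.connect_zoom(1)
    ipad = backend.login_device(1, "ipad")                  # no Zoom flow here
    before = [backend.zoom_access_token(s) for s in (mac, ipad)]
    ok_before = all(zoom.call_api(t) for t in before)
    later = time.time() + 7200                              # token has expired
    after = [backend.zoom_access_token(s, now=later) for s in (mac, ipad)]
    ok_after = all(zoom.call_api(t) for t in after)
    return ok_before, ok_after, before[0] == before[1], after[0] == after[1], before[0] != after[0]
```

The second helper shows why the single connection has to live server-side: the refresh happens once, on whichever device calls first, and the other device then reads the rotated pair from the same record rather than presenting a token that Zoom has already retired.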

The only application I have is local to the iPhone/iPad/Mac. There’s no central database/web application/users table to attach zoom tokens to so that they could be shared across devices. I don’t have a primary authentication - instead the application works out of the box without any user login, and users can choose to optionally connect to additional services from any of their devices on a per-device basis. Those connections don’t sync across devices, and all api requests are initiated from the device itself.

By comparison, we also allow users to connect their Google accounts to sync down calendar appointments, and in that case the user logs into Google using OAuth separately on each of their devices, receiving different access/refresh tokens each time, and those logins act entirely separately. Device A’s tokens aren’t invalidated when logging in a 2nd time on device B.

There’s a few other OAuth providers we let users connect to from their devices, and in each case the access/refresh tokens aren’t invalidated on their other devices. Zoom appears to be the only provider we’ve integrated that invalidates all other tokens after each successful oauth login.

Hey @Adam_Wulf,

I see the issues here with local apps and no central database.

Unfortunately as of now Zoom’s OAuth does not support this use case. I will discuss adding this to the roadmap with our team.

Thanks,
Tommy


Ok, Thanks Tommy for passing it on and for confirming that’s the intended behavior for now


You're welcome! :)

Thanks,
Tommy