Description
I would like to get some clarification on the usage of client_credentials type of access_token which is used to subscribe for different events for an account.
Here are the steps used while testing:
A ‘General app’ type marketplace app, GEN_APP, is created using an account ACT1. This is still in ‘Development’ and in ‘Production’ mode so is limited to this account ACT1. The CLIENT_ID & CLIENT_SECRET from this app are stored.
The admin user of this account ACT1 tries to install this app GEN_APP and calls: MARKETPLACE/authorize?client_id=<CLIENT_ID>&response_type=code&redirect_uri=<REDIRECT_URL>
Code is received in the REDIRECT_URL and then OAuth process is initiated using “grant_type”:“authorization_code” which results in getting access_token (AUTH_ACCESS_TOKEN_1). This access_token is subsequently used for API resource calls.
Once the above step is complete, one more access_token (CLIENT_ACCESS_TOKEN) is fetched using “grant_type”:“client_credentials”. Please note, there is no need here for the ‘code’ parameter received in Step 3. This new access_token is subsequently used to subscribe for different events using /v2/marketplace/app/event_subscription for the above ACT1 (payload consists of “events”:[“meeting.ended”], “event_webhook_url”:<WEBHOOK_CALLBACK>, “subscription_scope”: “account”, “account_id”: ACT1). “event_subscription_id”: SUBS_ID_1 is received.
So once the above things are done, events are being received in the above WEBHOOK_CALLBACK. This is all good so far.
But now, I am interested in getting one more account ACT2 to install this GEN_APP.
This admin of ACT2 would have to go through the same above steps. However, I have my concern related to the access_token for grant_type:client_credentials for event subscription for this ACT2.
Can I use the same CLIENT_ACCESS_TOKEN received in Step 4 above to subscribe for events for this new account ACT2, or does yet another one need to be created?
Since there is no ‘code’ dependency and this is kind of marketplace app specific, I assume the same CLIENT_ACCESS_TOKEN can be used for this new ACT2.
Since our marketplace GEN_APP is still in ‘Development’ mode, I am unable to test this for the other account ACT2 in my setup.
When you go through the auth processes you have the client_access and secret which allows the app to be initiated.
Each user will get an access token back which is unique to that user on that account.
This is how zoom, in most cases, will identify who has connected.
If another user goes through the oauth process, then they will get back a different access token.
This is how Zoom can tell who is who.
I said most, because if you use the appsdk in a Zoom app, then those calls are authorised because you are in the Zoom App and authorised by it. However you would still need the token if you did an API call back to Zoom.
Hi @expertswho
I think I wasn’t clear enough when I said:
“This admin of ACT2 would have to go through the same above steps. However, I have my concern related to the access_token for grant_type:client_credentials for event subscription for this ACT2.”
Yes, I am aware that each user will have to fetch unique access_token in order to use for API calls. And this access_token is for grant_type: authorization_code. This case is clear, as mentioned before.
However, I am talking about the other type of access_token used for event subscription, i.e. grant_type: client_credentials. This is obtained using the client_id & client_secret of the marketplace app ONLY and does NOT have the ‘code’ dependency during the OAuth process.
Hi @ucczoomaruba,
The OAuth secret process returns a copy that is unique for that user using your app.
It DOES not return the same code for every OAuth.
Each customer/user must have done the OAuth to get their secret key and their refresh key.
For each api, you will then be passing back that code and an encoded string, which gives you the authority to request the api.
Zoom will then check that API call against the scopes you have requested, and will then return the data if it is a valid request.
There are so many examples from Zoom
Hi @expertswho
I am sorry to say that my concern is not understood again.
Let me try to explain it again:
First step for each user/account is to initiate below authorize call to get ‘code’:
oauth/authorize?response_type=code&client_id=ZOOM_CLIENT_ID&redirect_uri=ZOOM_REDIRECT_URL
I am aware of OAuth process where using ‘code’ param received during redirect URL, each user/account will request for access_token & refresh_token to access/call API resources. And this is done using:
POST https://zoom.us/oauth/token?grant_type=authorization_code
Please note, above grant_type is authorization_code and this access_token obtained is for subsequent API calls such as for:
/v2/metrics/meetings/<MEETING_ID>/participants?type=past.
And I am also aware this access_token is unique to each user/account. So each user/account/customer would have to get a different one using the client_id & client_secret & code params to get this.
The access_token obtained using grant_type: client_credentials, is used to subscribe to events such as “meeting.started” using below APIs dynamically:
POST /marketplace/app/event_subscription
For this access_token, only the client_id & client_secret of the marketplace app are required and no ‘code’ param, due to which it seems to be NOT unique for each user/account. However, the subscriptions in step 6 are for each user/account based on the payload for the event_subscription API. Also note, there is no refresh_token for this type. This token expires after 3599 and the same process has to be followed to get a new token without a refresh_token.
And I did NOT have to call below authorize call for redirection to get ‘code’ for this, as it’s not required here:
oauth/authorize?response_type=code&client_id=ZOOM_CLIENT_ID&redirect_uri=ZOOM_REDIRECT_URL
This above step is also fine. It’s working all fine so far, i.e. obtaining the access_token (grant_type:client_credentials) & subscribing to events. I am even getting the event notifications at my registered webhook URL once the meeting starts.
So now coming to my concern.
I just want to confirm whether the access_token that is obtained using grant_type: client_credentials, i.e. in step 5 above, remains the same for each marketplace app, and whether the same one can be used to subscribe for events for different users/accounts (with different payloads consisting of “account_id” & the others mentioned in my previous comment)?
(As I mentioned before, I could have tested this myself but there is a limitation with unpublished marketplace apps where other users/accounts cannot install it, so I am unable to test this currently)
It would be great if some extra eyes can be added to this issue, perhaps from your team. @elisa.zoom can you please help in this?
I hope my above details will help this time to understand my actual issue.
And I seriously hope that I am not missing anything here or not understanding what you have replied so far.
Feel free to ask for more info, if required.
Thanks
Hi @ucczoomaruba thanks for reaching out to us and thanks @expertswho for jumping in and sharing your experience!
You are spot on! You can generate access tokens using grant_type=client_credentials to create event subscriptions for a specific app. This token can only be used with that set of endpoints, and it will only work for the specific app it was generated for.
So yes, you should be able to use it with different payloads but always against the same app.
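The flow the thread settles on (one app-level client_credentials token, no refresh_token, reused across per-account event subscriptions), as an added example that is not code from the thread or from Zoom. It assumes Zoom's HTTP Basic client authentication on the token endpoint and the api.zoom.us host for the /v2 path; the FakeZoom transport is a constructed stand-in so it runs offline.

```python
import base64
import json
import time

TOKEN_URL = "https://zoom.us/oauth/token"  # endpoint quoted in the thread
# Path from the thread; the api.zoom.us host is an assumption.
SUBSCRIPTION_URL = "https://api.zoom.us/v2/marketplace/app/event_subscription"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # The app authenticates itself (not a user) with its own credentials.
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


class AppTokenCache:
    """Holds the app-level client_credentials token. There is no refresh_token,
    so once it nears expiry we request a fresh one with the same credentials."""

    def __init__(self, transport, client_id, client_secret, clock=time.time, skew=60):
        self.transport, self.clock, self.skew = transport, clock, skew
        self.auth = basic_auth_header(client_id, client_secret)
        self.token, self.expires_at = None, 0.0

    def get(self) -> str:
        if self.token is None or self.clock() >= self.expires_at - self.skew:
            status, body = self.transport("POST", TOKEN_URL + "?grant_type=client_credentials",
                                          {"Authorization": self.auth}, None)
            if status != 200:
                raise RuntimeError(f"token request failed: {status}")
            self.token = body["access_token"]
            self.expires_at = self.clock() + body["expires_in"]  # 3599 s per the thread
        return self.token


def subscribe_account_events(transport, token: str, account_id: str, webhook_url: str, events):
    # One subscription per account; the same app-level token authorises each call.
    payload = {"events": list(events), "event_webhook_url": webhook_url,
               "subscription_scope": "account", "account_id": account_id}
    status, body = transport("POST", SUBSCRIPTION_URL,
                             {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
                             json.dumps(payload))
    if status not in (200, 201):
        raise RuntimeError(f"subscription failed: {status}")
    return body["event_subscription_id"]


class FakeZoom:
    """Constructed stand-in for Zoom's API: counts token requests, records subscriptions."""

    def __init__(self):
        self.token_requests, self.subscriptions = 0, []

    def __call__(self, method, url, headers, body):
        if url.startswith(TOKEN_URL):
            self.token_requests += 1
            return 200, {"access_token": f"app-token-{self.token_requests}", "expires_in": 3599}
        self.subscriptions.append(json.loads(body))
        return 201, {"event_subscription_id": f"SUBS_ID_{len(self.subscriptions)}"}
```

Because the token is an app credential rather than a user one, keep it server-side with the client_secret and never hand it to a per-account component.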