Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth (+JWT)
I’ve been running a video editor for my users for the last 3 months or so. It was code complete. Sometime last week something changed that broke my site/app.
This is the code I was running in PHP:
```php
function get_access_token_and_user_id($oauth_token, $website_redirect, $Client_id, $Client_secret, &$user_id, &$access_token) {
    // Exchange the authorization code for tokens; query values are URL-encoded.
    $url = 'https://zoom.us/oauth/token?grant_type=authorization_code&code=' . urlencode($oauth_token) . '&redirect_uri=' . urlencode($website_redirect);
    $options = array(
        'http' => array(
            'header' => "Authorization: Basic " . base64_encode($Client_id . ":" . $Client_secret),
            'method' => 'POST'
        )
    );
    $context = stream_context_create($options);
    $result = file_get_contents($url, false, $context);
    if ($result === FALSE) {
        return false;
    }
    $data = json_decode($result);
    if (!isset($data->access_token)) {
        return false;
    }
    $access_token = $data->access_token;
    // Split the JWT and decode its payload (second segment), which is base64url-encoded.
    $str_exploded = explode('.', $access_token);
    if (count($str_exploded) < 2) {
        return false;
    }
    $final = json_decode(base64_decode(strtr($str_exploded[1], '-_', '+/')));
    if (!isset($final->uid)) {
        return false;
    }
    $user_id = $final->uid; // NOW THIS IS CORRECT
    // $user_id = $final->userId; // THIS USED TO BE CORRECT
    return true;
}
```
Why did you guys change this? Seems an unrequired change that only breaks code without actually adding anything…
Not sure what you are trying to do. Are you trying to JWT Decode the access token? If so, doing so is not documented or supported, hence, could change anytime.
To get the userID of a user, use the Get User API.
- Zoom responds with accessToken and refreshToken JWTs
- 3rd party stores the JWTs for later use. The accessToken JWT includes “userId” which is equivalent to the “host_id” returned by many Zoom API calls. “userId” is stored as an individual database field for easy lookup

And then: Zoom cloud recording webhook:

- 3rd party app receives a webhook call from Zoom
- Webhook receiver code receives a JSON payload which includes payload.object.host_id
- Search database for user with host_id == payload.object.host_id
- Download the cloud recording and connect it to that user
None of this can happen anymore, because the accessToken no longer contains a field “userId”. It has been renamed to “uid”.
I now have to put yet another workaround in my Zoom code: check for tokenDecoded.uid || tokenDecoded.userId
I still respectfully disagree. It’s common practice to decode JWTs at either end and make use of that data. Any time an API changes an attribute name it is a breaking change.
Just because it’s “not listed in your docs” doesn’t mean that you can break common convention relating to it. I run a web app and none of my docs say “you can use a mouse to interact with this web app”, but I’m still not going to break mouse functionality one day for no reason.
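
The approach suggested in the reply above (ask the Get User API for the user ID instead of decoding the access token), applied to the webhook matching flow described in the thread, as an added example that is not code from any poster or from Zoom. It assumes the Get User endpoint `https://api.zoom.us/v2/users/me`, that the `id` field of its response is the value webhooks deliver as `host_id`, and that the webhook request has already been authenticated; the function names and sample data are hypothetical.

```javascript
// Request description for Zoom's Get User API; "me" is the user who authorized
// the token. Send it with any HTTP client (transport is left to the caller).
function buildGetUserRequest(accessToken) {
  if (typeof accessToken !== 'string' || accessToken === '') {
    throw new TypeError('access token must be a non-empty string');
  }
  return {
    method: 'GET',
    url: 'https://api.zoom.us/v2/users/me', // assumed endpoint, see lead-in
    headers: { Authorization: `Bearer ${accessToken}` },
  };
}

// Store the Zoom user ID from the Get User response body against the local
// account. The access token is never parsed, so its claim names do not matter.
function linkZoomUser(zoomIdToAccount, localAccountId, getUserBody) {
  const user = JSON.parse(getUserBody);
  if (!user || typeof user.id !== 'string' || user.id === '') {
    throw new Error('Get User response has no "id" field');
  }
  zoomIdToAccount.set(user.id, localAccountId);
  return user.id;
}

// Resolve the local account for a webhook via payload.object.host_id.
// Returns null for malformed bodies or for hosts that never linked an account.
function findAccountForWebhook(zoomIdToAccount, webhookBody) {
  let event;
  try {
    event = JSON.parse(webhookBody);
  } catch (err) {
    return null;
  }
  const obj = event && event.payload && event.payload.object;
  const hostId = obj ? obj.host_id : undefined;
  if (typeof hostId !== 'string') return null;
  return zoomIdToAccount.has(hostId) ? zoomIdToAccount.get(hostId) : null;
}

// Constructed sample data (not real Zoom output).
const SAMPLE_GET_USER = '{"id":"zoomUser123","email":"host@example.com"}';
const SAMPLE_WEBHOOK = JSON.stringify({
  event: 'recording.completed',
  payload: { object: { host_id: 'zoomUser123' } },
});
```

In a real app the `Map` would be the database column the thread describes, filled once right after the token exchange.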