Coldfusion: Oauth2, 'Invalid authorization code'/'invalid_grant' on token request

I am trying to build a server-to-server integration from my ColdFusion site to Zoom. So far, getting the authorization code worked, but requesting the access token did not.

It's ColdFusion 11 (yep, quite old, but my company is currently still supporting this old version).

My Code:

	<cfset local.sBasicAuth = ToBase64( "CLIENT_ID:CLIENT_SECRET" )>

	<cfhttp
		method = "post"
		url = "https://zoom.us/oauth/token"
		result = "local.struCFHTTP"
		charset = "utf-8"
	>
		<cfhttpparam type="header" name="Accept" value="application/json">
		<cfhttpparam type="header" name="Content-Type" value="application/x-www-form-urlencoded">
		<cfhttpparam type="header" name="Authorization" value="Basic #local.sBasicAuth#">

		<cfhttpparam type="formfield" name="grant_type" value="authorization_code">
		<cfhttpparam type="formfield" name="code" value="CODE">
		<cfhttpparam type="formfield" name="redirect_uri" value="REDIRECT_URI">

	</cfhttp>

	<cfdump var="#local.struCFHTTP#">

Error Message:

|Key |Value |
|---|---|
|Charset |UTF-8|
|ErrorDetail |[empty string]|
|Filecontent |{reason:Invalid authorization code,error:invalid_grant}|
|Header |HTTP/1.1 400 Bad Request Date: Mon, 07 Nov 2022 09:46:55 GMT Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Connection: close x-zm-trackingid: v=2.0;clid=aw1;rid=WEB_090ca22cc7a5a418bda5a6052117b2b8 x-content-type-options: nosniff content-security-policy: upgrade-insecure-requests; default-src https://*.zoom.us https://zoom.us blob: 'self'; img-src https: about: blob: data: 'self'; style-src https: safari-extension: chrome-extension: 'unsafe-inline' data: 'self'; font-src https: safari-extension: chrome-extension: blob: data: 'self'; connect-src * about: blob: data: 'self'; media-src * rtmp: blob: data: 'self'; frame-src https: ms-appx-web: zoommtg: zoomus: wvjbscheme: data: 'self'; object-src 'none'; base-uri 'none'; x-frame-options: SAMEORIGIN set-cookie: zm_aid=; Domain=.zoom.us; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly p3p: CP=NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM x-zm-zoneid: OH1 Cache-Control: no-store pragma: no-cache CF-Cache-Status: DYNAMIC Set-Cookie: zm_haid=; Domain=.zoom.us; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly Set-Cookie: zm_tmaid=; Domain=.zoom.us; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly Set-Cookie: zm_htmaid=; Domain=.zoom.us; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly Set-Cookie: cred=403CFFC379EA474A027672A9E047812F; Path=/; Secure; HttpOnly Set-Cookie: _zm_page_auth=aw1_c_ZOc2jdauQ0ePFBTeLuw_7g; Domain=.zoom.us; Path=/; Secure; HttpOnly Set-Cookie: _zm_ssid=aw1_c_ZJQXr-q3QseKEw2aqFOBSA; Domain=.zoom.us; Path=/; Secure; HttpOnly Set-Cookie: _zm_ctaid=fbt8-4jUSGSGF34KkANrdQ.1667814415767.4fba24cbc05096cf7b7d882970fe3a71; Domain=.zoom.us; Expires=Mon, 07-Nov-2022 11:46:55 GMT; Path=/; Secure; HttpOnly Set-Cookie: _zm_chtaid=597; Domain=.zoom.us; Expires=Mon, 07-Nov-2022 11:46:55 GMT; Path=/; Secure; HttpOnly Set-Cookie: _zm_mtk_guid=9c386a92ac31411eb5842c4737def53b; Domain=.zoom.us; Expires=Wed, 06-Nov-2024 09:46:55 GMT; Path=/; Secure Set-Cookie: __cf_bm=R3L3G882Ab37Tw_xpkZRASuCzZZG_Ibp4CCbFfVYC8A-1667814415-0-ASjygfV+avhAZzz8k4P460Z3FO/0hPdxKcgkDEDeKYwxynYXXtWTzBMA1axh+bJ8GlXsK3WS6zI4q9h34mEtN9s=; path=/; expires=Mon, 07-Nov-22 10:16:55 GMT; domain=.zoom.us; HttpOnly; Secure; SameSite=None Report-To: {endpoints:[{url:https:\/\/a.nel.cloudflare.com\/report\/v3?s=FL%2BTnkzTq5mAD4HaoNxyEJ0oN6O%2FBbADVPD90Nl2xAUfF1hGp%2FHpXJqy8Hx4mgxs91vsO3qn6iRBOfoUGpkHNEV0%2BHrr%2FDp8TjTwPIotrfQ1Y5mkJL1YS1s%3D}],group:cf-nel,max_age:604800} NEL: {success_fraction:0.01,report_to:cf-nel,max_age:604800} Server: cloudflare CF-RAY: 76652501f9ba6d83-MUC alt-svc: h3=:443; ma=86400, h3-29=:443; ma=86400|
|Mimetype |application/json |

Hi @marc.polatschek,
Thanks for reaching out to the Zoom Developer Forum. I am happy to help here!
It looks like you are using the wrong set of credentials.
You do not need to pass the code or redirect_uri to generate access tokens with the Server to Server OAuth app.

Here is a topic that I wrote on how to use the Server to Server OAuth app type with Postman.

This might help you understand the issue you are seeing.
Best,
Elisa
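
As an added example (not part of the reply above and not Zoom's own code), this is how the token request from the question could look for a Server to Server OAuth app: no `code` and no `redirect_uri`. It assumes the `account_credentials` grant with an `account_id` parameter, which is what Zoom documents for this app type; the function name `getZoomS2SToken` and the `ACCOUNT_ID`, `CLIENT_ID` and `CLIENT_SECRET` values are placeholders.

```cfml
<!--- Added example: hypothetical helper, placeholder credentials. --->
<cffunction name="getZoomS2SToken" returntype="struct" output="false">
	<cfargument name="accountId" type="string" required="true">
	<cfargument name="clientId" type="string" required="true">
	<cfargument name="clientSecret" type="string" required="true">

	<!--- HTTP Basic credentials are the app's client id and secret. --->
	<cfset local.sBasicAuth = ToBase64( arguments.clientId & ":" & arguments.clientSecret )>

	<cfhttp
		method = "post"
		url = "https://zoom.us/oauth/token"
		result = "local.struCFHTTP"
		charset = "utf-8"
		timeout = "15"
	>
		<cfhttpparam type="header" name="Accept" value="application/json">
		<cfhttpparam type="header" name="Authorization" value="Basic #local.sBasicAuth#">

		<!--- Server to Server OAuth: account-level grant, no authorization code. --->
		<cfhttpparam type="formfield" name="grant_type" value="account_credentials">
		<cfhttpparam type="formfield" name="account_id" value="#arguments.accountId#">
	</cfhttp>

	<!--- Fail closed on anything other than a 200 with a JSON body.
	      Only the status goes into the message: the body and headers can
	      carry tokens or session cookies and should not be dumped or logged. --->
	<cfif Left( local.struCFHTTP.statusCode, 3 ) NEQ "200" OR NOT IsJSON( local.struCFHTTP.fileContent )>
		<cfthrow type="Zoom.TokenRequestFailed"
			message="Zoom token request failed with status #local.struCFHTTP.statusCode#">
	</cfif>

	<cfset local.struToken = DeserializeJSON( local.struCFHTTP.fileContent )>
	<cfif NOT StructKeyExists( local.struToken, "access_token" )>
		<cfthrow type="Zoom.TokenRequestFailed" message="Zoom response contained no access_token">
	</cfif>

	<!--- The caller sends access_token as a Bearer token and reuses it until expires_in elapses. --->
	<cfreturn local.struToken>
</cffunction>

<cfset struToken = getZoomS2SToken( "ACCOUNT_ID", "CLIENT_ID", "CLIENT_SECRET" )>
```

Load the three credentials from server-side configuration rather than hard-coding them in the template, and avoid `cfdump` of the full response outside local debugging.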

Thanks for the reply. I somewhat got confused and messed up between the OAuth App and the Server to Server OAuth App.

In the end I need to create meetings, invite (and create) participants and stuff like that. Are both variants able to do this?

Hi @marc.polatschek,
You can do that with both apps (Server to Server OAuth app or just the OAuth app).
It depends on who will be using your app.
If it’s going to be internal (used by an application or yourself), I will encourage you to implement our Server to Server OAuth.
But if this is intended to be used by a 3rd party person, then an OAuth app will be your best option.
Best,
Elisa