I want to understand the complete process of “deauthorizing from an app” for a marketplace-published Zoom OAuth app:
Hello, we are in the process of creating a Zoom application that is intended to be published on the Marketplace. One requirement I see for the submission is that it requires a Deauthorization URL. I want to understand more about this process.
The details about this are added here: Deauthorization
What I want to know is what are the next steps here? Let’s say, I added a reauthorization URL in my Zoom application and started listening to the reauthorization events as well. I follow the below steps:
- Added the death URL in my application
- Zoom sends me a POST request when a user deauthorizes from my application
- I process the request and perform the security validation suggested by Zoom.
- The security validation passes and validates that the request did come from Zoom and a user did de-authorize from the application.
Now, my question is about the next steps from this point. I have validated the de-authorization event from Zoom. What’s next? What else is required from my application here? What should it do after the security validation of the event? I am finding it hard to understand the next steps for this URL, as I understand that the user has already de-authorized and removed the access, so their access token will also stop working.
Can you please help me out with the next steps here?
@jalal Hope you will be fine.
You can test that OAuth flow DeAuth in this way
- Get DeAuth payload from Zoom
- Create Postman Request
- Send it to your endpoint & validate
- revoke user access token
If still no clear please ping me here (WhatsApp).
Hello, Team Zoom. Could I please get an update on this? Thank you.
I want to add some more details to my initial question. I need to understand the process after going through this thread and reading the reply by @gianni.zoom: Zoom Deauth - Compliance
@gianni.zoom said the following:
“you should revoke user access and remove their data ”
So, here’s what the process should look like.
- A user uninstalls the app from the Marketplace.
- Zoom sends a request to the De-authorization URL.
- Our app will validate the call and confirm that the notification came from Zoom.
- Our app will then delete all user information stored against that user in our app.
- Additionally, our app will make a /revoke call to invalidate that user’s access token. The revoke process can be found here: OAuth for user authorized apps
Now, is the above process correct, or do we not need to perform point 5, as Zoom will invalidate the access token on its own once the user uninstalls at point 1?
Please confirm the above process, thank you.
Hi @jalal ,
the user will not be able to access the app since it’s uninstalled but you are responsible for sending the revoke access token request.
So, even after the user uninstalls, the access token we have remains valid and we are responsible for manually revoking it using the API. I wanted to confirm this because in most cases, uninstalling an app revokes the access token automatically. Still, it seems like, in the case of Zoom, we have to revoke the access token using the API after we receive the notification of the uninstall.
Yes please call the revoke token endpoint! Thank you!