Creating an OAuth Zoom app. Locally testing. Getting an OAuth token (https://zoom.us/oauth/token) ... blocked by CORS

I am testing my app locally. It is not published yet. My redirect page is opened and a code= parameter is passed to it. On that page, I’m attempting to get the access token using that code. I am blocked by CORS (403 response to the OPTIONS request). I include the Authorization header as described in your documentation (clientID and client secret, separated by a colon, base64-encoded)… but that header is not in the OPTIONS request that Chrome is sending. Is that what is required? Is there something else going on here? Does my hostname need to be on a whitelist?

REQUEST:
OPTIONS https://zoom.us/oauth/token HTTP/1.1
Host: zoom.us
Connection: keep-alive
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization
Origin: MYLOCALTESTINGSYSTEMHERE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: empty
Referer: MYLOCALTESTINGSYSTEMHERE
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8

RESPONSE:
HTTP/1.1 403
Date: Thu, 17 Mar 2022 20:44:16 GMT
Content-Length: 20
Connection: keep-alive
Server: nginx
x-zm-trackingid: WEB_b36dcbca206428369e1759af0a9b45ed
x-zm-cluster-id: local
x-zm-routing-result: 1$local$local$local
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH

Invalid CORS request
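
An added example, not part of the original post and not Zoom's code: `preflight_passes` applies the browser's preflight check to the 403 response captured above (a preflight only names `authorization` in `Access-Control-Request-Headers` and never carries its value, and this response has no `Access-Control-Allow-Origin`), and `build_token_request` builds the same code exchange for a backend, so the client secret stays out of page JavaScript. Assumptions: both function names, the placeholder origin and credentials, and the standard RFC 6749 form fields `grant_type`, `code` and `redirect_uri`.

```python
import base64
import urllib.parse
import urllib.request

TOKEN_URL = "https://zoom.us/oauth/token"  # endpoint named in the post

# Status and response headers taken from the capture in the post.
CAPTURED_STATUS = 403
CAPTURED_HEADERS = {"Server": "nginx",
                    "Allow": "GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH"}


def preflight_passes(status, headers, origin, wanted_headers):
    """Apply the browser's CORS preflight check to a captured response."""
    h = {k.lower(): v for k, v in headers.items()}
    if not 200 <= status < 300:
        return False  # a preflight response must have a 2xx status
    if h.get("access-control-allow-origin") not in ("*", origin):
        return False  # the calling origin was not allowed
    allowed = {x.strip().lower()
               for x in h.get("access-control-allow-headers", "").split(",")}
    # "*" covers ordinary headers but never Authorization, which must be named.
    return all(w.lower() in allowed
               or ("*" in allowed and w.lower() != "authorization")
               for w in wanted_headers)


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Build the code-for-token POST for a backend (hypothetical helper)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",  # RFC 6749 section 4.1.3 fields
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})


if __name__ == "__main__":
    # Constructed placeholder origin and credentials, not real values.
    print(preflight_passes(CAPTURED_STATUS, CAPTURED_HEADERS,
                           "https://dev.example", ["authorization"]))
    req = build_token_request("CODE_FROM_REDIRECT", "https://dev.example/cb",
                              "CLIENT_ID", "CLIENT_SECRET")
    print(req.get_method(), req.full_url, req.data.decode())
    # A backend would send it with urllib.request.urlopen(req).
```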