Description
Currently, I can enter only two redirect URIs one for development and one for production.
Our application has three environments: development, staging, and production.
Should I redirect staging users to the development URI after the authorize request? Or maybe create one zoom app for my development environment and one zoom app for staging and production?
What are your recommendations?
Another question:
Is it safe to expose the authorization code to the user (browser)? Not the access token of course, just the code, and then the browser will send the code to my server to generate the access token and make the requests to the Zoom API secretly.
Thanks,
Which App Type? OAuth
Which Endpoint/s?
How To Reproduce (If applicable)
N/A
A few options: you could use 1 OAuth app, and then redirect to the respective environment by whitelisting your environment domain names. Do note that the Redirect URL and whitelist URLs need to have the same base domain. So you could add a subdomain redirect for each environment.
Or you could create a different OAuth app for each stage, however, a Zoom OAuth app has a development and production environment with separate credentials already built into a single OAuth app, so you could use the Testing Credentials for both development and staging.
Yes it is safe, and that is the recommended / industry standard OAuth2 flow.
About your first suggestion for my first question. Maybe I don’t understand you correctly, but the redirect URI has to be static, isn’t it? So for example if I have dev.example.com and stg.example.com I can’t put both URIs in the redirect URI app configuration.
I tried to set redirect URI to http://localhost:300*/, and it seems like it’s working!!
I can’t find documentation about the syntax. Can you help me find it? (Maybe there are other special chars I can use.)
It can be dynamic!
How dynamic it can or should be?
Would the following work?
Thanks @tommy, the redirect URI in the Zoom app configuration has to be a regex or something, otherwise I’ll get a mismatch on the code-to-token request, isn’t it?
Hi @tommy,
Our company provides a SaaS where each client site is distinct via a subdomain. We want to integrate Zoom in our base software, so that all clients can use it. We created one Zoom OAuth2 app for the integration and our client users can authorize using their Zoom accounts. The problem is that the redirect URL is based on our client subdomains, but we have too many clients (more than 500 and maybe more in the future), hence it will be very painful to manually add these subdomains to the whitelist in the OAuth2 configuration page.
This is totally possible! Let me walk you through how to do this with the base domain of example.com
For your whitelist, simply add your base domain: https://example.com
Then in your dev/prod redirect URL field, add a default redirect, https://any.example.com (this will be programmatically overridden to the correct subdomain, continue reading below)
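The two server-side pieces the thread describes, as an added example that is not code from the thread, from Zoom, or from any poster: (1) the browser lands on a per-tenant callback such as https://client42.example.com/oauth/callback?code=... and hands only the authorization code to the backend, and (2) the backend checks that the redirect host really sits under the whitelisted base domain, then exchanges the code for a token with the client secret, which never reaches the browser. The base domain example.com, the tenant names, the callback URL, the credentials and the function names are all constructed for illustration; the token endpoint URL is an assumption and should be taken from Zoom's own OAuth documentation.

```python
import base64
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed values for this example only.
BASE_DOMAIN = "example.com"            # the single whitelisted base domain
TOKEN_ENDPOINT = "https://zoom.us/oauth/token"  # assumption: confirm against Zoom docs


def redirect_uri_allowed(uri, base_domain=BASE_DOMAIN, allow_localhost=False):
    """True if uri is https and its host is base_domain or a subdomain of it.

    The suffix check is done on the parsed hostname with a leading dot, so a
    host such as example.com.other.test is rejected even though the string
    contains the base domain. allow_localhost permits http://localhost:<port>
    for local development only, matching the localhost:300* observation above.
    """
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    if allow_localhost and parsed.scheme == "http" and host == "localhost":
        return True
    if parsed.scheme != "https" or not host:
        return False
    return host == base_domain or host.endswith("." + base_domain)


def parse_callback(callback_url, base_domain=BASE_DOMAIN):
    """Split the URL the browser was redirected to into tenant, code and state.

    Returns None when the host is not under the base domain, so the caller
    never exchanges a code that arrived on an unexpected redirect.
    """
    if not redirect_uri_allowed(callback_url, base_domain):
        return None
    parsed = urlparse(callback_url)
    host = parsed.hostname.lower()
    tenant = None if host == base_domain else host[: -len("." + base_domain)]
    query = parse_qs(parsed.query)
    return {
        "tenant": tenant,
        "code": query.get("code", [None])[0],
        "state": query.get("state", [None])[0],
        # redirect_uri sent in the token request must equal the one used, minus the query
        "redirect_uri": f"https://{host}{parsed.path}",
    }


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Return (url, headers, body) for the server-side code-to-token exchange.

    The client secret only appears in the HTTP Basic header built here on the
    server; the body carries the code and the exact redirect_uri that received it.
    """
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not under the whitelisted base domain")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return TOKEN_ENDPOINT, headers, body


if __name__ == "__main__":
    # Constructed callback as the browser would deliver it to the tenant subdomain.
    cb = parse_callback("https://client42.example.com/oauth/callback?code=abc123&state=xyz")
    url, headers, body = build_token_request(cb["code"], cb["redirect_uri"], "my-id", "my-secret")
    print(cb["tenant"], url, body)
```

The actual POST to the token endpoint (for instance with `requests.post(url, headers=headers, data=body)`) is left out so the block runs offline; what matters for the question above is that the browser only ever carries the short-lived code, while the Basic header with the secret is assembled and sent from the server.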
@tommy Thanks a lot!
I highly recommend that you add this to your documentation, because this is a sort of gray area in OAuth2, and each Authorization Server implements this slightly differently.
What will happen if I update the user settings from the development environment? Will the production environment also be able to update the setting for the same user?
Please look into the below mentioned ticket as well -