Currently, I can enter only two redirect URIs: one for development and one for production.
Our application has three environments: development, staging, and production.
Should I redirect staging users to the development URI after the authorize request? Or maybe create one Zoom app for my development environment and one Zoom app for staging and production?
What’re your recommendations?
Is it safe to expose the authorization code to the user (browser)? Not the access token of course, just the code, and then the browser will send the code to my server to generate the access token and make the requests to the Zoom API secretly.
Which App Type? OAuth
A few options: you could use 1 OAuth app, and then redirect to the respective environment by whitelisting your environment domain names. Do note that the Redirect URL and whitelist URLs need to have the same base domain. So you could add a subdomain redirect for each environment.
Or you could create a different OAuth app for each stage, however, a Zoom OAuth app has a development and production environment with separate credentials already built into a single OAuth app, so you could use the Testing Credentials for both development and staging.
Yes, it is safe, and that is the recommended / industry standard OAuth2 flow.
About your first suggestion for my first question: maybe I don’t understand you correctly, but the redirect URI has to be static, doesn’t it? So, for example, if I have dev.example.com and stg.example.com, I can’t put both URIs in the redirect URI app configuration.
I tried to set redirect URI to http://localhost:300*/, and it seems like it’s working!!
I can’t find documentation about the syntax. Can you help me find it? (Maybe there are other special chars I can use.)
It can be dynamic!
How dynamic can or should it be?
Would the following work?
Our company provides a SaaS where each client site is distinct via a subdomain. We want to integrate Zoom in our Base Software, so that all clients can use it. We created one Zoom OAuth2 App for integration, and our client users can authorize using their Zoom accounts. The problem is that the redirect URL is based on our client subdomains, but we have too many clients (more than 500, and possibly more in the future), hence it will be very painful to manually add these subdomains to the White List in the OAuth2 configuration page.
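One common way to serve many environments or tenant subdomains from a single registered redirect URI, shown as an added example that is not from this thread or from Zoom: carry the tenant in a signed OAuth 2.0 `state` value, verify it at the one shared callback, exchange the code server-side there, and only then send the browser to an allowlisted subdomain. It assumes the provider echoes `state` back unchanged and that a session cookie scoped to the base domain is visible at the callback; `STATE_KEY`, `KNOWN_TENANTS`, `example.com` and the `/zoom/connected` path are hypothetical.

```python
import base64, hashlib, hmac, json, time

STATE_KEY = b"constructed-demo-key-load-from-secret-store"  # assumption: server-side secret
BASE_DOMAIN = "example.com"              # placeholder base domain
KNOWN_TENANTS = {"dev", "stg", "acme"}   # constructed; normally a tenant-database lookup
MAX_AGE = 600                            # seconds a state value stays valid

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(payload: bytes, session_nonce: str) -> bytes:
    # Binding the MAC to the browser session stops a state minted for one
    # user from being accepted in another user's browser (login CSRF).
    msg = payload + b"|" + session_nonce.encode()
    return hmac.new(STATE_KEY, msg, hashlib.sha256).digest()

def make_state(tenant: str, session_nonce: str, now=None) -> str:
    """Build the `state` value sent with the authorize request."""
    payload = json.dumps({"t": tenant, "iat": int(now or time.time())}).encode()
    return b64e(payload) + "." + b64e(_mac(payload, session_nonce))

def tenant_return_url(state: str, session_nonce: str, now=None) -> str:
    """Verify `state` at the shared callback; return where to send the browser."""
    try:
        p64, s64 = state.split(".")
        payload, sig = b64d(p64), b64d(s64)
    except ValueError:
        raise ValueError("malformed state") from None
    if not hmac.compare_digest(sig, _mac(payload, session_nonce)):
        raise ValueError("bad state signature")
    data = json.loads(payload)
    if (now or time.time()) - data["iat"] > MAX_AGE:
        raise ValueError("state expired")
    if data["t"] not in KNOWN_TENANTS:   # never build a redirect from an unknown label
        raise ValueError("unknown tenant")
    # The authorization code is exchanged here, server-side, before redirecting,
    # so it is not forwarded to the tenant subdomain.
    return f"https://{data['t']}.{BASE_DOMAIN}/zoom/connected"
```

With this layout only the shared callback URL has to be registered with the OAuth app, and adding a tenant means adding it to the server-side tenant list.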