Error in Refreshing with refresh tokens

I’m integrating the Zoom service with our service projects. Please have a look at the scenarios below.

Scenario 1: While integrating Zoom account A with user A on projects A and B, I’m getting the same access token and refresh tokens; no problems arise.

Scenario 2: While integrating Zoom account A with user A on project A and, after 1 hour, integrating the same Zoom account A with project B, I’m getting different access and refresh tokens (they differ from project A’s).
After integration, I’m creating a Zoom meeting with project A after 1 hour (token expired for project A). I’m getting the response as invalid access token while hitting the API call for updating the new access and refresh tokens. I followed your documentation, which states: "Refresh Tokens have a lifespan of 15 years. When you refresh an access token, you will also get a new refresh token that you need to use in your next refresh. Store the new refresh token safely for the next time when you try to refresh the tokens." Since I had not used up this refresh token before, why am I getting invalid refresh token (lifespan 15 years)?

Hey @ezhilvelan006 thanks for reaching out!

I believe the issue is you generated a new access_token which then made your previous refresh_token invalid.

Each time you refresh your access_token in the response you also get a new refresh_token that you need to use the next time you refresh your access_token.

Also make sure your refresh token request is accurate

POST REQUEST URL https://zoom.us/oauth/token?grant_type=refresh_token&refresh_token={{ REFRESH TOKEN HERE }}

POST REQUEST HEADERS:

{
"Authorization" : "Basic base64Encode({{client_id here}}:{{client_secret here}})"
}

Does that help explain things?

Thanks,
Tommy

No Tommy.

I had not generated a new access_token. The very first time, I integrated Zoom account A and stored all the details from the response. I just integrated the same Zoom account A again after 1 hour, and in that I found different access and refresh tokens. Will the 1st integration details not be valid after the 2nd integration with the same Zoom account? Using the 1st integration details, I’m trying to create a Zoom meeting link. But I found the access token expired, so I’m refreshing the 1st integration details with the refresh token (the token received on the 1st integration). In this scenario I’m getting the response as invalid refresh token. My question is why the refresh token is invalid, since I had not used this refresh token anywhere; I integrated the same Zoom account again, that’s all. How will it affect the 1st integration details? I followed your documentation and found that the refresh token is valid for 15 years until refreshing for a new access token, so why am I receiving the response as invalid refresh token?
Regards,
Ezhilvelan

Hey @ezhilvelan006,

I’m confused, what do you mean by “Integrating” (when you see the access and refresh tokens change)?

Are you reinstalling the app or something else?

Thanks,
Tommy

Hey Tommy,
Integration means authentication using OAuth.

Authenticating again using same Zoom account. No reinstalling the app.

Thanks,
Ezhilvelan

Thanks @ezhilvelan006,

Can you double check you are following the correct flow?

Here is the flow from start to finish on a per install basis,

  1. Go to url below (or click install app button on app dashboard) to authorize your app,

GET https://zoom.us/oauth/authorize?response_type=code&client_id={YOUR_CLIENT_ID}&redirect_uri={YOUR_REDIRECT_URI}

Grab the authorization code in the redirect url https://yourRedriectUrl.com?code={AUTHORIZATION_CODE}

  2. Then request an access token

POST https://zoom.us/oauth/token?grant_type=authorization_code&redirect_uri={YOUR_REDIRECT_URI}&code={AUTHORIZATION_CODE}

HEADERS: {"Authorization": "Basic BASE64ENCODED(CLIENT_ID:CLIENT_SECRET)"}

This will give you an access_token and refresh_token

The access_token is different per user and lasts for one hour.
The refresh_token is different per user and lasts for 15 years (unless you refresh the access_token, in which case it becomes invalid and you get a new one).

You want to store both of these.

Now let’s say your access_token is no longer valid

  3. You need to refresh the access_token,

POST https://zoom.us/oauth/token?grant_type=refresh_token&refresh_token={REFRESH_TOKEN}

HEADERS: {"Authorization": "Basic BASE64ENCODED(CLIENT_ID:CLIENT_SECRET)"}

Now this will return a new access_token AND a new refresh_token. You need to store these new values as the old ones are now invalid.

You can use the access_token to call Zoom APIs, and when the access_token is expired, repeat step 3 for that user to get a new access_token and refresh_token.

Let me know if this helps, otherwise I will look into your account specifically.

Thanks,
Tommy

@tommy I’m not sure if this is related, but we’re seeing inconsistent refresh results. We are refreshing tokens in a batch and 99% of the time it works fine, but occasionally it will fail on a portion of the refresh requests with the Invalid refresh Token error message. Is this a known issue and what can we do about it so that our users are not constantly having to reauthorize our app?

Hey @Ryan_Chapman,

Possible duplicate / relation to:

https://devforum.zoom.us/t/how-to-refresh-token-if-refresh-token-in-incorrect

Can you PM me with your app id (path in url when on app marketplace dashboard) and account email and we will take a look?

Thanks,
Tommy

@tommy I am experiencing the same issue. The token was authenticated only once, and when it was used to generate a new one, I got this error that it’s an invalid refresh token, which is really weird. I can be sure about it being a fresh one because whenever I refresh a token, I have an update call for it. However, this, my friend, doesn’t seem to work.

Hey @muhammad.faizan.cs,

Can you confirm your app is still installed? Can you try reinstalling the app and trying the refresh flow again?

(The reports we have gotten about this recently were looked into and they were due to users uninstalling the app, or the refresh token being used already).

Thanks,
Tommy

Hey, @tommy. It seems that I have a problem refreshing the token that looks like the one mentioned above.

  1. I have correct access_token and I have correct refresh_token. An access_token has been obtained once via OAuth. “Correct refresh_token” = some time later after an error, I refresh token successfully with the refresh_token value I had (and which caused error on first usage).
  2. I refresh access_token every time when I receive error code 124 (“Access token expired”) for any of my API requests.
  3. I use PHP cURL to do this.
  4. Sometimes (yes, it’s a floating problem) I receive HTML error “Invalid client_id: (4,702)” on “grant_type=refresh_token&…” request and my application isn’t ready for that.

Here are my HTTP dumps (with credentials and cookies obfuscated) with some of my notes, which might help to resolve my issue (and maybe some others’):
https://pastebin.com/CL4bmh1W

In a few words: I see HTTP 302 redirect to a zoom.us/oauth/signin URL with empty client_id parameter as a response to ?grant_type=refresh_token… request.
Might it be a problem source?

Hey @ilia.krendelev,

Are you passing in the authorization header when refreshing the tokens each time?

https://marketplace.zoom.us/docs/guides/auth/oauth#refreshing

Thanks,
Tommy

Yes, I do that every time.

In my dump paste I have replaced my authorization credentials by BASE64_ENCODED_CLIENTID_colon_CLIENSECRET placeholder, but they are present in every grant_type=refresh_token request and are correct (defined as constants and never changed).

Hey @ilia.krendelev,

Thanks for the details, can you share your App name so I can investigate further?

-Tommy

Hi @tommy,

I think I’m having a similar issue as @ezhilvelan006 who originally created this thread, but just switching his different “projects” with our “tenants”.

We have multitenant support in our application, so a given user (with email A) can have accounts in both Tenant1 and Tenant2, which are totally isolated environments (with different login credentials). This means that if the user wants to connect our app to his Zoom account, he will repeat the OAuth flow twice, once for each tenant.

The problem here is that once he completes the OAuth flow on the second tenant, he gets a new refresh token, which invalidates the previous refresh token that was created for the first tenant (stored separately).

How can we go around this issue?

One possible fix would be to store the ZoomUserId beside the refresh token, and when a new refresh token is generated, we update all DB records for that ZoomUserId.
Does that make sense, or are there other alternatives?
Also, this wouldn’t be that easy if we end up storing different tenant info in different databases, which we eventually plan to do.

Thank you,
Miroslav

Hey @miroslav.grozdanovsk,

Your best option here is to have 2 separate OAuth apps, one for each tenant.

This is my other suggested solution! :)

Thanks,
Tommy

Hi @tommy,

The main problem with separate OAuth apps is that we create new tenants on each new registration in a fully automated way. So I’m guessing it wouldn’t be possible or desirable to keep creating N OAuth apps for N tenants.

@miroslav.grozdanovsk are you able to store current refresh_tokens for each userId?

@michael.zoom, yes

Hey @miroslav.grozdanovsk,

We will have multiple token support for each authenticated user in the future.

For now, you can update or share the tokens across the multiple logins / tenants.

Thanks,
Tommy
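
An added example, not code from any poster in this thread or from Zoom: a sketch of the "share the tokens across tenants" approach, with one token record per Zoom user and a per-user lock so batch or concurrent refreshes never replay a refresh_token that has already been rotated. FakeZoomTokenEndpoint is a constructed offline stand-in that models the behaviour reported above (a new authorization or a refresh invalidates the previous refresh_token); the class names, method names and user IDs are hypothetical.

```python
import secrets
import threading

class FakeZoomTokenEndpoint:
    """Constructed stand-in for the token endpoint: one live refresh_token per Zoom user."""
    def __init__(self):
        self.live = {}  # zoom_user_id -> currently valid refresh_token
        self.lock = threading.Lock()

    def _issue(self, zoom_user_id):
        pair = {"access_token": secrets.token_hex(8), "refresh_token": secrets.token_hex(8)}
        self.live[zoom_user_id] = pair["refresh_token"]  # any older refresh_token is now dead
        return pair

    def authorize(self, zoom_user_id):  # stands in for the authorization-code exchange
        with self.lock:
            return self._issue(zoom_user_id)

    def refresh(self, zoom_user_id, refresh_token):
        with self.lock:
            if self.live.get(zoom_user_id) != refresh_token:
                raise PermissionError("Invalid refresh token")
            return self._issue(zoom_user_id)

class SharedTokenStore:
    """One token record per Zoom user, shared by every tenant linked to that user."""
    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.tokens = {}  # zoom_user_id -> latest token pair
        self.locks = {}   # zoom_user_id -> lock serializing refreshes for that user
        self.guard = threading.Lock()

    def _lock_for(self, zoom_user_id):
        with self.guard:
            return self.locks.setdefault(zoom_user_id, threading.Lock())

    def connect(self, zoom_user_id):
        """A tenant completed the OAuth flow: overwrite the shared record."""
        with self._lock_for(zoom_user_id):
            self.tokens[zoom_user_id] = self.endpoint.authorize(zoom_user_id)

    def refresh(self, zoom_user_id, stale_access_token):
        """Refresh once; callers still holding the replaced access_token reuse the new pair."""
        with self._lock_for(zoom_user_id):
            current = self.tokens[zoom_user_id]
            if current["access_token"] == stale_access_token:
                current = self.endpoint.refresh(zoom_user_id, current["refresh_token"])
                self.tokens[zoom_user_id] = current  # persist before releasing the lock
            return current["access_token"]
```

The lock here only covers a single process. With several workers or per-tenant databases, the same compare-then-rotate step needs a shared lock or a row-level lock on the one record that holds the Zoom user's tokens.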