Frequently receiving invalid_request / token revocation from Zoom

The token we get from Zoom seems to have a long enough expiry, and we’re frequently communicating with Zoom, yet our users are seeing invalid_request every 24 hours. It’s frustrating them and we can’t figure out what we need to do to keep the token fresh.

OAuth authorization error, token revocation: Error Domain=org.openid.appauth.oauth_token Code=-2 "invalid_request" UserInfo={OIDOAuthErrorResponseErrorKey={
    error = "invalid_request";
    reason = "Invalid Token!";
}, NSUnderlyingError=0x600003363b10 {Error Domain=org.openid.appauth.remote-http Code=401 "{"reason":"Invalid Token!","error":"invalid_request"}" UserInfo={NSLocalizedDescription={"reason":"Invalid Token!","error":"invalid_request"}}}, request=<NSMutableURLRequest: 0x6000023b0080> { URL: https://api.zoom.us/v2/users/me/settings }, NSLocalizedDescription=invalid_request}

Why is this happening so frequently?

Hey @fahad.beehive,

Thanks for reaching out about this, and happy to help.

If you’re running into an invalid token error, keep in mind that access tokens expire after one hour. Once expired, you will have to refresh a user’s access token. The purpose of the refresh token is to request a new access token. Although the refresh token expires after 15 years, it becomes invalid after it is used to request a new access token. You will receive a new access token and refresh token pair once you use the old refresh token. (You will have to replace the old values with the new ones.)

Typically, these are the most common reasons for such an error:

  1. If a new access token is generated, both the previous access token and refresh token will become invalid. So you will need to update each of these tokens each time you request a new access token.

  2. Another situation can arise if multiple requests are sent using the same refresh token within a short amount of time: a race condition may prevent all of the requests from going through successfully. In this case, if you are not able to update the refresh token on your end (this generally happens when you make multiple requests in a short amount of time), the recommended workaround is to reauthorize the app.

  3. If a user uninstalls the app by revoking the authentication, the refresh token will become invalid. This may not be a scenario in your case.

Let me know if this helps—thanks!
Will

We’re doing everything as you’ve suggested. We have many other OAuth2 services using the same code: Google accounts, Microsoft accounts, Office 365 accounts etc. None of these exhibit the same issue.

We don’t make multiple requests at the same time. I feel Zoom should not invalidate the refresh token when the auth token gets invalidated - Google does not do this. This may be the reason why we’re seeing this many issues. It seems at times when the user’s connection drops for whatever reason (bad connection?), we make a new request and it’s then when Zoom has already invalidated both tokens!

This is happening to a large number of our users and I can only see occasional network timeouts that cause this. Because of this, our app needs to periodically (2 times a day!) request them to Re-authenticate. It’s becoming a support nightmare when this isn’t something we should have to deal with.


I should add - we’ve also been testing some other iOS apps that integrate with Zoom and they seem to have the same issue. We’re prompted to authorize once a day. This seems like abuse in the name of security. It seems that when the app tries to connect to Zoom in the background, it possibly times out, or iOS background limits kick in and possibly kill the app before it’s able to store the new refresh / auth tokens that Zoom returned (having already invalidated the old ones).

Either way, there needs to be a better way of handling this. Surely Google and Microsoft care about security as much as Zoom? Why is Zoom invalidating the refresh token in a way that creates known issues?

There’s no excuse for “frequent requests” to be causing this either, unless it is because of the race condition created by invalidating both tokens as soon as a request comes in. At least put an internal timeout and reset the refresh token after maybe 1 day of the last time it got used, unless it gets used again and this pushes it further (or it expires). This will prevent this from happening.

Hi @fahad.beehive,

Thanks for reviewing my tips and for the feedback. In order to help confirm what is causing this issue for you, can you please share an example of a recent token that threw this error? You can email this to us at developersupport@zoom.us and reference this thread.

This will help us to take a closer look.

Thanks,
Will

Thanks Will, however we don’t store or log our token IDs so I don’t know how to provide you with one. We have not been able to reproduce this on our mac but several of our customers are experiencing this problem daily. We don’t have any way of sharing the tokens.

We’ve managed to send a user a special build that logs the token. I’ve emailed developer support - if someone could please look into this for us.

Here’s what we’re doing:

  1. The user authenticates with Zoom; we save both the refresh and access tokens.

We do this each time:

  2. Before each request made to Zoom, we check if a refreshed token is needed. If so, we make a call to Zoom to refresh the tokens.
  3. The returned refresh / access tokens are saved and re-used for subsequent requests (step 2).

We’ve added additional logging to our app and can see Zoom is failing to provide a new access token for a refresh token previously used (and still valid). This is for a mac app, where we make a single request to Zoom at a time. We’re not making multiple requests where we may end up requesting two different tokens. I don’t know what’s going on.

Also, I don’t know if this matters, but the user is using our app on three macs (each authenticated separately of course). Could this be causing automatic revocation? Can they use the same app authenticated multiple times on different machines?
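Added illustration, not code from the thread, from Zoom, or from Fahad’s app: a small Python model of the refresh-token rotation Will describes in his first reply (a refresh token is single-use, and using it invalidates the old access/refresh pair) together with the three-step client loop described in the post above. `RotatingAuthServer`, `TokenClient`, the token values, the expiry times and the "lost reply" scenario are all constructed for the example; the server models a single authorized user and stands in for Zoom’s token endpoint only as far as the thread describes it.

```python
"""Model of single-use refresh-token rotation and a client that survives it.

Everything here is constructed for illustration; it is not Zoom's behaviour
beyond what the forum thread states (one-hour access tokens, refresh token
invalidated on use, old access token invalidated on refresh).
"""
import secrets
import threading
from dataclasses import dataclass


class InvalidTokenError(Exception):
    """Stand-in for the 401 {"error":"invalid_request","reason":"Invalid Token!"}."""


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    access_expires_at: float  # epoch seconds, constructed clock


class RotatingAuthServer:
    """Single-user model of a rotating token endpoint (constructed, not Zoom's code)."""

    ACCESS_TTL = 3600  # access tokens live one hour, as Will states

    def __init__(self):
        self._lock = threading.Lock()
        self._valid_refresh = set()   # refresh tokens that may still be redeemed
        self._access_expiry = {}      # live access token -> expiry time

    def _issue(self, now):
        pair = TokenPair(secrets.token_hex(8), secrets.token_hex(8), now + self.ACCESS_TTL)
        self._valid_refresh.add(pair.refresh_token)
        self._access_expiry[pair.access_token] = pair.access_expires_at
        return pair

    def authorize(self, now):
        """The user completes the consent screen and a fresh pair is issued."""
        with self._lock:
            return self._issue(now)

    def refresh(self, refresh_token, now):
        """Redeem a refresh token exactly once; the old pair dies here."""
        with self._lock:
            if refresh_token not in self._valid_refresh:
                raise InvalidTokenError("invalid_request: Invalid Token!")
            self._valid_refresh.discard(refresh_token)  # old refresh token is now dead
            self._access_expiry.clear()                  # and so is the old access token
            return self._issue(now)

    def api_call(self, access_token, now):
        expiry = self._access_expiry.get(access_token)
        if expiry is None or expiry <= now:
            raise InvalidTokenError("invalid_request: Invalid Token!")
        return {"status": "ok"}


class TokenClient:
    """Client loop from the thread: before each request, refresh if needed,
    persist the new pair before anything else uses it, then reuse it.
    The lock makes refreshes single-flight, so two callers in one process can
    never present the same refresh token (the race Will warns about)."""

    SKEW = 60  # refresh this many seconds before the access token expires

    def __init__(self, server, store):
        self.server = server
        self.store = store  # dict standing in for the keychain / database
        self._refresh_lock = threading.Lock()

    def _ensure_fresh(self, now):
        with self._refresh_lock:
            pair = self.store["pair"]
            if pair.access_expires_at - self.SKEW > now:
                return pair  # still valid, no refresh needed
            new_pair = self.server.refresh(pair.refresh_token, now)
            self.store["pair"] = new_pair  # persist immediately, before any use
            return new_pair

    def request(self, now):
        pair = self._ensure_fresh(now)
        return self.server.api_call(pair.access_token, now)


def happy_path():
    """One request every ten minutes for a day; returns the number that succeed."""
    server = RotatingAuthServer()
    client = TokenClient(server, {"pair": server.authorize(now=0)})
    return sum(1 for t in range(0, 24 * 3600, 600) if client.request(now=t)["status"] == "ok")


def concurrent_refresh(threads=4):
    """Several callers hit the expiry boundary at once; with single-flight
    refresh exactly one of them redeems the token and the rest reuse the result."""
    server = RotatingAuthServer()
    client = TokenClient(server, {"pair": server.authorize(now=0)})
    results = []
    workers = [threading.Thread(target=lambda: results.append(client.request(now=3600)))
               for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return len(results)


def lost_response():
    """The refresh succeeds server-side but the reply never gets stored
    (timeout, app killed): the stored refresh token is now dead and the only
    way forward is a fresh authorization."""
    server = RotatingAuthServer()
    client = TokenClient(server, {"pair": server.authorize(now=0)})
    server.refresh(client.store["pair"].refresh_token, now=3600)  # reply dropped on the floor
    try:
        client.request(now=3600)
    except InvalidTokenError:
        return "reauthorize"
    return "ok"
```

`happy_path` shows that under these rules a single client can run for a whole day through many rotations without re-authorizing, and `concurrent_refresh` shows that serializing refreshes inside one process removes the same-token race. `lost_response` reproduces the failure mode discussed above: once a refresh reply is lost after the server has already rotated, no client-side logic can recover the pair, so the client must detect `invalid_request` on a refresh and fall back to the authorization flow rather than retrying with the stale token.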

Hi @fahad.beehive,

I can see that we’ve connected over email and I will continue the conversation there.

Thanks,
Will

We’re running into the same issue with our integration. If a resolution is reached, can you please post it back to this thread?

There seems to be no resolution for now - this is a bug in how Zoom handles OAuth. They invalidate your refresh and auth tokens the moment the user authenticates on a different device.

@morgs.dovetail please see my post here:

Thanks,
Will

Zoom, if you are keeping track, we are also having this issue. Supporting multiple devices is an important part of most web apps in today’s world. Thanks.

As a quick fix at least can Zoom not invalidate the previous refresh token so we can at least issue a new authorization token without having to re-auth from scratch?

I think Zoom is well aware of the problem, but perhaps doesn’t feel the urge to fix this since their own app doesn’t do this and they have not yet experienced it by trying to use an app that keeps asking them to re-authorize every single day. If they can force their engineer(s) into a room for three days with nothing but an app that does this, they may soon realize how frustrating this is for both users and developers who keep hearing about this multiple times a day, every single day.

Point to me ONE other app in this entire universe that does this and I will rest my case. This is not expected behavior, this is not a security feature; this is a glaring oversight and an embarrassing flaw in the current authorization flow that must take precedence over any new feature that the team is working on.

This is so bad that even our users don’t buy the excuse - they refuse to believe that Zoom cannot handle more than one active device at a time. I feel unless I start forwarding all these emails we receive, to zoom, this problem may never get fixed.

Thanks again for your feedback Fahad. I understand the frustration and this is an experience we’re hoping to improve. I’ve put in a feature request for this internally, and will be happy to share any developments on this as I have them. (ZOOM-251271)

Thank you,
Will

Many thanks Will! I’m only nitpicking but this doesn’t really fall under a feature request. It’s a bug-fix request :slight_smile:

Understood—thanks Fahad. :slight_smile:

Hi! I am experiencing the exact same issue. What was the final verdict of this? Is Zoom investigating or do we just have to build in fallback behavior on our end if we are not able to get a new access token?

As Will said, I believe it’s been reported to the development team. I would like to add, however, that since the last time I posted a message, we’ve continued to receive complaints daily from our users trying to use their account in our app across multiple devices. The need to reauthorize every day across devices is getting on everyone’s nerves.