Getting 400 No Permission when getting v2/report/activity and v2/report/operationlogs

API Endpoint(s) and/or Zoom API Event(s)
https://api.zoom.us/v2/report/operationlogs
https://api.zoom.us/v2/report/activities

Description
We have been receiving 400 No Permission errors when querying for activity and operation logs from several (but not all) of our customers’ Zoom OAuth apps, and for those affected, we started getting this error at the same time.

When guiding customers to set up their OAuth app for integration with us, we require them to set up the application with the Report with “View report data” scope. Did something change with those endpoints and the scopes required?

Also, we notice the docs we used to reference for these endpoints are no longer valid. Did these endpoints get deprecated?

Error?
status 400 Bad Request message No permission.

How To Reproduce
We have not been able to reproduce this with the OAuth apps we’ve created in our Zoom account. This issue has presented in some of our customers’ OAuth apps, not all.

2 Likes

Hey @yapanther , welcome to the Zoom dev community.

The most likely change is to the role permission associated with the scope rather than the scope associated with these endpoints.

Check that the users who have installed the applications also have permission to view Admin Activity Logs and Sign In/Sign Out reports in their role permission under Reports.

To check this, an account owner (or someone who can edit Role Permissions) can navigate to zoom.us/role and on the left sidebar – Admin > User Management > Roles. In the role associated with the installed user, navigate to Reports. Here, make sure the user has view access to Admin Activity Logs and Sign In/Sign Out.

We did change our documentation, and some previous links may be updated. Here are the docs for those endpoints:

On a separate note, we highly suggest you use one single OAuth application published to our App Marketplace both for compliance and easier management of the scopes available to the integration. Our Marketplace Developer Agreement requires third-party integrations to go through a functional and security review. We’d be happy to help review any questions on this; docs on this are available here: https://developers.zoom.us/docs/distribute/

2 Likes

Hey Michael, thanks for getting back to us.

This week, we managed to surmise that user role permissions were in play here (i.e. the user who created the app) and have begun working with customers on recreating their apps with a user who has the requisite permissions, so good to know that was, in fact, the source of the problem.

Regarding your note about a change on Zoom’s side:

“The most likely change is to the role permission associated with the scope rather than the scope associated with these endpoints”

Could you share any more information about the timeline of when this change happened? We’re working on a post-mortem and would like to include info on this change if relevant.

Regarding creating an official OAuth app, we will certainly look into it!

1 Like

Hey @yapanther, the change came from increased specificity in the role permission causing a mismatch between these users’ roles (the data available to them) and the resources requested by the endpoint. The change allowed users (and their admins) to specify whether they should have access to some but not all reports (ex: user activity reports). When the increased specificity was introduced, users could not access these resources through the API until their admin grants them this permission.

1 Like
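An added example, not part of the thread and not Zoom's code: a triage helper for an integration's own polling records that flags the `400` / `No permission.` response on the two report endpoints, names the role permission to have the customer's admin check, and reports whether the denials began together across customers (which points at a platform-side permission change rather than one customer's misconfiguration). The record layout, the one-hour window, the pairing of each endpoint with one role permission, and the sample data are assumptions of this example.

```python
from datetime import datetime, timedelta

# Role permissions named in the reply above; pairing each one with a
# specific endpoint is an assumption of this example.
ROLE_PERMISSION = {
    "/v2/report/operationlogs": "Reports > Admin Activity Logs (view)",
    "/v2/report/activities": "Reports > Sign In/Sign Out (view)",
}

# Constructed sample polling records:
# (customer, endpoint, ISO timestamp, HTTP status, error message)
SAMPLE_POLLS = [
    ("customer-a", "/v2/report/operationlogs", "2024-01-10T08:00:00+00:00", 200, ""),
    ("customer-a", "/v2/report/operationlogs", "2024-01-10T09:00:00+00:00", 400, "No permission."),
    ("customer-a", "/v2/report/activities", "2024-01-10T09:00:05+00:00", 400, "No permission."),
    ("customer-b", "/v2/report/activities", "2024-01-10T09:10:00+00:00", 400, "No permission."),
    ("customer-c", "/v2/report/activities", "2024-01-10T09:10:00+00:00", 200, ""),
]


def is_role_denial(status, message):
    """True for the error reported in this thread: HTTP 400, 'No permission.'"""
    return status == 400 and message.strip().rstrip(".").lower() == "no permission"


def triage(polls, window=timedelta(hours=1)):
    """Return (findings, correlated).

    findings: customer -> sorted list of role permissions to verify.
    correlated: True when two or more customers first hit the denial
    within `window` of each other.
    """
    onset, findings = {}, {}
    ordered = sorted(polls, key=lambda p: datetime.fromisoformat(p[2]))
    for customer, endpoint, ts, status, message in ordered:
        if not is_role_denial(status, message):
            continue
        onset.setdefault(customer, datetime.fromisoformat(ts))  # first denial only
        needed = ROLE_PERMISSION.get(endpoint, "unknown endpoint: " + endpoint)
        findings.setdefault(customer, set()).add(needed)
    times = sorted(onset.values())
    correlated = len(times) > 1 and times[-1] - times[0] <= window
    return {c: sorted(p) for c, p in findings.items()}, correlated


if __name__ == "__main__":
    results, together = triage(SAMPLE_POLLS)
    for customer, perms in results.items():
        print(customer, "-> ask the account admin to check:", "; ".join(perms))
    print("denials began together:", together)
```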

I see. Is there some way we can be notified in advance for such changes in the future?

1 Like

@michael.zoom we would like to make sure this doesn’t happen again. Is there a way we can know when a change like this is coming? Are there any known upcoming changes that are similar to this one? It breaks an integration for many of our customers.