How can I create an OAuth App only used for the master and its sub-accounts without publishing?

– Background –
We have a main master account and can create unlimited sub-accounts under it.

Currently, we leverage JWT to perform most user operations, such as creating a user, updating user profiles/settings, creating/scheduling users' meetings, adding/updating sub-accounts' plans, moving users from one sub-account to another, etc.

Unfortunately, the only thing the JWT cannot be leveraged for is user authentication.

Hence, we have to have our own user authentication flow and implementation.

– Plan –
We hope to leverage Zoom's authentication, like Google's or Facebook's, and use the OAuth App to retrieve the basic user profile so we can perform the remaining operations behind the scenes via JWT or OAuth (which means we don't have to implement/maintain/manage users' authentication anymore).

However, we don't want to create an OAuth App for every single sub-account; instead, we hope that only one OAuth App is created and can be used by all users in the master account and in its new/existing sub-accounts, and that the same OAuth App is only available for and published within the master account and its sub-accounts.

How can I achieve this? Thank you.

Hey @ct_yen,

Thank you for reaching out to the Zoom Developer Forum. If you create an account-level OAuth app from your master account, it should be available for all sub-accounts as well. Have you tested accessing such an app from your sub-accounts? If so, please let me know if you're encountering any issues.

Thanks,
Max

Hi, @MaxM

Based on my test, with an OAuth App created on the master account, a user under one of the sub-accounts can't install that App once the Zoom login succeeds. Should I adjust anything on the App to let it work? Thank you.


Both User-level and Account-level OAuth Apps have been tried. The screenshot shown below is the result from the account-level OAuth App. It seems the account-level OAuth is restricted to users with the admin role only.


Hey @ct_yen,

Thank you for testing that, I confirmed this on my end so it looks like the OAuth app will need to be published in order for it to be available to Sub-Accounts. Sorry for the misinformation there!

What’s your use-case for installing a non-published OAuth app? If you don’t want to publish the app and you only intend to use it with sub-accounts, JWT Authentication may work best in conjunction with the Master Account APIs.

I hope that helps! Let me know if you have any questions.

Thanks,
Max

Hi, @MaxM

Our use case is that we would like to leverage Zoom's authentication to make sure the registered user is the right owner with a valid session period before they can access our portal, and also to allow sign-up from our portal: if the user is new, our back-end process automatically registers his/her email with Zoom and creates a Zoom account for the user.

For OAuth App publishing, it is a manual process with Zoom's review. If we have to create an OAuth app per account, new users can't access our portal right away after they sign up from our portal, because we have to manually create an OAuth App and send it to Zoom for review first. Secondly, if the user is moved from one account to another, the user has to confirm and agree to a different OAuth App again and again.

Regarding the JWT authentication you recommend, if users log in on Zoom's portal, how can we retrieve the right information (access token) from our portal so we know the user has logged in successfully and is still within a valid session period? OAuth provides a redirect (callback) URL so we can receive the information; what about JWT?

Hey @ct_yen,

Thank you for providing additional information.

if we have to create an OAuth app per account, new users can't access our portal right away after they sign up from our portal, because we have to manually create an OAuth App and send it to Zoom for review first.

One of the benefits of using OAuth is that users outside of your account can install the app. This means that, once published, users would be able to use a single OAuth app instead of one per account, as would be needed without publishing the app. Once a user has installed and authorized your app, you would be able to make requests on their behalf.

Regarding the JWT authentication you recommend, if users log in on Zoom's portal, how can we retrieve the right information (access token) from our portal so we know the user has logged in successfully and is still within a valid session period?

When it comes to JWT, you’re correct in that it wouldn’t allow you to authenticate their session in the same way as OAuth. This is because the JWT token is account-level and doesn’t have a user-level mechanism at this time.

From here, it sounds like it would still be best to have a JWT app for making back-end requests on behalf of the user and potentially a separate published OAuth app that is used for authenticating the users and performing actions while they have a valid session.

Let me know if that helps.

Thanks,
Max
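As an added illustration that is not part of this thread (not Zoom's code and not the original poster's), the Python sketch below shows why the two mechanisms Max contrasts answer different questions. The legacy Zoom JWT app format was an HS256 token whose only claims are the API key as issuer and an expiry: it proves the caller holds the account secret and carries no user identity, so it cannot attest that a particular user logged in. The OAuth authorization-code flow does carry that, via the redirect callback, and the callback handler here shows the check a portal must make on it (a single-use `state` value bound to the browser session) before exchanging the code. The API key/secret, client credentials, redirect URI and the dict used as a session store are constructed values; the two Zoom OAuth endpoint URLs are assumed from Zoom's published documentation rather than taken from this thread.

```python
"""Account-level JWT vs. user-level OAuth callback: a constructed comparison."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse
from typing import Optional

# Assumed from Zoom's OAuth documentation; not taken from the thread above.
AUTHORIZE_URL = "https://zoom.us/oauth/authorize"
TOKEN_URL = "https://zoom.us/oauth/token"


def _b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_account_jwt(api_key: str, api_secret: str, ttl_seconds: int = 60,
                     now: Optional[int] = None) -> str:
    """Mint a legacy Zoom-style JWT: HS256, issuer = API key, short expiry.

    Note what is absent: any user claim. The token only proves possession of
    the account secret, which is why it cannot confirm a user's login/session.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": api_key, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(api_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_account_jwt(token: str, api_secret: str, now: Optional[int] = None) -> dict:
    """Check the HMAC in constant time and the expiry; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(api_secret.encode(), f"{head_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def build_authorize_url(client_id: str, redirect_uri: str, session: dict) -> str:
    """Step 1 of the authorization-code flow: where to send the browser.

    A fresh random `state` is stored in the caller's session (a plain dict
    here, constructed for the example) and must return unchanged on the
    redirect; that is the CSRF/replay check performed in handle_callback.
    """
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": session["oauth_state"]}
    return f"{AUTHORIZE_URL}?{urllib.parse.urlencode(params)}"


def handle_callback(query_string: str, session: dict, client_id: str,
                    client_secret: str, redirect_uri: str) -> dict:
    """Step 2: validate the redirect and build the code-for-token exchange.

    Returns the HTTP request the back end would POST to TOKEN_URL; it is not
    sent, so the example runs offline. The stored `state` is consumed on use.
    """
    q = urllib.parse.parse_qs(query_string, strict_parsing=True)
    if "error" in q:
        raise PermissionError(f"authorization denied: {q['error'][0]}")
    expected_state = session.pop("oauth_state", None)
    received_state = q.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "code" not in q:
        raise ValueError("callback carried no authorization code")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urllib.parse.urlencode({"grant_type": "authorization_code",
                                        "code": q["code"][0],
                                        "redirect_uri": redirect_uri}),
    }


if __name__ == "__main__":
    # Constructed credentials; never embed real ones in source.
    tok = make_account_jwt("example-api-key", "example-api-secret")
    print("JWT claims:", verify_account_jwt(tok, "example-api-secret"))
    sess = {}
    print("Redirect user to:", build_authorize_url("example-client-id",
                                                   "https://portal.example/callback", sess))
```

Reading the two halves side by side makes Max's point concrete: the JWT's claims identify the account, so the only thing a portal can learn from it is that its own back end signed it, whereas the OAuth callback returns a code tied to the user who authorized the app in that browser session, and the `state` check is what ties that code back to the request the portal itself started.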