In-client auth - Invalid authorization code

Zoom Apps Configuration
React with Backend Service
ZoomSdk version 16.5 installed via npm GitHub - zoom/appssdk: Build Apps that run in the Zoom Client

I am working on implementing in-client auth and am able to successfully receive a response and code from the zoomSdk.authorize and zoomSdk.addEventListener(“onAuthorized”, callback) methods. However, when using the code from the onAuthorized callback to request an access token, I’m receiving an error from the Zoom token endpoint.

When attempting to fetch a token I get the following response:

{'reason': 'Invalid authorization code jH8sFKaViM_RSTLNTS-Tk-_mCVkEdZpAQ', 'error': 'invalid_grant’}

The code above is the one received in the onAuthorize callback.

Troubleshooting Routes
I’ve already attempted generating the PKCE challenge and verifier manually to rule out issues with the code_verifier being sent to Zoom’s /oauth/token url

How To Reproduce
I’m using a development app to test in-client auth and am following the work-around described in zoom docs to test.

In the FE - authorize and handle onAuthorized callback

zoomSdk.authorize({ codeChallenge })
zoomSdk.sendEventListener("onAuthorized", getTokenViaBackend)

In the BE - Get the code and code_verifier from the FE request and make a call to the zoom token endpoint, which results in the error message above.

params = {
  grant_type: "authorization_code",
  redirect_uri: redirect_uri,
  "code": code,
  "code_verifier": code_verifier
headers={"Content-Type": "application/x-www-form-urlencoded"}),

Any help would be appreciated. Thanks!

Welp. It appears like something is amiss with the developer docs.

The docs say that SHA256 is the only challenge method that’s supported. However, when I generated using PLAIN (no sha256 encoding, the challenge and the verifier are the same string), I was able to successfully complete the auth flow and get an auth token.

The question I have now is, is it okay/preferred to leave my app using the plain pkce method? Or does something need to be updated on Zoom’s side?

@brad.bicknell My apologies for the delay getting back to you. You should indeed be able to use SHA256 encoding for your challenge method.

Are you seeing this same behavior outside of the client or only when using in-client authorization? With in-client authorization, you should be using the authorize() function which doesn’t have a challenge method parameter. More information here.

I’ll note that the authorization code does expire after 10 minute which can produce this error as well.

Hi @MaxM,

We are only using the PCKE method in in-client authorization. I’m not sure what you mean when you say that the authorize() function doesn’t have a challenge method parameter. The api docs have it listed as a required parameter Zoom Apps JS SDK reference codeChallenge as well as the example you linked to:

Please let me know what additional information I can provide. For now, I’m unblocked using the “plain” method to generate a challenge and verifier, but it seems like I should be able to use the SHA256 method to get an encrypted verifier.


See here: Unable to exchange token during in-client oauth flow (and other issues) - #10 by ash.provost

1 Like