Zoom Apps Configuration
Our app is running on node.js backend and a combination of VanillaJS/AngularJS/React microfrontends.
Description
Our app is published and is working fine, but currently it only supports browser-based installation. We are trying to add In-Client OAuth support for better user experience. We followed the documentation, and now I’m following the instruction for testing the in-client auth by single user: share the app in meeting, remove the app, accept the app invite in the meeting chat. After that, the following happens:
1. I see the app Marketplace listing, where I press the Add button;
2. I see the in-client consent screen, where I press the Allow button;
3. App’s home screen is rendered. In the client code, I can see that the user’s state is authorized. However I don’t have the user’s Access Token yet, so I suggest the user to authorize the app, similar to the zoomapps-advancedsample-react sample. So I call the authorize SDK method.
4. In-client consent screen is shown again. User has to allow the access to the scopes once more.
This second consent screen is unexpected: according to documentation, the authorize should be silent unless scopes are changed. And it’s a nuisance to the user to have to provide consent twice.
After that, the auth process can be finished without further issues.
Error?
There is no error message, but the necessity to provide consent twice is unexpected and deteriorates user’s experience.
Question
Is it a bug, or is my in-client auth sequence wrong?
How To Reproduce
Reproduced by enabling In-Client Auth and testing it following the instruction. More details in the Description section above.
Zoom client version: 6.3.6 (56144) on Windows.
Note: for testing in-client auth, I temporarily disabled Guest Mode in the app.
Thank you for posting in the Zoom Developer Forum, @tkishkin. It looks like you are calling the authorize method. Instead, can you try calling the promptAuthorize method when the user status is authorized?
I’ve just tried calling the await promptAuthorize() method instead of authorize(), but it failed with the following error: zoom-apps-js-sdk.js?v=638705687161800000:135 Uncaught Error: No Permission for this API. [code:80010, reason:disabled_for_installed_apps].
Which in my opinion makes sense, as in the documentation it’s recommended to use promptAuthorize() in Guest Mode, i.e. when the app is not added by user (user’s state is unauthenticated or authenticated). In my case the state is already authorized, so authorize() is to be used (I see the same logic in the zoomapps-advancedsample-react sample that you linked).
Thanks for testing this. Could you share the code that handles the call to the authorize method? Also, please show the userContext printed to console at the time the call is made. I’d like to compare your implementation with mine.
I’ve created a simplified version of the Zoom app in a single page to demonstrate the code I use to authorize. You can see it in this gist.
The only dependencies of this page are:
Hi @donte.zoom , as I already mentioned in the community forum, a fix was found thanks to your suggestion. All I had to do was to add under “OAuth Allow Lists” the URL of the page from which the zoomSdk.authorize call was being made. In my case, https://zoom-cross-tenant.staging-linkando.com/zoomapp.
Indeed, the documentation mentions: "under the OAuth allow list section, add your app’s Home URL". The confusion in my case was due to the fact that my home URL redirects the user further to another subdomain, and only after that the zoomSdk.authorize is called. Maybe it’s worth rewording the documentation slightly to avoid such confusions.
Another adjustment I had to do was to send the current page URL (again, .../zoomapp) as redirect_uri when requesting https://zoom.us/oauth/token from the server. Initially I used to send my main OAuth Redirect URL like in in-browser auth, which led to invalid_grant error. Similar to this issue in another user’s forum post.
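The redirect_uri choice described in the post above, as an added Node.js example that is not part of the original thread or the poster's gist. The function names, the `flow` labels, the parameter names and all sample values are assumptions made for illustration; the `code_verifier` parameter assumes the PKCE-based in-client flow, and the allow-list check is only a local guard against a copy of the list kept in server configuration.

```javascript
// Added example, not code from the thread; all sample names/values are constructed.
const ZOOM_TOKEN_URL = 'https://zoom.us/oauth/token';

// Choose redirect_uri per the post above:
//   in-browser install -> the app's main OAuth Redirect URL
//   in-client auth     -> URL of the page that called zoomSdk.authorize
function redirectUriFor(flow, { oauthRedirectUrl, authorizePageUrl }) {
  if (flow === 'in-browser') return oauthRedirectUrl;
  if (flow === 'in-client') return authorizePageUrl;
  throw new Error(`unknown flow: ${flow}`);
}

// Build (without sending) the authorization_code request for the token endpoint.
function buildTokenRequest(p) {
  const redirectUri = redirectUriFor(p.flow, p);
  // Local guard: fail before the network call if the URL is missing from
  // our own copy of the app's "OAuth Allow Lists" (hypothetical config value).
  if (!p.oauthAllowList.includes(redirectUri)) {
    throw new Error(`redirect_uri not in OAuth allow list: ${redirectUri}`);
  }
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code: p.code,
    redirect_uri: redirectUri,
  });
  // PKCE verifier matching the code challenge given to authorize (assumption).
  if (p.codeVerifier) body.set('code_verifier', p.codeVerifier);
  const basic = Buffer.from(`${p.clientId}:${p.clientSecret}`).toString('base64');
  return {
    url: ZOOM_TOKEN_URL,
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body.toString(),
  };
}

// Send the request; a mismatched redirect_uri surfaces here as invalid_grant.
async function exchangeCode(p) {
  const { url, ...init } = buildTokenRequest(p);
  const res = await fetch(url, init);
  const json = await res.json();
  if (!res.ok) throw new Error(`token exchange failed: ${json.error || res.status}`);
  return json;
}
```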