Invalid scope: meeting:read as system can't support! (4,700)

I’ve been working off of a Zoom OAuth application under my own Zoom account, but as we’re about to submit our application for review, I asked my client to create an OAuth app under his own Zoom account, which we then configured to match my own.

I then adjusted our (Rails) application to use the new keys, but now when I try to OAuth, I get the following error:

Invalid scope: meeting:read as system can't support! (4,700)

I’ve double-checked that the new OAuth app is user-managed and has the meeting:read scope, so I can’t quite make sense of this error message. Any help would be greatly appreciated!

App Info

The public IDs for the two apps:

Old Client ID: 9aAi9nDOSBWDjAvW7e6uRw
New Client ID: s0fCHWtQTyegiWoaLuT6ZA

And here’s our list of scopes:

meeting:read
meeting:write
recording:read
recording:write
user:read
user:write

(… which all show as Saved for the new Zoom OAuth app.)

Hey @brad, thanks for the detailed post.

Where in the OAuth flow is this happening? After Authorizing the App, requesting an access_token, or refreshing an access_token?

Also, are you using the local test URL or publishable URL when getting this error? (I am assuming publishable.)

Can you share the request URL, headers, and body that is throwing this error so I can try to debug? (Leaving out API credentials.)

Thanks,
Tommy

Thanks for such a quick reply!

Apologies for not mentioning where I was running into the issue; I’m getting the error when going through the authorization flow, in-browser, before what would normally be the Zoom prompt asking if I want to authorize the app for the given scopes.

Here’s a specific example of a request (in-browser) that’s giving me the error:

https://zoom.us/oauth/authorize?client_id=s0fCHWtQTyegiWoaLuT6ZA&redirect_uri=https%3A%2F%2Fapp.anatomy.one%2Fusers%2Fauth%2Fzoom%2Fcallback&response_type=code&scope=meeting%3Aread%2Cmeeting%3Awrite%2Crecording%3Aread%2Crecording%3Awrite%2Cuser%3Aread%2Cuser%3Awrite&state=0b61d22af4ee5fc9c5365efab2e9e661fd55e64c32d4f5d3

Which, URI decoded, is:

https://zoom.us/oauth/authorize?client_id=s0fCHWtQTyegiWoaLuT6ZA&redirect_uri=https://app.anatomy.one/users/auth/zoom/callback&response_type=code&scope=meeting:read,meeting:write,recording:read,recording:write,user:read,user:write&state=0b61d22af4ee5fc9c5365efab2e9e661fd55e64c32d4f5d3

And it’s just a GET from the browser, so I imagine the headers aren’t of much interest, but here’s what I see in the Network tab in Firefox, just in case:

Accept                     :  text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Encoding            :  gzip, deflate, br
Accept-Language            :  en-US,en;q=0.5
Cache-Control              :  no-cache
Connection                 :  keep-alive
Cookie                     :  cred=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; __zlcmid=XXXXXXXXXXXXXX
Host                       :  zoom.us
Pragma                     :  no-cache
Upgrade-Insecure-Requests  :  1
User-Agent                 :  Mozilla/5.0 (X11; Ubuntu; Linu…) Gecko/20100101 Firefox/69.0

And to your publishable URL question: I’m using OmniAuth inside of Rails to handle OAuth, so it’s responsible for building / redirecting to this URL. This was functioning just fine before though, and I’m pretty sure the keys are the only thing that have changed. I guess that and the fact that the OAuth app is now not tied to my Zoom account (which I’m attempting to authorize with), but even then, my client (who does own the new app) is getting the same error code (4,700), just with a slightly different message:

Empty scope (either the client or the user is not allowed the requested scopes) (4,700)

Thanks so much for your help! Please let me know if I can provide any more detail!

So my client generated a publishable URL and I noticed the only difference was the scope param in the OmniAuth URL, so I removed the call in my config that passed the scopes into OmniAuth, and it worked!

The reason I was doing that in the first place was that another OAuth provider (I forget who, but I believe it was Google) was giving me trouble if I didn’t specify them on authorization, so I just added them explicitly to all my OAuth provider configs to avoid issues in the future. (… the irony is not lost on me.)

I’m really not sure why it was working before and just started breaking now though. And honestly, I’d prefer to uniformly pass scopes in for all OAuth providers, so if you happen to notice the issue (maybe it should be space-separated instead of comma-?), I’d appreciate you letting me know.

Either way, thanks so much for your help! Have a good one!

Hey @brad, thanks for all the details!

Glad your issue was resolved 🙂 Yes, with Zoom OAuth you do not have to add the scopes to the URL, because they are configured in the App Marketplace Dashboard.

You can however add them, but they must be separated by + instead of ,.

https://zoom.us/oauth/authorize?client_id=s0fCHWtQTyegiWoaLuT6ZA&redirect_uri=https://app.anatomy.one/users/auth/zoom/callback&response_type=code&scope=meeting:read+meeting:write+recording:read+recording:write+user:read+user:write&state=0b61d22af4ee5fc9c5365efab2e9e661fd55e64c32d4f5d3

Check out the scope query param details here in the table:

Thanks,
Tommy
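
The separator issue discussed in this thread, as an added example that is not part of the original posts and is not Zoom's or OmniAuth's code: RFC 6749 section 3.3 defines `scope` as a space-delimited list, and form encoding writes that space as `+`, which is the form shown in the working URL above. The client ID, redirect URI and helper names below are hypothetical placeholders.

```ruby
require "uri"
require "securerandom"

# Constructed values for illustration; not the poster's real configuration.
AUTHORIZE_ENDPOINT = "https://zoom.us/oauth/authorize"
CLIENT_ID    = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/users/auth/zoom/callback"

# Accepts an Array, or a String delimited by commas and/or whitespace, and
# returns a de-duplicated Array of scope tokens.
def normalize_scopes(scopes)
  tokens = scopes.is_a?(Array) ? scopes : scopes.to_s.split(/[,\s]+/)
  tokens.map(&:strip).reject(&:empty?).uniq
end

# Builds the authorization URL. Scopes are joined with a single space (the
# RFC 6749 delimiter); URI.encode_www_form serialises that space as "+".
# A fresh random state per request is what the callback later checks to
# reject forged (CSRF) authorization responses.
def authorize_url(scopes:, state: SecureRandom.hex(24))
  query = {
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    response_type: "code",
    scope: normalize_scopes(scopes).join(" "),
    state: state
  }
  "#{AUTHORIZE_ENDPOINT}?#{URI.encode_www_form(query)}"
end

# Returns the scope tokens that a parser following RFC 6749 (split on spaces)
# extracts from an authorization URL. This models the spec, not Zoom's
# server: a comma-joined list comes back as one single, unknown token.
def scopes_seen_by_spec_parser(url)
  params = URI.decode_www_form(URI.parse(url).query).to_h
  params.fetch("scope", "").split(" ")
end
```

Running `scopes_seen_by_spec_parser` over the URLs an OAuth client library generates for each provider is a quick pre-release check that a shared scope setting is being serialised with the delimiter that provider accepts.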