"Invalid Token!" error message when trying to refresh oauth token

Hope this helps others: different environments will invalidate the others’ refresh tokens. For example,

  1. User on the dev server does the OAuth workflow.
  2. User on the staging server does OAuth with the same account.
  3. Dev server user tries to use the access token. It fails, so it tries a refresh. Invalid token error.
  4. Dev server is now broken because the staging server got the most recent access & refresh tokens.
  5. Dev server re-authorizes. Refreshes work, but now the staging server is broken.
    …the cycle continues.

Take heart knowing that on production this won’t happen, because your users won’t be running OAuth transactions on your dev servers.

Thanks for sharing your experience with our community @viddd :slight_smile:

Hi @will.zoom and @tommy - I had this problem due to using the same Zoom account to test with two different user accounts of my own system. I.e. when user 2 linked the same Zoom account as user 1, user 1 would still appear linked, but the tokens would not work due to the problem described above. I wonder, is there any way to identify that two sets of auth tokens come from the same Zoom account, so that I can “unlink” the first user when a second links the same Zoom account, without requesting access to the “user” scope? At the moment I am just asking for the ability to create meetings, and would rather keep it that way than risk scaring users with demands for access to their full Zoom profile.

Hey @budgetcriticism,

Good question. One option could be to grab the access token when a user installs the app. You can JWT decode this to determine which user/account it belongs to. You can see my post here for more details on this approach (different topic, but decoding the access token is still relevant):

Let me know if this helps,
Will

Hi @will.zoom. Thank you very much for your reply. I’d actually already seen a post about jwt-decoding the auth token and extracting the user ID, but I wasn’t sure which claim / key in the JWT to use. I have since decided it must be the “uid”, given that I can see the same string used to represent me elsewhere in the Zoom system, but seeing as it’s not documented anywhere I am not sure - also I noticed today @tommy, in a different post, explaining that since this is an unofficial API it can unexpectedly change. So, I’ll need to think about how to handle that! I’ll probably just have to set up monitoring to catch a change to the data in the token and respond appropriately, and / or respond to failing API requests by retrying once and then un-linking the user’s account and sending an apologetic email (or something). Unless you can correct me about the API being unstable? It would be great, one day, if you could put that data in the token on an official basis, so we could rely on it properly.

Hey @budgetcriticism,

Thank you for the feedback, and happy to clarify. Just to make sure we’re on the same page, when you talk about an API that could change in the future, are you referring to the method of decoding a JWT token or a specific endpoint? Our OAuth endpoint should be pretty stable.

Let me know!
Will

Hi @will.zoom - sorry for using unclear language. I’m referring to the method of using jwt-decode to extract the user ID from the oauth access token.

Hi @budgetcriticism,

Thanks for clarifying—we don’t have any plans to change how OAuth access tokens are encoded. That said, this is a workaround of sorts, and I can appreciate the desire to have a more efficient way of handling this. I’m happy to share this feedback internally.

Thanks,
Will

Thanks, @will.zoom. It would just be useful to know this is reliable in the long term. But it is also good to know you don’t plan to change it.

Hi @budgetcriticism,

You can keep an eye on our Changelog to keep track of any changes to Zoom APIs, but correct—no plans to change this.

Thanks,
Will

Brilliant, thank you for that. I have subscribed (and noticed the RSS feeds, of which I approve). Would you be able to confirm please that the “uid” key is the one I need to detect that two OAuth tokens were generated using the same Zoom login?

Hey @budgetcriticism,

The UID refers to the User ID of the User who installed the app, and the AUD refers to the account of the user who installed the app. Does this help?

Thanks,
Will

1 Like
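One way to apply the answer above, as an added example that is not code from the thread or from Zoom: decode the access token's payload the way jwt-decode does (no signature check, so it is inspection only), key local account links on the `(aud, uid)` pair, and unlink the earlier local user when a second one links the same Zoom login. The claim names follow the thread but are undocumented, and the HS256 sample tokens are constructed for offline use; `link_account` and its `links` dict are my own assumed shapes.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Payload of a compact JWT, WITHOUT verifying the signature (what jwt-decode
    does). It proves nothing about the issuer, so only apply it to tokens your own
    app received from the OAuth token endpoint."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def identity_key(token: str) -> tuple:
    """(aud, uid): account and user that installed the app. The claim names are
    undocumented (assumption from the thread), so fail loudly if they move."""
    claims = decode_claims(token)
    missing = [c for c in ("aud", "uid") if c not in claims]
    if missing:
        raise ValueError(f"token lacks claim(s) {missing}; layout may have changed")
    return claims["aud"], claims["uid"]

def link_account(links: dict, local_user: str, token: str):
    """Map local_user to the Zoom identity in token. If a different local user was
    linked to the same Zoom login, drop that link and return its id: the older
    refresh token is dead anyway once the newer grant was issued."""
    key = identity_key(token)
    previous = links.get(key)
    links[key] = local_user
    return previous if previous not in (None, local_user) else None

def make_sample_token(claims: dict, secret: bytes = b"constructed-local-secret") -> str:
    # Constructed HS256 token for offline testing only; not how Zoom mints tokens.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

Because decoding is not verification, treat the result as a lookup key for your own records, never as proof of identity on its own.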

Yes, that’s helpful. Thank you.

No problem, glad I could help @budgetcriticism!

Best,
Will