@jaron I know exactly what you are going through: I experienced this problem myself back in 2022 (see my explanation here) and also see my July 2023 comment on this thread where I tried to help someone who was experiencing this problem. I never heard back from that person, so I don’t know whether my explanation was helpful or not but I hope it helps you.
The TLDR is this: all modern HTTP clients such as curl
and Microsoft’s .NET http client, for example, have a built-in security feature that prevents forwarding passwords and tokens when following HTTP 307 Temporary redirect
responses AND the redirect URL is on a difference domain. They do this on purpose to avoid leaking passwords and tokens. In the case of Microsoft, I can tell you that their HTTP client used to forward passwords and tokens until 2018. They closed the security gap in their http client sometime in 2018 and all releases since then no longer forward passwords and tokens. The behavior I just described might be desirable from a security stand point, but it conflicts with the way Zoom wants us to download files because they redirect our requests to a different domain.
I’m not super familiar with curl
but I’m pretty sure there’s an option you can specify to authorize the token to be forwarded when following the HTTP 307
redirect.