Issues with authorization grant process for OAuth app

Description
I have an OAuth connector set up on a web-server that reliably creates meetings for a handful of colleagues’ Zoom users (via the Zoom API) where I was previously able to complete authorization grants and establish OAuth tokens. The last time we successfully did this was June 22nd, but now the authorization grant process no longer works, although the established OAuth tokens still work perfectly. I don’t know whether this is due to tightened security or publication status of my connector. The connector is in an unpublished state and has both development and production client IDs and secrets. The user the connector was created under is not a full developer, to the best of my knowledge.

I don’t believe it’s appropriate to expose the app to the entire world, but I do need to allow more colleagues in my department to complete authorization grants.

Any thoughts on how to pursue this?

Error
“You cannot authorize the app / This app cannot be installed outside of the developer’s account.”
(prior to redirecting back to my webserver)

Which App Type (OAuth / Chatbot / JWT / Webhook)?
This is an OAuth app, associated with a user without full developer roles, ttbomk.

Which Endpoint/s?
zoom.us/oauth/authorize

How To Reproduce (If applicable)
Steps to reproduce the behavior:

  1. the standard grant authorization request
     https://zoom.us/oauth/authorize?response_type=code&client_id=7lstjK9NTyett_oeXtFiEQ&redirect_uri=https://yourapp.com
  2. sign in to grant authorization,
  3. see error page with text as above

Hey @rnahf,

Are you trying to have a Zoom user external to your own Zoom account install the app? If so, you will need to publish it to the app marketplace.

I am wondering if you were using the shareable beta url before it expired?

Thanks,
Tommy

The Zoom user is part of the same organization, and I confirmed with our Zoom admin that my user with the connector has some sort of developer role. There was some re-organization of the account, and this user was moved out of a sub-account in the past month with all of the others. From the account admin: “Good call, I’ve moved that account into a developer-enabled role now as it had been placed into the Member role during migration”.

I just tried testing the authorization grant process again, and it still fails - even when I do it for myself.

I wondered about the shareable beta url mechanism myself. I don’t see any indication on marketplace.zoom.us that we did, but not sure if there’s a good indicator for whether we made a choice or not.

Is there a specific developer role that’s needed for this connector to work? And what exactly does “outside of the account” mean?

Hey @rnahf,

Ah, interesting. Did the account that the app was created under get transferred or merged into another account? If so, we will have to fix the app on our end. This is a known edge case.

What is the name of your app?

Thanks,
Tommy

Glad this falls under a known edge-case! :slight_smile:
It’s an OAuth app called “AWCIM Web App Connector” and is now part of the arizona.zoom.us domain. (the user is azcim-webapp)

When I look at the /user#/ endpoint I see the users under the account that we would want to receive authorization grants from, so I don’t think we need to publish after all.

Many thanks for investigating.

Rob

Hey @rnahf,

You can fix this by creating a new OAuth app. Otherwise I am happy to fix the existing app for you if you would like?

Thanks,
Tommy

Hi Tommy,
I’ll try seeing how it goes with a new app, and let you know if I encounter any problems.
Thanks,
Rob

Hi again @tommy,

Before getting started on the new connector, can you confirm one way or another whether meetings set up through the old connector would be still valid once the new connector was in place? And also if we need to deactivate the old connector for the new one to function properly. The old connection still works for existing token refreshes, so we’d want to be able to fall back to it if the new connector doesn’t fix the issue.

Thanks,
Rob

Hey @rnahf,

Valid as in still scheduled and will work? Yes, the meetings will not be affected.

You don’t need to deactivate or delete the old app; creating a new OAuth app will not affect the other OAuth app.

Thanks,
Tommy

Perfect. Thank you very much!


You are welcome! :slight_smile:

-Tommy
