JWT migration for mobile apps

Android and iOS meeting SDKs
Android version: v5.15.3.14929, iOS: v5.15.3.8898

Hi all,

As per the official JWT FAQ page it is documented that:

The JWT app type will be deprecated. We recommend that you create Server-to-Server OAuth or OAuth apps to replace the functionality of a JWT app in your account.

which was used to:

to establish secure server-to-server authentication

It also states:

Q: Who will be impacted by the JWT app type deprecation?
A: Current and new users of the JWT app type.

Per the same documentation it is stated that we can

go to your App Marketplace, go to Manage > Apps on Account > Created Apps. In the dropdown showing OAuth Apps, choose JWT.

After doing that we can see that we have only one app using the JWT token (our web and backend integration), while our mobile apps use the SDK app type.

Per migration guide, it states:

The Meeting SDK authorization and Video SDK authorization methods use JWTs to generate the SDK Auth signature. This has no association with the JWT app type.
and it even states that we should use SDK app type in order to complete the migration.

It also states, that if we already have an SDK app type (which we do) and have the Update flag next to it (which we do) that we should:

If you already have an SDK app type, and it has an “Update” flag, click “Update”. This will not break your SDK app’s functionality. It simply adds Zoom User Level OAuth capabilities to your SDK app which is optional for you to use.

Even the official meeting SDK documentation states that JWTs are used and if not passed we should use SDK secret and SDK key to use the SDK.

Since we finished migrating our JWT apps to use server to server, our questions for the mobile meeting SDK are:

  • Should we do anything besides clicking the Update button on the SDK app in order to add OAuth capabilities to our app?
  • If we do so, and even though it is stated that app won’t break, what will happen with users that are using production app, at this moment, after we update it?
  • Once we enable OAuth capabilities to the app do we need to set up scopes, local tests and other sections in the OAuth SDK app type?
  • Is it smarter to simply create a new meeting SDK app that uses OAuth and distribute that as an update of our mobile app or just "Update"ing the current meeting SDK app?

Looking forward to your answers!
Aleksandar

@aleksandar.simic

  • Should we do anything besides clicking the Update button on the SDK app in order to add OAuth capabilities to our app?

answer: If you are using the JWT token to retrieve data from the REST API previously, you will need to use the OAuth keys instead.

  • If we do so, and even though it is stated that app won’t break, what will happen with users that are using production app, at this moment, after we update it?

answer: It should not break your production app. But do note that the deadline will break your production app if you are still using JWT App Type.

  • Once we enable OAuth capabilities to the app do we need to set up scopes, local tests and other sections in the OAuth SDK app type?

answer: This question might be ambiguous. If you are using OAuth capabilities within Meeting SDK App Type, you just need to set the scope there. You do not need to create another OAuth App Type.

  • Is it smarter to simply create a new meeting SDK app that uses OAuth and distribute that as an update of our mobile app or just "Update"ing the current meeting SDK app?

answer: If you create a new meeting SDK app, you will need to republish this application. While it might be the same application as before, it will have no specific link to the older application.

Hi @chunsiong.zoom ,

Thanks for reaching out.

answer: If you are using the JWT token to retrieve data from the REST API previously, you will need to use the OAuth keys instead.

This is a bit of a confusing answer, as it contradicts the documentation, which states:

The Meeting SDK authorization and Video SDK authorization methods use JWTs to generate the SDK Auth signature. This has no association with the JWT app type.
and it even states that we should use SDK app type in order to complete the migration.

We are using the SDK Key and SDK Secret only, we do not do anything more than that, we let the Meeting SDK handle rest of the authentication for us. Our patients use the SDK to join a zoom meeting as guests while our providers are authenticated, and we did update our web client to use the OAuth.

So, are you deprecating JWT app type or JWT tokens? Those are two very different things and it is not clear what should be done exactly.

Also, about this one:

answer: It should not break your production app. But do note that the deadline will break your production app if you are still using JWT App Type.

Will it or not? "Should not" does not really sound assuring.

Thanks

Here are the different entities

There are App Types and Protocols.

  • SDK App Type (older version)

    • uses JWT Token to access REST API (this needs to be upgraded to OAuth, if you do not upgrade, it will deprecate in Sep 2023)
    • uses SDK Key and SDK Secret, which are used to sign a JWT Token. This token is for SDK Authentication. This is not deprecating.
  • SDK App Type (newer version)

    • uses OAuth to access REST API. This is not deprecating
    • uses Client ID and Client Secret, which are used to sign a JWT Token. This token is for SDK Authentication. This is not deprecating
  • JWT App Type

    • This is deprecating, it will stop working in Sep. The upgrade path is to use a Server-To-Server OAuth App Type, OAuth App Type or SDK App Type (There is OAuth within SDK App Type).
  • JWT Token (Protocol)

    • This is a protocol for signing tokens. It is a standard which we are using (JWT token) to authenticate Meeting SDK App Type and Video SDK App Type. This is not deprecating.
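
The distinction drawn in the post above, as an added example (not code from the thread or from Zoom): an HS256 JWT signed with the SDK Key and SDK Secret is just a signing protocol and involves no JWT app type. The claim names `appKey` and `tokenExp`, the 1800-second lifetime and the placeholder key and secret are assumptions; the token is assumed to be minted on a backend so the secret never ships inside the mobile app.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_sdk_jwt(sdk_key: str, sdk_secret: str, now: int = None, ttl: int = 1800) -> str:
    """Mint a short-lived SDK auth token (claim names are assumptions)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"appKey": sdk_key, "iat": now, "exp": now + ttl, "tokenExp": now + ttl}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(sdk_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_sdk_jwt(token: str, sdk_secret: str, now: int = None) -> dict:
    """Check algorithm, signature and expiry; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")  # wrong segment count raises ValueError
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")  # never trust the header's choice
    expected = hmac.new(sdk_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body))
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    # Constructed placeholder credentials, not real values.
    tok = sign_sdk_jwt("CONSTRUCTED_SDK_KEY", "CONSTRUCTED_SDK_SECRET")
    print(verify_sdk_jwt(tok, "CONSTRUCTED_SDK_SECRET"))
```
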

Thanks a lot for clarifying it!

@chunsiong.zoom

We’ve successfully created new OAuth Mobile SDKs and we are generating JWT tokens that we use to initialize it (as per sample project).

Since our apps are allowing patients to join a video call with their doctor, and they are not required to log in but rather log in as guests, we are using only the following logic:

JoinMeetingParams params = new JoinMeetingParams();
params.meetingNo = getMeetingId();
params.displayName = patient.getFullName();
params.password = getMeetingPassword();
meetingService.joinMeetingWithParams(context, params, opts);

We do not use any other functionality of the SDK, and we are not sure if the SDK will be using the REST API furthermore. Do we need to fetch ZAK and implement entire OAuth authorization for patients in order to use this functionality? Based on what we’ve read in the documentation it seems that we do not have to do that.

Is that right? Thanks

@aleksandar.simic
for participants who are joining a meeting as a guest, do you not need ZAK token to do so
