We are currently building a Zoom-Marketplace-App.
App-Type: OAuth, user-based
We are manly utilizing the webinar and meeting API-Endpoints and Events.
However we are faceing some structural issues with the Events.
For example we want to start an automation in our Software if a registration happens in Zoom.
User A creates a Webinar in Zoom and setups the App on the marketplace.
We know then some user-info like account_id, user_id and some metadata.
If we now receive a Webhook-Event from Zoom for a registration, we just get the account_id and the id of the webinar (and some more stuff). How are we supposed to make sure we can handle this event for user A? It might be that this webinar is created by user B of the same zoom account and user A should not have access to it. What is the best practice here?
Of course we might call the “get webinar”-endpoint with user A and on error we discard the event.
But to call the enpoint to guess the access and provoking 401 responses seems the bad way for me (by design and also performance). And on a multi tenant saas all the caching and mapping what needs to be done would be pure mess.
Wouldn’t make it sense to include the ID of the user in the events which triggered it or any other token which is unique to the oauth connection or such? In my view the current design encourages apps to leak data to users which they should not have access to.