OAuth Access & refresh token questions

Description
Just a couple of simple questions:

  1. I have Webhooks/Event subscription enabled. What happens if the AccessToken expires but my RefreshToken is valid? Will I still receive Webhooks? I ask this because I only refresh my access token on demand when calling the API.

  2. While testing, I have been noticing that my refresh token suddenly stops working. I suspect this is happening when the same user logs in on the browser on different machines… So my question is, under what circumstances is the refresh token revoked? If never, then why do I suddenly start getting 401s when using my refresh token?

Any further information on access tokens would be beneficial.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth

Thank you.

Hey @hunter.steele2,

Yes, the webhooks will still send! Refreshing your token on demand is the suggested flow so you are good! :slight_smile:

Hey @hunter.steele2,

Yes, if a user logs in on a different device, the OAuth flow basically restarts, invalidating the current OAuth access and refresh tokens you have stored. You will need to get the access_token again upon new authorization and update your saved tokens with the new tokens.

Thanks,
Tommy

@tommy Question on the comment “Yes, if a user logs in on a different device,” what defines a device? If simple OAuth is used, how does it even know what device it is? Not using Webhooks/Event subscriptions so maybe that comment doesn’t apply.

We’ve gotten a few 401s trying to refresh tokens so I’m poking around looking for answers. I know if we failed to save a prior refresh token that will happen but I haven’t found any clues that we are losing a refresh token.

-Ken

Hey @kkoellner,

Basically, if a user has already authorized your app and you have received their tokens, and they authorize again by going to the install URL, then you will receive new tokens, invalidating the prior ones.

So your app would need to handle that flow, updating the tokens on a new install for the same user.

Let me know if that helps! :slight_smile:

Thanks,
Tommy

It turns out that one of our admins had configured multiple instances of our app against the same Zoom app. Each instance of our app has a separate database. So a user auths in instance A of our app and everything is fine. Then the same user auths in instance B of our app. That also works fine, but that gets tokens for the same user and Zoom app and stores them in database B. Then later they try to use instance A again, which gets the old tokens out of database A, and when they try to refresh, the error occurs.

-Ken


Hey @kkoellner,

Glad you were able to figure out the issue! :slight_smile:

Thanks,
Tommy
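
The failure Ken describes above, reproduced against a toy authorization server, as an added example that is not part of the thread and not Zoom's API. It assumes the server keeps one valid refresh token per user and OAuth app and replaces it on every authorization or refresh; all class, function and user names are hypothetical.

```python
import secrets

class InvalidToken(Exception):
    """Stands in for the HTTP 401 returned for an invalidated refresh token."""

class SimulatedAuthServer:
    """Toy model (assumption, not Zoom's API): one live token pair per user."""
    def __init__(self):
        self._live_refresh = {}  # user -> the only refresh token currently valid

    def _issue(self, user):
        pair = {"access_token": secrets.token_hex(8),
                "refresh_token": secrets.token_hex(8)}
        self._live_refresh[user] = pair["refresh_token"]  # invalidates the prior one
        return pair

    def authorize(self, user):
        return self._issue(user)  # re-authorization replaces the old pair

    def refresh(self, user, refresh_token):
        if self._live_refresh.get(user) != refresh_token:
            raise InvalidToken("401: refresh token no longer valid")
        return self._issue(user)

class AppInstance:
    """One deployment of the integration; `store` is its token database."""
    def __init__(self, server, store):
        self.server, self.store = server, store

    def install(self, user):
        self.store[user] = self.server.authorize(user)  # overwrite on re-install

    def call_api(self, user):
        old = self.store[user]["refresh_token"]
        self.store[user] = self.server.refresh(user, old)  # persist the new pair
        return self.store[user]["access_token"]

def run_scenario(shared_store):
    """Two instances of one OAuth app; returns "ok" or "401" for instance A."""
    server = SimulatedAuthServer()
    db_a = {}
    db_b = db_a if shared_store else {}
    a, b = AppInstance(server, db_a), AppInstance(server, db_b)
    a.install("user-1")  # constructed user id: authorizes in instance A
    b.install("user-1")  # same user authorizes in instance B, same OAuth app
    try:
        a.call_api("user-1")
        return "ok"
    except InvalidToken:
        return "401"
```

`run_scenario(shared_store=False)` returns `"401"` because instance A still holds the pair that instance B's authorization replaced; with a shared store it returns `"ok"`.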