OAuth for server-to-server

Description
I have a server-side application to access some Zoom APIs, which does not have any from-end UI. I am currently using JWT to authorize. I would like to switch to OAuth as it seems more secure compared to exposing my api_secret in JWT.
But OAuth requires a redirect URL, so it requires UI and user-interaction. Is there any way to get around this and do this completely automated through code?

Hey @pnarendra, thanks for posting and using Zoom!

There is, simply activate the OAuth install once. You can use any redirect url, like https://zoom.us.

After install, get the auth code in the query param of the URL, and use it to request an access_token.

Now you can completely automate the process. Save the access_token and refresh_token, and implement logic that refreshes the access_token, and then makes the respective requests.

Does that make sense?

Thanks,
Tommy

1 Like

It does. Thank you @tommy . Though I would like to ask details regarding creating the OAuth credentials. Since my application is not really an app, what information would be appropriate for for Privacy Policy URL, Terms of Use URL, etc.,

1 Like

Hey @pnarendra,

If this is an internal app (only used by your Zoom account/users), it does not need to be published to the Zoom App Marketplace.

You can ignore those fields :slight_smile:

Thanks,
Tommy

Hey @tommy,
If thats the case then how do you create the account-level credentials for OAuth

Thank you for the help

1 Like

Hey @pnarendra,

Simply create an Account Level OAuth app here, with Intent to Publish set to no.

Thanks,
Tommy

Hey @tommy,
That worked! thanks a lot for that!

Is there a way to increase the expiry time for the access token as 1 hr is too small a time period. I was wondering if there is a way to keep the access token for a day or two?

Hey @pnarendra, happy to hear that worked! :slight_smile:

No, the access_token only lasts for 1 hour, however, you could simply refresh the token each time you make a request.

That being said, the expiry setting is the benefit of using JWT, you can set it for any amount of time.

Thanks,
Tommy

@tommy is there a plan to increase the OAuth based access_token expiry time to be more than 1 hour ? it would be great if there is an option to configure the expiry interval with upper bound set?

Also is it like only one JWT app is allowed per organisation? We have one JWT app created and don’t see the marketplace allows to create 2nd JWT app ? is this the case?

Problem with 1 JWT app (JWT Token) is the limited API rate limit.

Regards
Dilip

Hey @Dilip_Reddy_Guda,

There are no plans to increase the OAuth token expiry. You can refresh each time before you make a request if you would like:

Correct, only one JWT App can be created per organization since it has full access to most of the Zoom APIs.

Thanks,
Tommy

@tommy
we had an issue with one of the OAuth app where in there were close to 11K refresh token calls were made in a span of one day (06/26). we would like to know if there any audit logs for this app to understand what was the response from Zoom when API calls were made.

App name : MIM SURF Production

How many tokens were issues for this app on 06/26 ?
were there any error responses while refreshing the token related to this app?

Regards
Dilip

Hey @Dilip_Reddy_Guda,

Did you experience any errors? Can you clarify what the issue is?

Thanks,
Tommy

@tommy
Yes we did run into an issue wherein ServiceNow platform trig erred abnormal number of token refresh requests (around 11K in a single day)
we wanted to know, below details to understand the root cause of the issue (since we don’t have much logging on ServiceNow platform side for oAuth token refresh. Here ServiceNow is configured to refresh the OAuth token at regular intervals of 30 mins.)

Things were working fine until we ran into the issue on 06/26. This caused the service now cripple as there were huge number of API token refresh requests sent to Zoom.

App name : MIM SURF Production

How many tokens were issues for this app on 06/26 ?
were there any error responses while refreshing the token related to this app? to be very specific, was zoom responding with lesser expiry interval for API token refresh which resulted in huge requests on 06/26.

Insights on Zoom app side would help identify the root cause.

Regards
Dilip

Hey @Dilip_Reddy_Guda,

We are looking into our logs and will get back to you as soon as we can. (ZOOM-176069)

Thanks,
Tommy

@tommy
Thanks. would await response from your end.
Let me know if you need any details from my end.

Regards
Dilip

@tommy
Any update on the findings?

Regards
Dilip

Hey @Dilip_Reddy_Guda,

No updates yet, I will let you know once I have one.

Thanks for your patience,
Tommy

Hey @Dilip_Reddy_Guda,

Unfortunately we were not able to look into the issue until now, but the logs have expired on our end. Please let me know if you see this issue again and we will look into it right away.

Thanks,
Tommy