Oauth malformed redirect_url

Hi there!

I am trying to follow the instructions in GitHub - zoom/zoomapps-customlayout-js: A simple podcaster Zoom App to demonstrate Immersive Mode through our Layers API for creating a Zoom app. After I run it successfully and then try to add my app, I get redirected to the following url https://6a97-96-84-247-65.ngrok.io/auth?code=

This url doesn’t have a state param, and it results in the following error

Error 400
state must be a string

Any ideas what I could try here? I have no changes in my repo from what’s hosted on github.

I’ve tried this both with a “Zoom App” and “Oauth App” through here App Marketplace

Hi @JuanCaicedo , the project you are using will require you to provide a “state” parameter in OAuth authorization requests. Because of this, the authorization request needs to start with the app itself.

There is a section in the README that describes how to install/authorize this app https://github.com/zoom/zoomapps-customlayout-js#usage

More information on OAuth 2.0 “state” parameter https://auth0.com/docs/secure/attack-protection/state-parameters

Hi Daniel! Thanks for the response :grinning: I’ve followed the instructions in that readme and that’s how I end up in this state.

First I start out at my “Homepage”.

This takes me to my homepages /install, which then takes me to the Zoom app

The error message at this point (which is supported by my server logs) suggests that the Zoom app made a request to /auth, but did not send a code along with the request.

I can instead try to add the app through the add link (or button) provided in the Zoom market place

If I do that then I’m sent to /auth?code=\<code\>, but with no state parameter.

the project you are using will require you to provide a “state” parameter in OAuth authorization requests. Because of this, the authorization request needs to start with the app itself.

I don’t understand how I would provide a state parameter here. My understanding is that Zoom would send this parameter as part of putting together the redirect_url. I don’t see where in the flow I have an interaction with this at all :sweat_smile:

@JuanCaicedo apologies for the delay getting back to you. Is this still an issue? The SDK should add the state parameter for you when you click the install link. Let me know if that’s not the case.

Has this problem been resolved?

I’ve built the sample Zoom App by following the webinar and the README here:

I’m having the same problem as Juan. Running the vanilla sample app.
I don’t understand why the Zoom SDK backend is not providing the state parameter.

Max, or anyone else at Zoom, can you help here. I couldn’t find any relevant documentation for the zoom app auth workflow, so the sample app is the best reference, only when it works though.

Is the sample code broken?!


@michalmmm It looks the Zoom Marketplace install button still doesn’t include the state parameter. I’ll bring this up again at our next meeting to get traction on this.

In the meantime, you can use the install link provided when opening one of the Sample Apps in your browser. Alternatively, you can create your own button that generates the state.

Let me know if that helps.

I also tried setting up the zoomapps-sample-js app and get the state variable error. I tried what @MaxM suggested and used the link in the browser but then i get the invalid state parameter state error.
I believe the state and verifier set in the session are not getting persisted.
I dont think the sample app is in a working state.

Is there any progress on this @MaxM ?
You suggested I can create my own button that generates the state. I’m not sure this solves our problem. It is an OAuth style workflow and that value and the callback have to come from Zoom servers which is black box to us devs. That’s the hole purpose of secure authentication.
Is there a good documentation of that auth workflow somewhere or do we have to rely on reverse-engineering sample code which doesn’t work?
I must be missing something here, I just don’t know what it is. Does anyone manage to get that sample code working? Recent webinar instructions are the same, argh.

If I sound bitter and frustrated, it’s good, because that’s how I feel.

Let me know how you guys are doing on your end. Looks like @blessanm86 reported the same problem just 8 hours ago, so no progress?


@michalmmm I got it working eventually. Boy I wish I saw this post earlier. I was confused between zoom app and oauth app.

I tried to dumb down the sample app README.md to a step by step process. Might help you out. Here is a link to my fork.

1 Like

Thank you, @blessanm86 .

Thanks to you, I got it working finally. I have no idea how you discovered it, but initiating the install process via /install link rather than the ‘Add’ button in the ‘Activation’ panel does the trick.