OAuth redirect and JWT support


#1

Hi.

I’m working on an integration with the Zoom API at the moment. When I checked the API documentation on the latest site (https://devdocs.zoom.us) some days ago, I noticed that there was a message about JWT going away and not being supported in 2019. Now that message has gone. So I wonder what is the deal with it? I believe the token that is generated from OAuth uses the JWT format, so if I still use a JWT library to generate the access token, would that still work in the future? Or should I switch to implementing OAuth and not have to worry about that? The JWT library seems easy to integrate compared to the OAuth solution, so I wonder if it will be supported in the future or not.

Another question related to OAuth: Based on the documentation, first you would need to call the authorize endpoint to get the authorization code. When I tried that, the response I got back was the sign-in page with the redirect link to the authorize link. My understanding is that once you call the authorize endpoint, Zoom will trigger a callback on my end and I will get the code within that handler. But in order to do that, initially I would have to sign in and allow my website to interact with Zoom OAuth, and then subsequent requests have to sign in for Zoom to trigger the callback. I want to do all of this without any human input. So is there a way to grant permission initially using the code, and also how do I put in my sign-in credentials in order to bypass the sign-in when calling the authorize endpoint?


#2
  1. We will not be sunsetting JWT for the foreseeable future. We had plans to do so but no longer will until we have a better server-to-server solution for OAuth. 

  2. This usually happens when you are using a clientID and Secret that does not come from the marketplace (marketplace.zoom.us). Please make sure you are not using the credentials from our dev site (developer.zoom.us). We will be making this more clear soon. Apologies if this is confusing. 


#3

Thanks for confirming about the JWT issue.

For the OAuth, I definitely used the one from developer.zoom.us. My understanding of OAuth is that a user would have to log in to their Zoom account and authorize the use of OAuth. However, I am only using the API to do all the work and will not expose any login information to the users, as I will manage the flow between the users and the Zoom service through the system backend. So is there a better way to deal with the situation? For example, the server will use the master account that has the API plan subscription and authorize with OAuth to get an access token and refresh token, and then use them to execute the API commands based on the user requirements. The user would only need to tell the system which operation it needs to comply and they do not need to log in to Zoom since I will only create customer user account instead.


#4

“For the OAuth, I definitely used the one from developer.zoom.us.” This will not work. Please sign up at marketplace.zoom.us and get a clientID and secret from there. 

If this is server-to-server then just use JWT.