OAuth refresh token process change? Was working, now not

kmwill23 · June 8, 2020, 4:26pm

Description
The token refresh process, working a couple weeks ago, seems to not work now.

https://zoom.us/oauth/token?grant_type=refresh_token&refresh_token=eyJhbGciOiJIUzUxMiIsInYiOiIyLjAiLCJraWQiOiI3MzBiNzQxMC1jODJjLTQ4N2YtYTMyMS03MzcxYzdjZTgxYzMifQ.eyJ2ZXIiOiI2IiwiY2xpZW50SWQiOiJMZnVYSUp5VVRqeXo4Vlk1MFZLcDBRIiwiY29kZSI6ImdkUTJlakZaeExfajROUGVtX01UbWlMZ0FwS1g5V1FGZyIsImlzcyI6InVybjp6b29tOmNvbm5lY3Q6Y2xpZW50aWQ6TGZ1WElKeVVUanl6OFZZNTBWS3AwUSIsImF1dGhlbnRpY2F0aW9uSWQiOiI5YzFlNDk5MTc1ZWYwOWMwZTZmZDIwYzBjZmNhNTQyOSIsInVzZXJJZCI6Imo0TlBlbV9NVG1pTGdBcEtYOVdRRmciLCJncm91cE51bWJlciI6MCwiYXVkIjoiaHR0cHM6Ly9vYXV0aC56b29tLnVzIiwiYWNjb3VudElkIjoiUDRmT3ptdlVUY2l6ZjVaSFEtT2F6QSIsIm5iZiI6MTU5MTM5NjI1OCwiZXhwIjoyMDY0NDM2MjU4LCJ0b2tlblR5cGUiOiJyZWZyZXNoX3Rva2VuIiwiaWF0IjoxNTkxMzk2MjU4LCJqdGkiOiJhZTllMWMyZC1mYmQ1LTRmMTYtYTM2YS02NDM4MjQzMjk3NDYiLCJ0b2xlcmFuY2VJZCI6MH0.rlgLjGxguhNal2zRsFUtsWf4R5cqwg_yHzZINGp83xHEoASK8UzrBjfwFvV7HynN8w5-9rkMZFwjBF6wywunjQ

Error
401 - Unauthorized
“{“reason”:“Invalid Token!”,“error”:“invalid_request”}”

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth

Which Endpoint/s?
https://zoom.us/oauth/token

How To Reproduce (If applicable)
May not be needed. I expect somewhere somehow I am doing something wrong, even if it worked two weeks ago.

Screenshots (If applicable)
N/A

Additional context
I am POSTing, the Authorization header is in place. The Auth header is the exact same for a user’s initial Auth, and that works perfect. The refresh_token is the refresh_token provided at initial auth.

michael.harrington · June 8, 2020, 8:38pm

Hi @kmwill23 - a refresh token is meant to only be used once to request a new token. Are you storing then updating the refresh token that is received from the refreshed access token?

kmwill23 · June 8, 2020, 8:52pm

This failure is happening the very time I am using the refresh token. My normal process is to use that fresh token once, and replace it with the new one from this call.

kmwill23 · June 8, 2020, 9:43pm

What happens if you attempt to use the refresh_token after the active token has expired? I am doing some debugging now, and the call is successful if I use the refresh_token within the 3599 second expiry time.

kmwill23 · June 8, 2020, 10:28pm

Likely problem discovered!

We have three developers who are using this account for testing purposes.

Dev A authenticates
Dev B authenticates

I believe at this point Dev A’s authentication and refresh_token are no longer valid. Sound about right?

So now I have to find a way to allow multiple Devs onto one unpublished API.

tommy · June 12, 2020, 6:07pm

Hey @kmwill23,

Correct. If a user reauthorizes the app, or say “Logs in with Zoom” to your app on a different device, it will generate new tokens, invalidating the old ones.

Few ways you can handle this, update the tokens in your DB so it shares the same tokens between the two logins, or show a message to the other user saying they need to login with Zoom again.

Thanks,
Tommy