OAuth with ZOOM Rest API from iOS

Description
Hello Zoom Team,
We are looking forward to adding Zoom integration using either the ZOOM iOS SDK or the REST API.
Since ZOOM doesn’t support BitCode, the only option for us is OAuth with the REST API, it seems.
But even with the OAuth + REST API approach, I face two challenges now:

  1. ZOOM doesn’t support Custom URI scheme.
     • But I think I can resolve this with an actual server redirect endpoint which does an HTTP 301 redirect to my custom URL scheme. (Do you recommend Universal links over this approach?)
  2. ZOOM OAuth requires a client secret to get/refresh a token from Zoom.
     • What is the ZOOM recommended Non-SDK approach for ZOOM integration in iOS? (As per my understanding, JWT based authentication doesn’t require user authentication and it is more like an account level authentication.)

Thanks for any help in advance.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth

Hey @spoulose,

Can you clarify what you mean by custom URI scheme?

You can pass state parameters in the OAuth authorize url.

If you are wanting to call the Zoom API for your Account only and not any external accounts, JWT Tokens are the best way to do this since it does not require user interaction.

Let me know if that helps! :)

Thanks,
Tommy

Thank you Tommy for the recommendation.
But we would like to integrate Zoom with iOS apps for all the Zoom account users, not only for our internal account.
As you recommended, we are already passing User State in redirect URI.

Custom URL scheme would be something like “myapp://callback”
This app specific URL is used to make sure Zoom redirects to our iOS app once it completes the authorisation. The Redirect URL for OAuth field in Zoom doesn’t allow us to specify the iOS registered URL scheme. It throws a “Wrong URL format” error in the OAuth app registration portal. However, this is no longer a problem, as we have an https server URL used as the OAuth redirect URI and the server will call our app’s custom URL.

Our main concern is related to security. Since we integrate Zoom OAuth with an iOS app, the client secret has to reside in the application, and it is not a recommended way, it seems.
Zoom documentation suggests setting ClientID:ClientSecret in the Authorisation header while requesting a token.

Does Zoom support Authorization Code Flow with Proof Key for Code Exchange (PKCE) so we don’t have to store the client secret in app source code? I was getting an error when I set PKCE instead of the client secret.

What would be the recommended solution for iOS apps if we can’t use the Zoom iOS SDK?

Thank you.

Hey @spoulose,

This is the correct flow. :)

The Client Secret and request to get an access token should not be made on the frontend. After landing on the redirect url, you should send the code in the query param to your backend server to make the get access token request, and then send the access token to your frontend in your session or however you want to use it. The Client Secret should never touch your frontend application.

Does that make sense?

Thanks,
Tommy

1 Like
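The backend flow described in the last reply, as an added example that is not part of the thread and not Zoom's own code: the redirect URL handler checks the `state` value, then makes the token request itself with ClientID:ClientSecret in the Authorization header, so the secret never ships in the iOS app. The environment variable names, `REDIRECT_URI`, the HMAC-signed state format and the function names are assumptions; `send` is injectable so the handler can be exercised offline.

```python
import base64, hashlib, hmac, json, os, secrets, time
import urllib.parse, urllib.request

TOKEN_URL = "https://zoom.us/oauth/token"
# Assumed configuration; the secret is read on the server and never shipped in the app.
CLIENT_ID = os.environ.get("ZOOM_CLIENT_ID", "constructed-client-id")
CLIENT_SECRET = os.environ.get("ZOOM_CLIENT_SECRET", "constructed-client-secret")
REDIRECT_URI = "https://backend.example.com/zoom/callback"  # hypothetical, must match the registered URL
STATE_KEY = secrets.token_bytes(32)  # per-process signing key for state values

def _mac(body):
    return hmac.new(STATE_KEY, body.encode(), hashlib.sha256).hexdigest()

def new_state(user_id, now=None):
    """Signed, time-stamped state for the authorize URL."""
    body = f"{user_id}.{int(now or time.time())}.{secrets.token_urlsafe(8)}"
    return f"{body}.{_mac(body)}"

def check_state(state, max_age=600, now=None):
    """Return the user id bound to the state, or None if forged or expired."""
    body, _, mac = state.rpartition(".")
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return None
    user_id, issued, _nonce = body.rsplit(".", 2)
    if (now or time.time()) - int(issued) > max_age:
        return None
    return user_id

def build_token_request(code):
    """Token request with ClientID:ClientSecret in the Authorization header."""
    form = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "code": code, "redirect_uri": REDIRECT_URI})
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return urllib.request.Request(TOKEN_URL, data=form.encode(), method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})

def handle_callback(query_string, send=urllib.request.urlopen):
    """Redirect-URL handler: validate state, then exchange the code server side."""
    params = urllib.parse.parse_qs(query_string)
    user_id = check_state(params.get("state", [""])[0])
    code = params.get("code", [""])[0]
    if user_id is None or not code:
        return 400, None  # reject before any request carrying the secret is made
    with send(build_token_request(code)) as resp:
        tokens = json.load(resp)
    return 200, {"user_id": user_id, "access_token": tokens["access_token"]}
```

The app only ever sees the authorization code on the way in and whatever the backend chooses to hand back; a forged or stale `state` is rejected before the secret-bearing request is built.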