Only allow resources created by an Oauth app to be modified using the app

kamronebrahimi · December 29, 2020, 6:59pm

Description
Say a user authorizes an Oauth app with read and write permissions on Meetings. The Oauth app then creates a meeting on behalf of a user. Is there a way to prevent the user from updating/deleting the Meeting created by the Oauth app unless they do so through the Oauth apps API’s?

Which App Type (OAuth / Chatbot / JWT / Webhook)?
Oauth

Additional context
My Oauth app needs to create meetings for users, I need to store the Meeting Id in a database record and ensure that “Allow participants to join anytime” is always enabled for the meeting. Both of these values can be modified by users via the desktop client or Zoom portal by the user. Is there someway to prevent these resources from being modified unless they are modified by my Oauth app?

MaxM · December 29, 2020, 9:04pm

Hey @kamronebrahimi,

Thank you for reaching out to the Zoom Developer Forum. While there isn’t a method to restrict what they can do with their account, you can use the Meeting Updated Webhook to listen for changes to the meeting and update your database accordingly.

I hope that helps! Let me know if you have any questions.

Thanks,
Max

kamronebrahimi · December 30, 2020, 5:54pm

@MaxM thank you for the information. As a quick follow up question:

If my Oauth relies on the parameter “Allow participants to join anytime” to be disabled, would you recommend listening for meeting update events, upon receiving one validating that the updated meeting was created by my Oauth app (we store the Meeting uuid of created meetings in our database), and simply updating the meeting again to undo the change the user just made? Would something like this pass functional testing (https://marketplace.zoom.us/docs/guides/publishing/app-submission) by the Zoom team? Thank you again for your help!

MaxM · December 31, 2020, 7:16pm

Hey @kamronebrahimi,

Thank you for your question. I reached out to the team that handles app approvals and they mentioned that we don’t have a policy on our marketplace to prevent this but that the documentation for the app would need to include a disclaimer for end-users that the app will automatically revert changes made to meetings created through the OAuth app.

Let me know if that helps.

Thanks,
Max

kamronebrahimi · December 31, 2020, 7:16pm

@MaxM this is very helpful. Thank you for the detailed response.

MaxM · December 31, 2020, 8:52pm

Hey @kamronebrahimi,

I’m glad to hear that answered your questions! If you encounter any further issues or questions, please don’t hesitate to reach out.

Happy New Year!

Thanks,
Max