API Endpoint(s) and/or Zoom API Event(s)
PKCE OAuth
Description
We’re switching from server-to-server to PKCE OAuth as advised during a periodic security review by Zoom. We’re able to use PKCE OAuth, but if two devices sign in to the same client ID, the second device invalidates the first device’s access token.
We have two different client IDs, one for our Mac app and one for our iOS app. Our iOS app registration is working with multiple concurrent device sign-ins, but our Mac app registration isn’t.
Is there some sort of setting on Zoom’s end that controls which apps are allowed to have multiple concurrent access tokens? Is there any documentation describing how many concurrent access tokens are allowed? We don’t want to rely on multiple access tokens and then find out there’s a limit that causes problems for users with multiple devices.
According to Multiple access Token support available for server-to-server apps, server-to-server auth now supports multiple access tokens, so I’d expect PKCE OAuth to support the same.
We only have 30 days to remediate this according to the Zoom security review, so any assistance would be appreciated.
How To Reproduce
Steps to reproduce the behavior:
- Sign in with PKCE OAuth using our client ID for our iOS app on one device
- Sign in with PKCE OAuth using our client ID for our iOS app on a second device
- Both OAuth access tokens stay valid
- Sign in with PKCE OAuth using our client ID for our Mac app on one Mac
- Sign in with PKCE OAuth using our client ID for our Mac app on a second Mac
- The first access token is invalidated
Similar older reports, but for server-to-server auth:
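For readers unfamiliar with what the post means by "PKCE OAuth", the following is an added illustration of the client side of a PKCE (RFC 7636) sign-in as a native app would perform it on each device. It is not Zoom's code and not code from the post's author; the authorization URL and client ID are placeholders, and the device names are constructed. The point it makes is that every device generates its own `code_verifier`, `code_challenge` and `state`, so nothing in the PKCE exchange itself is shared between two devices using the same client ID. Whether the resulting access tokens can coexist is a server-side token-lifetime policy, which is exactly what the post is asking Zoom about; the code below cannot answer that.

```python
"""PKCE (RFC 7636) client-side helpers for a native app.

Added example, not Zoom's code. AUTHORIZE_URL and CLIENT_ID are
placeholders (assumptions), not real Zoom values.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://authserver.invalid/oauth/authorize"  # placeholder
CLIENT_ID = "EXAMPLE_CLIENT_ID"  # constructed sample, not a real client ID


def b64url_nopad(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for both values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, redirect_uri: str, state: str) -> str:
    """Authorization request carrying the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def verifier_matches_challenge(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed."""
    return secrets.compare_digest(code_challenge_s256(verifier), challenge)


def start_sign_in(device_name: str, redirect_uri: str) -> dict:
    """Per-device sign-in state: verifier and state are fresh for every device,
    so two devices on the same client ID share nothing at the PKCE layer."""
    verifier = make_code_verifier()
    state = b64url_nopad(secrets.token_bytes(16))  # CSRF binding for the callback
    return {
        "device": device_name,
        "verifier": verifier,  # kept locally until the token request
        "state": state,
        "url": build_authorize_url(verifier, redirect_uri, state),
    }


if __name__ == "__main__":
    # Two constructed devices signing in against the same client ID.
    for name in ("mac-1", "mac-2"):
        s = start_sign_in(name, "myapp://oauth/callback")
        print(name, s["url"])
```

The `if __name__` block simulates the two Mac sign-ins from the reproduction steps: each gets a distinct verifier and challenge, which shows that the invalidation the post describes is not caused by the PKCE parameters colliding but by how the server manages tokens per client ID.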