Prevent meeting creation on another organization member's account

Hey Team,

We have an enterprise plan with multiple users registered inside a single Zoom account.

Now, we are building an integration with Zoom where all the users (MEMBER role) need to create their own server-to-server OAuth app.

I checked a few settings and made the changes, and now all the users (MEMBER role) are able to create a server-to-server OAuth app.

Now the issue is:

  1. Every member can create their own server-to-server OAuth app.
  2. When creating a meeting via the Zoom API, if the user passes another organization member's email address, the meeting is created on that other member's account instead of on the account of the user who created the app.

Is there a way to restrict creating meetings on other members' accounts in the organization, so that a meeting is created only on the profile of the user who created the server-to-server OAuth app?

I checked with JWT as well, and the same thing happens with JWT.

Hello @chetanbb

Thank you for letting us know. It depends on how the app is created: you can either create it for just the user who created it, or create it to be used by everyone on the account to create meetings. Please see more here:

https://developers.zoom.us/docs/internal-apps/s2s-oauth/

Regards, Kwaku

Hello @kwaku.nyante

Thanks for the reply.

Could you please guide me on how to prevent a user from creating a meeting on another member's account in the same organization via the API?

Hello @chetanbb, you can limit access to API-related functions using role management; please see here: https://support.zoom.us/hc/en-us/articles/115001078646-Using-role-management

Regards, Kwaku

Hey @kwaku.nyante

I already tried to find that in this document but didn't find any way to prevent a user from creating an event on another user's account.

Do you have anything you can share that does what I need?

Hello @chetanbb, I guess I'm not fully understanding how they are creating the event on another user's account, so that I can possibly see what the resolution is?

Regards, Kwaku

These are the steps for creating events on other users' accounts.

  1. Admin created a role called Developer and gave it permission to manage users: https://www.loom.com/i/c5adac57581b4d6f98a71736279ac0a5
  2. Admin permitted creating a server-to-server OAuth app with these settings: https://www.loom.com/i/76e282b493fd4401acb9fecb2e0958df
  3. Now we have two members, abc@test.com and xyz@test.com; both users are in the same organization.
  4. Both are now logged in to their marketplace accounts and creating their own server-to-server OAuth apps.
  5. Both set up these scopes for their app: https://www.loom.com/i/584c2dd58aed45fd8828291b311090ee
  6. Now, while creating a meeting via the API, each uses the other's email as the host_id and makes a call like POST /users/abc@test.com/meetings
  7. Now ABC is creating a meeting on XYZ's account, and XYZ is creating one on ABC's account.

If the two people's server-to-server OAuth apps are different, it should not be allowed to create a meeting on each other's account.

I hope now the issue is clear to you.
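Because the server-to-server token is account-level, the Zoom API itself accepts POST /users/{userId}/meetings for any member, so the restriction asked for in these steps has to be enforced in the integration's own code. Below is an added example, not code from this thread or from Zoom: a Python guard that refuses to build the meeting-creation request unless the target user in the path, and any host_id (the field used in step 6) or schedule_for field in the body, matches the member who owns the app credentials. MeetingPolicy, build_meeting_request and the sample emails are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Any, Dict, Tuple
from urllib.parse import quote

ZOOM_API = "https://api.zoom.us/v2"

# Body fields that can redirect a meeting onto another member's profile.
# host_id is what the thread's requests used; schedule_for is Zoom's
# "schedule on behalf of" field and is guarded here as well.
HOST_FIELDS = ("host_id", "schedule_for")


def _norm(email: str) -> str:
    """Compare emails case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


@dataclass(frozen=True)
class MeetingPolicy:
    """Binds one app's credentials to the single member allowed to be host."""
    app_owner: str  # email of the member who created this S2S OAuth app

    def check(self, user_id: str, body: Dict[str, Any]) -> None:
        # Every place a target user can be named must equal the app owner.
        targets = [("path userId", user_id)]
        targets += [(k, body[k]) for k in HOST_FIELDS if k in body]
        for where, value in targets:
            if _norm(str(value)) != _norm(self.app_owner):
                raise PermissionError(
                    f"{where}={value!r} is not the app owner {self.app_owner}")


def build_meeting_request(policy: MeetingPolicy, user_id: str,
                          body: Dict[str, Any]) -> Tuple[str, str, Dict[str, Any]]:
    """Return (method, url, body) for POST /users/{userId}/meetings, or raise.

    The caller sends the tuple with its S2S bearer token; the policy check
    runs before any credential is used, so a mismatch never reaches Zoom.
    """
    policy.check(user_id, body)
    url = f"{ZOOM_API}/users/{quote(_norm(user_id), safe='')}/meetings"
    return "POST", url, body


if __name__ == "__main__":
    policy = MeetingPolicy(app_owner="abc@test.com")  # constructed sample
    print(build_meeting_request(policy, "abc@test.com", {"topic": "sync"}))
    try:  # the cross-account call from step 6 is refused locally
        build_meeting_request(policy, "xyz@test.com", {"topic": "sync"})
    except PermissionError as err:
        print("blocked:", err)
```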

Hello, so if they are looking to create apps that use only their own information, why are they building server-to-server apps?

Difference from app credentials

  • Zoom account credentials is a new grant type developers can use with the Zoom OAuth Service to facilitate OAuth-authenticated requests without end user involvement. This document describes this grant type and how to use it.
  • App credentials are the client credentials, including the client ID and secret, which Zoom provides to app developers to access the Zoom platform (see step 3 below for details).

So, given that they want to create meetings that are only created by them, why don't they use the user-level OAuth app rather than the server-to-server option?

Regards, Kwaku

I can't see all the links and details you are mentioning in the comment.

Hello @chetanbb please see here: https://developers.zoom.us/docs/internal-apps/#:~:text=Difference%20from%20app,below%20for%20details).

Hey @kwaku.nyante

Is there a way I can disable creating an account-level app from the marketplace for the member role?

Hey @kwaku.nyante

It would be good if you could answer my question above: Prevent meeting creation on another organization member's account - #11 by chetanbb

One more question: I created an OAuth app with Intend to publish: No.

Now, while authorizing it, it shows BETA. Can we remove that text?

Looking forward to hearing from you!

Hello @chetanbb, there is no way to do that; the only option you have is to disable the ability to create OAuth apps entirely. That's something I can bring up with our Engineering team to possibly find a better option in the future.

For your second question, the only way to remove that text is to publish your app and complete the review process: https://developers.zoom.us/docs/distribute/

Regards, Kwaku
