We have an enterprise plan where we have multiple users registered inside a single Zoom account.
Now, we are making an integration with Zoom where all the users (MEMBER role) need to create their own server-to-server OAuth app.
I checked a few settings and made the changes, and now all the users (MEMBER role) are able to create a server-to-server OAuth app.
Now the issue is this: every member can create their own server-to-server OAuth app.
Now, while creating a meeting via the Zoom API, if the user adds another member's email address from the organization, the meeting is created on that other member's account instead of on the account of the user who created the app.
Is there a way to restrict creating meetings on other members' accounts, so that a meeting is created only on the profile of the user who created the server-to-server OAuth app?
I checked with JWT as well, and the same thing happens with JWT.
Thank you for letting us know. It depends on how the app is created: you can either create it for just the user who created it, or you can create it to be used by everyone on the account to create meetings. Please see more here
Hello @chetanbb, I guess I'm not fully understanding how they are creating the event on another user's account, so that I can possibly see what the resolution is?
These are the steps for creating events on other users' accounts.
The admin created a role called Developer and permitted it to manage users: https://www.loom.com/i/c5adac57581b4d6f98a71736279ac0a5
The admin permitted creating a server-to-server OAuth app based on these settings: https://www.loom.com/i/76e282b493fd4401acb9fecb2e0958df
Now we have two members, abc@test.com and xyz@test.com; both users are in the same organization.
Both are now logged in to their Marketplace accounts and creating their own server-to-server OAuth apps.
Both are setting up these scopes for their apps: https://www.loom.com/i/584c2dd58aed45fd8828291b311090ee
Now, while creating a meeting via the API, each of them uses the other's email as the host_id and makes a call like POST /users/abc@test.com/meetings
Now ABC is creating a meeting on XYZ's account, and XYZ is creating one on ABC's account.
If both people's server-to-server OAuth apps are different, then it should not be allowed to create a meeting on each other's account.
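The thread concludes that Zoom itself cannot scope a server-to-server app to its creator, because the account_credentials grant is account-wide. A common design-side mitigation, shown here as an added example (not code from this thread or from Zoom), is to stop handing out per-member S2S apps and instead run one gateway service that holds the single S2S credential and only ever calls POST /users/{userId}/meetings for the authenticated caller's own user. The gateway's own authentication (SSO or similar) is assumed to establish the caller's email; account id, client id/secret and tokens are placeholders.

```python
# Added example, not from this thread or from Zoom: a gateway that holds the
# one account-wide Server-to-Server credential and schedules meetings only on
# the authenticated caller's own Zoom user. Ids/secrets are placeholders.
import base64
import json
import urllib.request
from dataclasses import dataclass

ZOOM_TOKEN_URL = "https://zoom.us/oauth/token"  # Zoom OAuth token endpoint
ZOOM_API = "https://api.zoom.us/v2"

class PolicyViolation(Exception):
    """Caller asked to schedule on a Zoom user that is not their own."""

@dataclass(frozen=True)
class Caller:
    # Identity established by the gateway's own authentication (e.g. SSO),
    # never taken from the request body the caller controls.
    email: str

def authorize_host(caller: Caller, requested_host: str) -> str:
    """Allow only the caller's own mailbox as meeting host (case-insensitive)."""
    if requested_host.strip().casefold() != caller.email.strip().casefold():
        raise PolicyViolation(
            f"{caller.email} may not create meetings for {requested_host}")
    return caller.email

def account_token_request(account_id, client_id, client_secret):
    """Build the account_credentials grant request used by S2S OAuth apps."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    url = f"{ZOOM_TOKEN_URL}?grant_type=account_credentials&account_id={account_id}"
    return urllib.request.Request(url, method="POST",
                                  headers={"Authorization": f"Basic {basic}"})

def create_meeting_request(caller, requested_host, topic, access_token):
    """Build POST /users/{userId}/meetings only after the policy check passes."""
    host = authorize_host(caller, requested_host)
    body = json.dumps({"topic": topic, "type": 2}).encode()  # type 2 = scheduled
    return urllib.request.Request(
        f"{ZOOM_API}/users/{host}/meetings", data=body, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})

if __name__ == "__main__":
    abc = Caller("abc@test.com")  # the two members from the thread
    print(create_meeting_request(abc, "abc@test.com", "Sync", "TOKEN").full_url)
    try:  # abc scheduling on xyz's account is refused before any Zoom call
        create_meeting_request(abc, "xyz@test.com", "Sync", "TOKEN")
    except PolicyViolation as err:
        print("blocked:", err)
```

Because members no longer hold any S2S credential themselves, the cross-account case from the steps above is rejected by the gateway before a request reaches Zoom, and the single credential can be rotated and audited in one place.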
Hello, so if they are looking to create apps that use only their information, why are they building Server-to-Server apps?
Difference from app credentials
Zoom account credentials is a new grant type developers can use with the Zoom OAuth Service to facilitate OAuth-authenticated requests without end user involvement. This document describes this grant type and how to use it.
App credentials are the client credentials, including the client ID and secret, which Zoom provides to app developers to access the Zoom platform (see step 3 below for details).
So, given the fact that they want to create meetings that are only created by them, why don't they use the OAuth user-level app rather than the Server-to-Server option?
Hello @chetanbb, there is no way to do that. The only option you have is to disable the ability to create OAuth apps entirely; that's something I can bring up with our Engineering team to possibly find a better option in the future.