Question regarding OAuth authorization and subsequent calls

I am creating an OAuth2 app to allow our customer to grant access to their Zoom account for creating meetings. Authorization is done at the Account level.

When the authorization code is returned via the Redirect page, can that token code be stored and used on all calls indefinitely?

My initial tests seem to indicate that the user has to grant access every time a call is made.

My end goal is this:

  1. User logs into my application and clicks a button to Authorize the integration.
  2. User is taken to the Zoom authorization page and authorizes.
  3. User is sent to the Redirect URL with the access code.
  4. Access code is stored locally and used to call the server forever.
  5. The next time the user logs into my application, it knows authorization has already been granted and the stored code is used to make zoom calls.

I don’t want my user to have to authorize access every time they log into my application. Is that possible?

Additional testing shows that Authorization codes are one-time use. Is this true?

Here is how I tested this with my developer account:

  1. Called https://zoom.us/oauth/authorize?response_type=code&client_id=(my key)&redirect_uri=https://localhost:44357/ZoomHandler.ashx

  2. Got the authorization code

  3. In Postman, called https://zoom.us/oauth/token?code=(code from step 2)&grant_type=authorization_code&redirect_uri=https://localhost:44357/ZoomHandler.ashx

  4. Got back response body with access_token and refresh_token, etc.

  5. Repeated step 3.

  6. Got 400 Bad Request with JSON { "reason": "Invalid authorization code", "error": "invalid_grant" }

My understanding is the authorization code is one-use. You need to exchange that for an access token for something that can be reused; for details, see “Step 2: Request Access Token” in OAuth with Zoom.

While you’re there, note that the intention is to eventually make Proof Key for Code Exchange (PKCE) a requirement, but it is currently on hold due to interoperability concerns.

Thanks.

So if I understand correctly, once you have the Access Token, it can be used until the user revokes that application's access?

The only requirement being that the token expires after one hour so it has to be renewed?

I want my user to be able to approve the integration once and then it’s good until they revoke.

That’s my understanding; note that refresh tokens expire in 15 years according to “Refreshing an Access Token” in OAuth with Zoom.
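For anyone landing here with the same question, here is the whole flow the thread describes in code. This is an added example, not code from the thread or from Zoom's SDK, and it runs offline against a constructed stand-in for https://zoom.us/oauth/token that behaves the way the tests above observed: an authorization code is accepted exactly once (a second exchange gets 400 `invalid_grant`), the access token expires after one hour, and the refresh token gets a new access token without the user seeing the consent page again. Things that are assumptions rather than facts from the thread: the fake endpoint rotates the refresh token on every refresh, the client sends its `client_id:client_secret` as an HTTP Basic `Authorization` header and the grant as a POST form body (the RFC 6749 shape), and the authorize URL carries a `state` value plus a PKCE S256 `code_challenge` (the thread notes PKCE is planned to become mandatory). `my_client_id`, `my_client_secret`, the `FakeZoomTokenEndpoint` and `ZoomTokenStore` class names and the `demo()` walk-through are all hypothetical.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://zoom.us/oauth/authorize"
ACCESS_TOKEN_TTL = 3600  # access tokens live one hour, as the thread says

class OAuthError(Exception):
    """args == (http_status, json_body) when the token endpoint refuses a grant."""

def code_challenge(verifier):
    """RFC 7636 S256 challenge: BASE64URL(SHA256(verifier)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def basic_auth(client_id, client_secret):
    """client_secret_basic: the secret goes in the Authorization header, never in the query string."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def build_authorize_url(client_id, redirect_uri, state, verifier):
    """Step 1 URL. `state` ties the callback to the user's session (check it on return);
    the PKCE challenge ties the code to this run of the client."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "code_challenge": code_challenge(verifier), "code_challenge_method": "S256"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

class FakeZoomTokenEndpoint:
    """Constructed stand-in for https://zoom.us/oauth/token so this runs offline: single-use codes,
    1-hour access tokens and reusable refresh tokens as the thread observed; rotation is ASSUMED."""

    def __init__(self, client_id, client_secret):
        self.creds, self._codes, self._refresh = basic_auth(client_id, client_secret), {}, set()

    def issue_code(self, redirect_uri, challenge):  # what the authorize page does after "Allow"
        code = secrets.token_urlsafe(24)
        self._codes[code] = (redirect_uri, challenge)
        return code

    def post(self, headers, form):  # returns (http_status, json_body)
        if headers.get("Authorization") != self.creds:
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") == "authorization_code":
            entry = self._codes.pop(form.get("code"), None)  # pop: a code works exactly once
            if entry is None:
                return 400, {"reason": "Invalid authorization code", "error": "invalid_grant"}
            if form.get("redirect_uri") != entry[0] or code_challenge(form.get("code_verifier", "")) != entry[1]:
                return 400, {"reason": "redirect_uri or PKCE mismatch", "error": "invalid_grant"}
            return 200, self._issue()
        if form.get("grant_type") == "refresh_token":
            if form.get("refresh_token") not in self._refresh:
                return 400, {"reason": "Invalid refresh token", "error": "invalid_grant"}
            self._refresh.discard(form["refresh_token"])  # rotation (assumed): the old one is now dead
            return 200, self._issue()
        return 400, {"error": "unsupported_grant_type"}

    def _issue(self):
        self._refresh.add(refresh := secrets.token_urlsafe(32))
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": refresh, "expires_in": ACCESS_TOKEN_TTL}

class ZoomTokenStore:
    """Client side: exchange the code once, keep the refresh token (persist it encrypted, per customer)
    and renew the access token transparently, so the user never sees the consent page again."""

    def __init__(self, client_id, client_secret, redirect_uri, post, clock):
        self.auth, self.redirect_uri, self.post, self.clock = basic_auth(client_id, client_secret), redirect_uri, post, clock
        self.access_token, self.refresh_token, self.expires_at = None, None, 0.0

    def _token_request(self, form):
        status, body = self.post({"Authorization": self.auth}, form)
        if status != 200:
            raise OAuthError(status, body)
        self.access_token, self.refresh_token = body["access_token"], body["refresh_token"]
        self.expires_at = self.clock() + body["expires_in"]
        return body

    def exchange_code(self, code, verifier):
        return self._token_request({"grant_type": "authorization_code", "code": code,
                                    "redirect_uri": self.redirect_uri, "code_verifier": verifier})

    def bearer(self):  # access token for an API call, renewed first if it expires within 60 s
        if self.clock() >= self.expires_at - 60:
            self._token_request({"grant_type": "refresh_token", "refresh_token": self.refresh_token})
        return self.access_token

def demo():  # replay the thread's steps 3-6, then jump the clock an hour and keep calling
    now, cid, secret, redirect = [0.0], "my_client_id", "my_client_secret", "https://localhost:44357/ZoomHandler.ashx"
    zoom, verifier = FakeZoomTokenEndpoint(cid, secret), secrets.token_urlsafe(64)
    url = build_authorize_url(cid, redirect, secrets.token_urlsafe(16), verifier)  # send the user here ...
    code = zoom.issue_code(redirect, code_challenge(verifier))  # ... they click Allow; code lands on redirect_uri
    store = ZoomTokenStore(cid, secret, redirect, zoom.post, lambda: now[0])
    store.exchange_code(code, verifier)  # steps 3-4: one exchange, tokens stored
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect, "code_verifier": verifier}
    second = zoom.post({"Authorization": store.auth}, form)  # step 5: the same code again -> step 6
    token_a = store.bearer()  # still fresh: no round trip to Zoom
    now[0] += ACCESS_TOKEN_TTL + 1  # an hour later the user logs in again
    token_b = store.bearer()  # renewed with the refresh token, no consent page
    return {"authorize_url": url, "second_exchange": second, "token_a": token_a, "token_b": token_b}
```

`demo()` returns the second exchange as `(400, {"reason": "Invalid authorization code", "error": "invalid_grant"})`, the same response the original tests got, and two different access tokens an hour apart with no second trip through the authorize page. In a real integration, `post` would wrap `requests.post(TOKEN_URL, headers=..., data=...)` and return `(status_code, json)`, the `state` value would be checked when the redirect comes back, the refresh token would live encrypted server-side keyed to the customer, and an `invalid_grant` on a refresh (the user revoked the app, or the token was rotated by another process) is the signal to send that customer back to the authorize page.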

Ah, I missed the part about it being valid for 15 years. Makes complete sense now.

Probably better terminology is needed. Refresh, to me, means that it has to be renewed on every call.

Thanks for the help, I think I can continue now :smile:

Thanks for sharing your insight @MultiplayerSession! Your contributions are appreciated.

Best,
Donte
