I am creating an OAuth2 app to allow our customer to grant access to their Zoom account for creating meetings. Authorization is done at the Account level.
When the authorization code is returned via the Redirect page, can that token code be stored and used on all calls indefinitely?
My initial tests seem to indicate that the user has to grant access every time a call is made.
My end goal is this:
User logs into my application and clicks a button to Authorize the integration.
User is taken to the Zoom authorization page and authorizes.
User is sent to the Redirect URL with the access code.
Access code is stored locally and used to call the server forever.
The next time the user logs into my application, it knows authorization has already been granted and the stored code is used to make Zoom calls.
I don’t want my user to have to authorize access every time they log into my application. Is that possible?
In Postman, called https://zoom.us/oauth/token?code=(code from step 2)&grant_type=authorization_code&redirect_uri=https://localhost:44357/ZoomHandler.ashx
Got back response body with access_token and refresh_token, etc.
Repeated step 3.
Got 400 Bad Request with JSON { "reason": "Invalid authorization code", "error": "invalid_grant" }
My understanding is the authorization code is one-use. You need to exchange that for an access token for something that can be reused; for details, see “Step 2: Request Access Token” in OAuth with Zoom.
While you’re there, note that the intention is to eventually make Proof Key for Code Exchange (PKCE) a requirement, but it is currently on hold due to interoperability concerns.
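The flow discussed in this thread, as an added example that is not part of the original posts or Zoom's own code: the authorization code is exchanged once, the resulting tokens are stored, and later calls reuse or refresh them without sending the user back to the consent page. `FakeTokenEndpoint` and `TokenStore` are hypothetical names; the fake endpoint is a constructed stand-in so the code runs offline, and the `refresh_token` grant, `expires_in` field and refresh-token rotation follow RFC 6749 conventions as assumptions rather than anything stated on this page.

```python
import time

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint; each code works once."""
    def __init__(self, valid_code):
        self.codes, self.refresh_tokens, self.n = {valid_code}, set(), 0

    def post(self, params):
        grant = params.get("grant_type")
        if grant == "authorization_code" and params.get("code") in self.codes:
            self.codes.discard(params["code"])  # code is burned on first use
        elif grant == "refresh_token" and params.get("refresh_token") in self.refresh_tokens:
            self.refresh_tokens.discard(params["refresh_token"])  # assumed rotation
        else:
            return 400, {"error": "invalid_grant"}
        self.n += 1
        self.refresh_tokens.add(f"refresh-{self.n}")
        return 200, {"access_token": f"access-{self.n}",
                     "refresh_token": f"refresh-{self.n}", "expires_in": 3600}

class TokenStore:
    """Holds one account's tokens: exchange the code once, then refresh."""
    def __init__(self, post, redirect_uri, now=time.time):
        self.post, self.redirect_uri, self.now = post, redirect_uri, now
        self.tokens = None  # a real app persists this server-side, encrypted

    def _save(self, status, body):
        if status != 200:  # leave any previously stored tokens untouched
            raise PermissionError(body.get("error", "token request failed"))
        old = (self.tokens or {}).get("refresh_token")
        self.tokens = {"access_token": body["access_token"],
                       "refresh_token": body.get("refresh_token", old),
                       "expires_at": self.now() + body["expires_in"]}

    def authorize(self, code):
        """Call once from the redirect handler; never store the code itself."""
        self._save(*self.post({"grant_type": "authorization_code", "code": code,
                               "redirect_uri": self.redirect_uri}))

    def access_token(self):
        """Return a usable access token, refreshing shortly before expiry."""
        if self.tokens is None:
            raise PermissionError("not authorized yet")
        if self.now() >= self.tokens["expires_at"] - 60:
            self._save(*self.post({"grant_type": "refresh_token",
                                   "refresh_token": self.tokens["refresh_token"]}))
        return self.tokens["access_token"]
```

In a real integration, `post` would send the parameters to the token endpoint along with the app's client credentials, and `tokens` would be persisted per account in place of the authorization code.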