Description
We cannot use /oauth/authorize+/oauth/token to re-authorize our Zoom app (called Bookwhen) when it’s already installed: instead we are told “Redirect URI mismatch” with code 403 Forbidden.
Found a previous issue that was solved via DMs: "Invalid request : Redirect URI mismatch." - #12 by will.zoom
From that issue:
A few more things to check on:
- Can you confirm you’ve updated your Whitelist URLs each time you’ve started up your ngrok server?
- Can you try double encoding your redirect URL
- Can you confirm your redirect URL doesn’t contain any query params
Yes to all three: whitelist URLs are correct; double-encoding caused an error on /oauth/authorize; redirect URL has no query params.
Error
{"reason": "Invalid request : Redirect URI mismatch", "error": "invalid_request"}
Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth (via Ruby’s oauth2 gem, OAuth2::Client)
Which Endpoint/s?
/oauth/authorize
/oauth/token
How To Reproduce (If applicable)
Steps to reproduce the behavior:
- Request GET
https://zoom.us/oauth/authorize?client_id=g6EknL_KSm6zy9BOHNnc6Q&redirect_uri=https%3A%2F%2Fbookwhen.test%2Fintegrations%2Fzoom%2Foauth%2Fcallback&response_type=code
(my testing app called bookwhen-test) - Authorize the app for the logged-in Zoom user: response returns 200 with authorization code
- Request POST
https://zoom.us/oauth/token
with
{
  "redirect_uri": "https://bookwhen.test/integrations/zoom/oauth/callback",
  "grant_type": "authorization_code",
  "headers": {"Authorization": "Basic [encoded client ID + secret key]"}
}
- Response returns 200 with access+refresh token
- Repeat steps 1+2: response returns 200 with authorization code
- Repeat steps 3+4: response returns 403 with “Redirect URI mismatch”
Additional context
We are already successfully using /oauth/authorize to authorize for our users, and with the code returned we are able to successfully fetch and store an access+refresh token and make requests on behalf of the user.
Making that exact same /oauth/authorize + /oauth/token request again, with the same parameters and everything, results in 403 Forbidden because Redirect URI mismatch.
If we fail to save the refresh token that’s returned in every request, then we need to ask our users to re-authorize, but they can’t because of this error. The only solution is to uninstall our app and authorize, which causes all the meetings we created to be deleted. After successfully installing the app from scratch, we then recreate all those meetings, and hit the “100 requests per day per app” rate limit, which means we can’t perform our responsibilities for our users for 24 hours.
Thanks for your help,
Henry
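As an added example, not code from the original post, from the oauth2 gem or from Zoom: the three-step flow described in the reproduction steps written against Ruby's standard library only, using placeholder client credentials and the redirect URL from the post. It builds the /oauth/authorize URL with a single layer of percent-encoding and a state value, verifies that state on the callback before trusting the code, builds the /oauth/token POST with HTTP Basic client authentication and the grant_type, code and redirect_uri form fields, and ends with a checker that reports which item of the checklist above (double encoding, query parameters, trailing slash) would make a redirect_uri fail the server's exact-match comparison. The sample callback URL and the mismatching variants are constructed; nothing is sent over the network.

```ruby
require "uri"
require "net/http"
require "securerandom"

# Placeholder credentials for illustration only (not the app's real ones).
CLIENT_ID     = "example_client_id"
CLIENT_SECRET = "example_client_secret"
AUTHORIZE_URL = "https://zoom.us/oauth/authorize"
TOKEN_URL     = "https://zoom.us/oauth/token"
# Registered redirect URL: it must be sent byte-for-byte identically in both steps.
REDIRECT_URI  = "https://bookwhen.test/integrations/zoom/oauth/callback"

# Step 1: build the /oauth/authorize URL. URI.encode_www_form percent-encodes
# the redirect_uri exactly once (https%3A%2F%2F...). Encoding it a second time
# would send %253A%252F... and the server would compare the wrong string.
def build_authorize_url(client_id:, redirect_uri:, state: SecureRandom.hex(16))
  query = URI.encode_www_form(
    client_id: client_id,
    redirect_uri: redirect_uri,
    response_type: "code",
    state: state # tie to the user's session so the callback can be checked
  )
  ["#{AUTHORIZE_URL}?#{query}", state]
end

# Step 2: on the callback, reject the response unless state matches what we
# issued (CSRF check), then hand back the one-time authorization code.
def parse_callback(callback_url, expected_state:)
  params = URI.decode_www_form(URI(callback_url).query.to_s).to_h
  raise "state mismatch: possible CSRF" unless params["state"] == expected_state
  raise "callback carried no code" unless params["code"]
  params["code"]
end

# Step 3: build the /oauth/token request. Client credentials go in an HTTP
# Basic header; grant_type, code and redirect_uri go in the form-encoded body.
# The request object is returned rather than sent, so this runs offline.
def build_token_request(code:, redirect_uri:, client_id:, client_secret:)
  req = Net::HTTP::Post.new(URI(TOKEN_URL))
  # ["..."].pack("m0") is Base64 without line breaks, no base64 gem needed.
  req["Authorization"] = "Basic " + ["#{client_id}:#{client_secret}"].pack("m0")
  req.set_form_data("grant_type"   => "authorization_code",
                    "code"         => code,
                    "redirect_uri" => redirect_uri)
  req
end

# Mirror of the exact-match comparison an authorization server performs,
# reporting which checklist item explains a mismatch.
def diagnose_redirect_uri(registered, sent)
  return :ok if registered == sent
  # Encoded twice by the client: the server decoded once and still sees %3A%2F.
  return :double_encoded if URI.decode_www_form_component(sent) == registered
  return :query_params   if URI(sent).query && URI(registered).query.nil?
  return :trailing_slash if sent.chomp("/") == registered.chomp("/")
  :other
end
```

The checker is deliberately strict: it does not normalise anything, because the server does not either, and the only safe fix for a mismatch is to send the registered string unchanged.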