Refresh token issue in multi-tenant environment


We are experiencing an issue with how the refresh token works in our multi-tenant app, explained below.

We have multi-tenant support in our application, so a given user (with email A) can have accounts in both Tenant1 and Tenant2, which are totally isolated environments (with different login credentials). This means that if the user wants to connect our app to his Zoom account, he will repeat the OAuth flow twice, once for each tenant.

The problem here is that once he completes the OAuth flow on the second tenant, he gets a new refresh token, which invalidates the previous refresh token that was created for the first tenant (stored separately).

How can we go around this issue?

One possible fix would be to store the ZoomUserId beside the refresh token, and when a new refresh token is generated, we update all DB records for that ZoomUserId.
Does that make sense, or are there other alternatives?
Also, this wouldn’t be that easy if we end up storing different tenant info in different databases, which we eventually plan to do.

Thank you,

Hi @miroslav.grozdanovsk, your suggestion is the only solution I can currently imagine given the requirements of the single refresh_token per userId. We are working on providing greater flexibility for multi-tenant OAuth, but this is our current suggestion.

Hi @michael.harrington,

Do you have any rough estimation of when you will complete those changes and provide that flexibility?
If it’s soon, it may affect the development plans on our side.

Thank you,

Hi @miroslav.grozdanovsk, I do not believe this is on our short-term roadmap. The Marketplace team is prioritizing user privacy & security reviews at this time.
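The workaround discussed in this thread (store the ZoomUserId beside the refresh token and update every record for that ZoomUserId when a new token arrives), sketched as an added example that is not code from any poster or from Zoom. It assumes all tenants share one SQLite database; the table, column and function names are hypothetical, as is the `issued_at` ordering column.

```python
import sqlite3

# Hypothetical schema: one row per (tenant, Zoom user). issued_at is an assumed
# column (epoch seconds when the token response was received) used for ordering.
SCHEMA = """
CREATE TABLE IF NOT EXISTS zoom_connection (
    tenant_id     TEXT NOT NULL,
    zoom_user_id  TEXT NOT NULL,
    refresh_token TEXT NOT NULL,    -- plaintext here; encrypt at rest in practice
    issued_at     INTEGER NOT NULL,
    PRIMARY KEY (tenant_id, zoom_user_id)
);
"""

def open_store(path=":memory:"):
    # isolation_level=None: transactions are controlled explicitly below.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.executescript(SCHEMA)
    return conn

def save_refresh_token(conn, tenant_id, zoom_user_id, refresh_token, issued_at):
    """Store a token one tenant obtained and copy the newest token for that
    Zoom user to every tenant row. Returns the token all tenants now hold."""
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading
    try:
        newest = conn.execute(
            "SELECT refresh_token, issued_at FROM zoom_connection "
            "WHERE zoom_user_id = ? ORDER BY issued_at DESC LIMIT 1",
            (zoom_user_id,)).fetchone()
        if newest and newest[1] >= issued_at:
            # Incoming token is older than the stored one: it has been superseded.
            refresh_token, issued_at = newest
        conn.execute("INSERT OR REPLACE INTO zoom_connection VALUES (?, ?, ?, ?)",
                     (tenant_id, zoom_user_id, refresh_token, issued_at))
        conn.execute("UPDATE zoom_connection SET refresh_token = ?, issued_at = ? "
                     "WHERE zoom_user_id = ?",
                     (refresh_token, issued_at, zoom_user_id))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return refresh_token

def current_token(conn, tenant_id, zoom_user_id):
    row = conn.execute(
        "SELECT refresh_token FROM zoom_connection "
        "WHERE tenant_id = ? AND zoom_user_id = ?",
        (tenant_id, zoom_user_id)).fetchone()
    return row[0] if row else None
```

With one database per tenant, as the original poster plans, this single transaction no longer covers every record, and the token would cross the tenant isolation boundary on each update.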