Refresh token not having tolerance when there is timeout

  1. Our App Details are:
    Client ID: hei16IV2SOqyRBVS5lFWlw
    App Name: CalDotComStaging

  2. The Zoom refresh token endpoint was consumed for some of our users with our Zoom client ID, Zoom client secret, and their respective last valid refresh tokens.

  3. For the ones that went through successfully, both the new refresh token returned and the previous refresh token were still able to give a successful result when used to consume the refresh token endpoint again. Thus some tolerance was observed.

  4. However, the one that timed out gave the perplexing result that it no longer allowed the last refresh token to give a successful result after that; rather, it started giving invalid_token (i.e. invalid refresh token) as the reason for its failure.

  5. Checking this link shows that this behavior has been observed by other Zoom OAuth API users: How to refresh token if refresh_token in incorrect - #19 by katyle

  6. The more worrisome issue is that there is that part of the temporary solution for the above where Zoom is talking about increasing the tolerance of refresh tokens, which basically means allowing stale refresh tokens to still be valid if their validity period hasn’t been exceeded, even if they are not the last generated, up to a particular threshold Zoom desires. However, (3) shows that the said tolerance has been implemented generally into the behavior of Zoom’s refresh token endpoints, whereas, (4) means that there’re still bugs left in that behavior.

  7. Being that we have a case similar to 5, we need to be able to retry with the last token because of failure reasons like (4). A tolerance of 2 or 3 refresh tokens being valid concurrently will be highly appreciated, because when our clients need to book meetings, failure to get a successful refresh token is preventing us from generating their booking URL in real time.

Kindly treat as urgent.
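
The failure in (3) and (4), reproduced against a simulated endpoint as an added example (not part of the original post and not Zoom's code). `SimulatedTokenEndpoint`, `refresh_with_retry` and the reading of "tolerance" as "the N most recent refresh tokens are accepted" are assumptions made for illustration.

```python
from collections import deque

class TimeoutLost(Exception):
    """The server rotated the token, but the response never reached the client."""

class SimulatedTokenEndpoint:
    """Hypothetical stand-in for a rotating refresh-token endpoint."""
    def __init__(self, first_token, tolerance):
        # Assumption: `tolerance` = number of most recent tokens accepted at once.
        self.valid = deque([first_token], maxlen=tolerance)
        self.counter = 0
        self.drop_next_response = False  # constructed fault: lose one response

    def refresh(self, token):
        if token not in self.valid:
            return {"error": "invalid_token"}
        self.counter += 1
        new = f"rt-{self.counter}"        # constructed token value
        self.valid.append(new)            # oldest token drops out at maxlen
        if self.drop_next_response:
            self.drop_next_response = False
            raise TimeoutLost()           # rotation done, client never sees `new`
        return {"refresh_token": new}

def refresh_with_retry(endpoint, store, retries=2):
    """On timeout, retry with the last stored token; persist any new token at once."""
    for _ in range(retries + 1):
        try:
            resp = endpoint.refresh(store["refresh_token"])
        except TimeoutLost:
            continue                      # stored token is still the last one we know
        if "error" in resp:
            return "reauthorize"          # stored token is dead; user must consent again
        store["refresh_token"] = resp["refresh_token"]
        return "ok"
    return "retry_later"

def scenario(tolerance):
    """First refresh times out after the server has already rotated."""
    endpoint = SimulatedTokenEndpoint("rt-0", tolerance)
    store = {"refresh_token": "rt-0"}
    endpoint.drop_next_response = True
    return refresh_with_retry(endpoint, store), store["refresh_token"]

if __name__ == "__main__":
    print("tolerance=1:", scenario(1))    # retry fails with invalid_token
    print("tolerance=2:", scenario(2))    # retry with the old token succeeds
```

A wider tolerance also lengthens the time a leaked older refresh token stays usable, so the setting trades reliability against replay exposure.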

Hi @seanbuffer ,

I will put in a request for token tolerance increase for you. Can you please respond to my private message with the email address associated with your app?

Hi @gianni.zoom,

I’ve done that, thanks.

Hi @seanbuffer ,

I’ve put in the request (ZSEE-109270). I’ll update you as needed :slight_smile:

Noted with thanks @gianni.zoom.

I’ll be on the lookout for your updates.

Hi @seanbuffer ,

Please see below: