We are able to generate access token for a user who has removed the authorized Zoom app from his Zoom Marketplace added apps section. So even after removing the app meetings are created for this user. Here is the usecase:
-
We create a user managed OAuth app in Zoom marketplace with meeting:read and meeting:write scopes.
-
A user in application can authorize the Zoom app for create/update meetings. On user authorization we capture the refresh token. The following two API calls are involved
-POST [https]://zoom.us/oauth/authorize?response_type=code&client_id=&redirect_uri=<>
-POST [https]://zoom.us/oauth/token?code=<>&grant_type=authorization_code -
When a meeting is scheduled with the above user as host, we generate an access token using the refresh token and create a zoom meeting using the meeting API.
-POST [https]://zoom.us/oauth/token?grant_type=refresh_token&refresh_token= -
Now, the user removes the Zoom app from his Zoom marketplace account. After this we should not be able to generate an new access token to create a meeting for this user. However the new token is still getting generated and we are able to create a meeting from application.
This makes it impossible for a user to remove his authorization to a Zoom app. This was not the behavior when we initially did the integration i.e. removing the zoom app from marketplace invalidated the refresh token generated for that app. Please advice