Request insights & help - Zoom OAuth callback URL mismatch resulting in error 4700

Hello,
I’m stuck at this OAuth barrier and cannot move forward with my app development.
Have you experienced (and overcome) this OAuth barrier? Thank you.

Issue (Bottom Line Up Front): We’re experiencing a Zoom OAuth callback URL mismatch resulting in error 4700 during the authentication flow. Despite configuring the redirect URL with the /auth prefix, Zoom appears to be redirecting to a different path.

Technical Configuration

  1. OAuth App Settings:
  • Client ID: bwNRE______G7w
  • Configured Redirect URL: ___https://18characters.ngrok-free.app/auth/zoom/callback
  • Security Settings: Both “Subdomain Check” and “Strict Mode” are enabled
  2. Implementation Details:
  • Using Express.js for the server implementation
  • Implementing full OAuth 2.0 flow with state parameter for CSRF protection
  • All routes are properly secured with Helmet middleware for security headers
  • Comprehensive logging implemented for debugging OAuth flow
  3. Security Measures:
  • HTTPS enforced through ngrok tunnel
  • Implementing security headers:
    • Strict-Transport-Security
    • X-Content-Type-Options
    • Content-Security-Policy
    • Referrer-Policy
  • State parameter validation for CSRF protection
  • Secure cookie handling

Issue Description

  1. Expected Behavior:
  • User clicks “Connect with Zoom”
  • Redirects to Zoom OAuth consent screen
  • After consent, Zoom should redirect to: ___https://18characters.ngrok-free.app/auth/zoom/callback
  2. Actual Behavior:
  • Initial OAuth redirect works correctly
  • After consent, Zoom redirects to ___https://18characters.ngrok-free.app/zoom
  • Results in error 4700 due to redirect URL mismatch
  3. Troubleshooting Steps Taken:
  • Verified exact URL match in Zoom App Marketplace configuration
  • Enabled Strict Mode and Subdomain Check
  • Implemented comprehensive request logging
  • Verified proper URL encoding in OAuth requests
  • Confirmed security headers are not interfering with the redirect

Questions for Zoom Dev Forum:

  1. Is there a known limitation with redirect URLs containing the /auth path segment?
  2. Are there any specific requirements for redirect URL patterns that we should be aware of?
  3. Could there be an issue with how the platform handles nested paths in redirect URLs?
  4. Are there any specific settings in the Zoom App Marketplace that might affect how redirect URLs are processed?

Additional Context:

  • The application will be a production system requiring secure OAuth implementation (in Development phase now)
  • We’re using ngrok for development/testing, but the issue persists with production URLs
  • All other OAuth flows in the application (not Zoom-related) work correctly with the /auth prefix

Please let us know if you need any additional information or specific logs to help diagnose this issue.

Hi,
Could you ensure that the Redirect URI exactly matches what’s configured in the Zoom App Marketplace?
Also check if there’s any dynamic URL management going on; make sure both the authorization and token request steps use the exact same URI.
Cheers,
Harsh


Thank you for the insights, Harsh!

The OAuth Redirect URL from Zoom App Marketplace is:
https://20d3-157-97-121-37.ngrok-free.app/auth/zoom/callback

The ZOOM_REDIRECT_URL in the .env file in our code base is:
https://20d3-157-97-121-37.ngrok-free.app/auth/zoom/callback

To your second on-point question:

We’ve looked at whether there is a URL inconsistency in our OAuth flow:

  1. Authorization Request:
  • We use process.env.ZOOM_REDIRECT_URL from our environment variables
  • This is set to: https://20d3-157-97-121-37.ngrok-free.app/auth/zoom/callback
  2. Token Exchange:
  • We verified that we’re using the exact same URL (as shown above) in our token exchange request
  • The code is handling the OAuth flow through our tokenManager.exchangeCodeForToken() method

In the exchangeCodeForToken method, we use the same ZOOM_REDIRECT_URL from our environment variables in both places:

  1. Authorization Request (in getAuthUrl):

    // redirect_uri comes from the environment so both legs share one value
    const params = new URLSearchParams({
      redirect_uri: process.env.ZOOM_REDIRECT_URL,
      // … other params
    });

  2. Token Exchange (in exchangeCodeForToken):

    const response = await axios.post(this.zoomConfig.tokenUrl, null, {
      params: {
        grant_type: 'authorization_code',
        code,
        redirect_uri: process.env.ZOOM_REDIRECT_URL // Same URL used here
      },
      // … headers
    });

I believe this confirms that we’re using the exact same URL (https://20d3-157-97-121-37.ngrok-free.app/auth/zoom/callback) in both places. However, we should add more detailed logging to track the exact URL being used in each request.

Can we confirm:

  1. Should the redirect URL in the token exchange request exactly match the one registered in the Zoom App Marketplace?
  2. Are there any URL encoding requirements for the redirect URL in either step?
