Security Issues Regarding Marketo Integration

Description
Hi, we are considering implementing the Marketo/Zoom Integration and had some questions regarding security. Unlike other implementations, it appears that this sync requires a Zoom account with admin credentials to be stored on the Marketo server, as indicated by the need to update every time a password is changed. I wanted further clarification as to what and how the Zoom synch is created and held.

I also looked through the documentation posted on the DevHub and was not able to find the explicitly required Zoom admin permissions needed to elevate a normal user to a user capable of managing this application and approving the Sync, to prevent a Zoom super-admin from being the one in charge of this implementation solely used by the Marketing team.

Error
N/A

Which App?
Marketo in the Zoom Marketplace & Zoom in the Marketo LaunchPoint

How To Reproduce (If applicable)
N/A

Screenshots (If applicable)
N/A

Additional context
N/A

Hey @ajbuettner,

The Marketo App is an Account Level App, meaning one Zoom Admin can install it and the app will function for all Zoom users on the account.

Can you share more details about this? Any docs or screenshots would be helpful. Are you referring to the OAuth flow?

Thanks,
Tommy

Hey Tommy, thanks for the response…
Per the install guide for Zoom/Marketo we need to connect an admin account or elevate a user to have permissions to edit users, view usage reports, and edit integration. We tried adding a normal user to a group that had these permissions enabled but the synch still failed to take place.

We have security concerns about putting Zoom admin credentials on the Marketo server as we use SSO to login, and it appears Marketo is storing this admin account's credentials and using it to log in and pull data.

Hey @ajbuettner,

The Zoom for Marketo app uses the OAuth flow, meaning no login credentials are stored outside of Zoom, only the access and refresh tokens. The access and refresh tokens are not stored on the Marketo side either, because Zoom built this integration; they are stored by Zoom.

Does that make sense?

Thanks,
Tommy