[Security Update] No token values in URL query parameters

As part of our continuing efforts to improve the security of Zoom OAuth App Types using the Authorization flow, we are removing the ability to set the access tokens, refresh tokens and revoke tokens in the URL query parameters. This change will take effect in February 2023. It is strongly recommended that you update your API calls to set the token values in the Authorization header and not in the HTTP query parameters. Failure to do so will result in rejected API calls and reduced functionality for your application. If you are not the technical point of contact, it is strongly recommended that you forward this message to the appropriate party.

Read more about the change and how to do OAuth via the Authorization header.

@shariq.torres Does this also apply to the download_url authentication (download_token) as described in this documentation: Zoom API Events - Meeting?

In the documentation it shows the examples:

Using an Authorization header (Recommended)

curl --request GET \
 --url {download_url} \
 --header 'authorization: Bearer {download_token}' \
 --header 'content-type: application/json'

Using a query parameter

{download_url}/?access_token={download_token}

Yes it does. You would need to put the access_token in the ‘Authorization’ header for the request. In the curl example, you would have to use the output flag, i.e., --output /path/to/download.file.
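As an added illustration of the migration described in this answer (example code, not Zoom's own), the helper below takes a request URL that still carries a token in its query string, strips the token, and returns the URL with an equivalent Authorization: Bearer header. The parameter names it looks for (access_token, refresh_token) and the sample download_url and token values are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
import urllib.request

# Query-parameter names we assume carry tokens; only access_token is
# moved into the Authorization header, any other match is returned to
# the caller so it can be placed in the request body instead.
TOKEN_PARAMS = {"access_token", "refresh_token"}


def move_token_to_header(url, headers=None):
    """Return (clean_url, headers, body_params).

    clean_url has every token parameter removed from the query string,
    headers gains 'Authorization: Bearer <access_token>' unless one is
    already set, and body_params holds the other token parameters found.
    """
    parts = urlsplit(url)
    kept, body_params = [], {}
    new_headers = dict(headers or {})
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in TOKEN_PARAMS:
            kept.append((name, value))
        elif name == "access_token":
            new_headers.setdefault("Authorization", f"Bearer {value}")
        else:
            body_params[name] = value
    clean_url = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean_url, new_headers, body_params


def build_download_request(download_url, download_token):
    """Build a urllib Request for a recording download using the header form."""
    clean_url, headers, _ = move_token_to_header(
        download_url, {"Authorization": f"Bearer {download_token}"}
    )
    return urllib.request.Request(clean_url, headers=headers, method="GET")


if __name__ == "__main__":
    # Constructed sample: the old query-parameter style from the docs.
    legacy = "https://example.invalid/rec/download/abc?access_token=tok123&file=1"
    url, hdrs, body = move_token_to_header(legacy)
    print(url)                      # token no longer in the URL
    print(hdrs["Authorization"])    # Bearer tok123
```

The returned Request can be passed to urllib.request.urlopen and its body written to a file, which is the equivalent of curl's --output flag.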

@shariq.torres : Hi, I am using Zoom Web SDK. Does this also apply to Web SDK? Do I need to do anything?

@shariq.torres
Is this only for access_token and refresh_token?
Will it also apply to client_id and client_secret, or can those still be passed through url query parameters?

Hi.
Does this apply to JWT calls to URLs generated by you?
For example:

Hi @shariq.torres ,
We are using the following format to generate / refresh / revoke access tokens.

Are these still okay to use? We are calling the API with the user details in the request body, and the Authorization header contains only the client ID and secret.

Hi,

I got the first email about this today. Is the date correct? We only have four days to make the updates??

Could you please give us more time? I have multiple applications to take care of.

2 Likes

Hello! What does this even mean? I am not a tech person and although the email stresses that we forward the notice to the appropriate technical contact, we do not have one. Can anyone tell me if this will impact me?

We use Zoom for meetings nationally and internationally. We have the PRO Version of zoom. And, when I called tech support, I was hung up on by the computer system (not by a person) twice so I could not get through. Thanks

1 Like

@shariq.torres Thank you for your prompt reply to my previous question.

I have two follow up thoughts:

  1. It appears that the email notification for this change went to the wrong list of users. I did not receive this notice on any of my Zoom Developer Accounts, I only received the email notification on my end user accounts.

  2. 4 days is impossibly short notice. The last notice I saw about this was on February 23, 2022 (Announcements) when it was said “At a date to be determined, we will make these features mandatory. We will notify you in advance of this date.”

Almost anyone will need more than 4 days to make a change of this magnitude. Was your original forum post the advance notice?

2 Likes

There was another email communication that was sent in May of this year as well as another email in August. There was also the announcement that you linked. I believe around springtime, the documentation was changed to reflect sending access_tokens via the headers.

From the pushback we have received, I think the assumption was that developers had already made these changes. That obviously was a bad assumption. I’m working with some of the stakeholders to see what options we have going forward, but I won’t have an update until tomorrow.

I hear you. I’ll have some more information for everyone tomorrow.

1 Like

If you use the Zoom APIs for your application, then you are affected. Do you have the contact of the developer(s) that made your application? They would be the appropriate party to forward this info.

How would I know if I use Zoom APIs? Any ideas? I don’t know what that is.

@Alyssa,

Here is a link to the Zoom REST API endpoints:

One way you can verify if you use Zoom APIs is to log in to Zoom Marketplace and check if there are any API Call logs. Here is a screenshot of what that page looks like:

Hi @shariq.torres / @donte.zoom ,
Can you please confirm that if we are following the Zoom documentation (i.e. OAuth with Zoom), it would be okay?

I have shared the links above of each token related request we are using.

Thank you!

May I know if JWT is affected?

Thank you! That helps!

Yes, I do use APIs. What do I do now?

:+1:
Some extra time would be great.

(BTW, no one at our organization seems to have received the May or August email notifications. Though, we did receive the email notification sent on Monday, Nov. 14.)

1 Like