SSO OAuth Redirect Issue

We have an electron app and we want to let users authenticate / authorize with their Zoom account so we can get their meeting URL dynamically. We’re using auth0 for our authentication as a service and have setup a custom social connection through the /oauth/authorize endpoint. We’ve set the response_type, redirect_uri, scope, state, and client_id in the query parameters, and this works fine in most scenarios, though we haven’t been able to publish it yet to test accounts outside of our domain.

From our app, if I click on the “Sign in with SSO link” from /oauth/authorize?<query_parameters> and login through there then everything works fine.

If I enter my SSO credentials from /oauth/authorize?<query_parameters> it redirects to /oauth/signin instead of taking me to our SSO login like it does on the Zoom website. If I then try to do anything from this page it produces a 400 error, presumably because this /oauth/signin doesn’t have any query parameters set and isn’t valid for our app. I don’t see our SSO address come back in any of the responses, so it seems like Zoom isn’t even trying to navigate me where I’d expect to go.

I’d expect the /oauth/authorize endpoint to behave similarly to /oauth/signin, but maybe I’m missing something either in the API or in the responses. Any clarification on this behaviour or how to work around would be much appreciated.

Thanks.

Hi @sclark,

I am currently working on your request, and will respond to you within 24 hrs.

Thanks!

Hi @sclark,

I am still consulting with our Engineers regarding this issue, and will update you shortly.

Thanks!

Hi @sclark,

Thank you for patiently waiting.

Here are some details about the OAuth endpoints

The /oauth/authorize endpoint will redirect you to your redirect endpoint, which has to be provided by you in the query parameters, with the OAuth code when you have already authorized the application. When the application has not been authorized, it will redirect to the /oauth/signin page.

For the /oauth/signin endpoint, if you have not logged in, it will show the login page to ask you to log in. If you have already logged in to Zoom web, it will show the authorize page so that you can authorize the application.

Regarding SSO, can you please let us know how you are providing SSO credentials from /oauth/authorize?<query_parameters> so that we can give recommendations?

Thanks!

Thanks for looking into this @ojus.zoom.

If I hit our auth0 endpoint it ultimately redirects me through https://zoom.us/oauth/authorize?<...> to https://zoom.us/oauth/signin?_rnd=<rnd>&client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&state=<state>&scope=user_profile user:read. All good, just as expected. I get a “Sign In” page asking for email and password with links below for Google, Facebook, or “Sign in with SSO”.

If I click on “Sign in with SSO” from this page it redirects me to https://zoom.us/oauth/sso_login?_rnd=<rnd>&client_id=<client_id>&response_type=code&redirect_uri=<redirect_uri>&state=<state> (very similar query to the non-SSO login page). From there I can specify my SSO domain which redirects me to /my/sso and I can sign in without any issue.

If, on the other hand, I try to sign-in using an email address with a domain that Zoom recognizes as an SSO domain, instead of taking me to /my/sso where I can authenticate it goes to https://zoom.us/oauth/signin without any of the former query parameters. From there, if I click on the “Sign in with SSO” link I get a 400 Bad Request probably due to CSRF prevention as we’ve lost the state from the query and the headers have likely changed. Trying to enter credentials again just dumps me back on the same page. Compare this to following the same flow on the Zoom website where after entering my SSO domain email I end up at /my/sso instead of https://zoom.us/oauth/signin and can sign-in without problem.

I’m not sure if this helps or changes anything, but our app is an Electron app that uses Auth0 for AaaS. We load our Auth0 tenant via a webview which allows users to choose the account they want to authenticate. We’re trying to add Zoom as one of these services via a custom social connection so that a user who signs in via Zoom will have a valid Zoom API access token and the associated permissions. This has worked well except for the scenario I’ve mentioned above.

Thanks

Hi @sclark,

Thank you for the information. I am discussing this with the engineering team, and will get back to you with an update, early next week.

Thanks!

Hi @sclark,

Our engineers have confirmed that what you are experiencing is a bug on our side. While they are working diligently to fix this, can you please provide us some additional information?

If, on the other hand, I try to sign-in using an email address with a domain that Zoom recognizes as an SSO domain, instead of taking me to /my/sso where I can authenticate it goes to https://zoom.us/oauth/signin without any of the former query parameters

For this step, in which of the following pages did you provide your email address with a domain:
the /oauth/signin page,
the /oauth/sso_login page, or the
/oauth/sso_email_login page?

Also, are you just inputting your email address?

Once again, thank you for notifying us of this error.

Thanks!

Sorry for the late reply.

I’m entering my company email address (managed by SSO) along with a bogus password to satisfy the form requirements into the /oauth/signin page. From there I expect it to redirect me to my company’s SSO login https://my-company.co/signin where I can enter my actual username and password and get logged in.

This is how it works from https://zoom.us/signin.

Thanks!

Hi @sclark,

Our Engineers have confirmed that the /oauth/signin page does not work like zoom.us/signin. They have identified it as a bug, and will be fixing it in future releases.

You can follow our changelog and developer roadmap to see the latest updates.

Thanks

Have you fixed this?

Hi @kuarora,

As this thread is a bit outdated, can you share a recent example of the issue you’re running into? I’d like to make sure I can take a closer look and determine if it’s related to this original issue since it’s been some time.

Thanks!
Will