SSO sometimes redirects to meeting page

We have our Android application using AppAuth library with custom tabs for OAuth authorization.

We are using /authorize

zoom.us/oauth/authorize?redirect_uri=https%3A%2F%2Fzoomboxerredirect.vmware.com%2F&client_id=apBktPWPSCaawCXIBQHnaw&response_type=code&state=Myu2ygIaAzzi_RM6l4462g&nonce=yb2G_H8NlYVThRO0lsWDUQ&code_challenge=XQ4ZnjrEa06nUy8Dn2LePK70--Z9h9Uiw-AJchI2dpE&code_challenge_method=S256

Users log in using SSO and are redirected to the VMware Workspace One SSO client. After the user is authenticated by VMware, the Zoom SSO page vmware.zoom.us/saml/SSO is loaded, and in most cases this redirects to our redirect_uri, but in some cases this page doesn't load the redirect URI and loads vmware.zoom.us/meeting instead.

I have compared the network logs for both cases (when we end on redirect_uri and when we end on /meeting) and I can't determine why in some cases we are being redirected to vmware.zoom.us/meeting instead of the redirect URI.

These are the network traces for when we end on redirect_uri and when we end on the /meeting page:

meeting redirect.har

redirect_uri redirect.har

Reviewing the .har files, we could see that the point at which they start to differ is after the user is authenticated by Workspace One SSO and calls the Zoom SSO to finish the OAuth flow.

We see the Location header and redirectURL pointing to this /meeting when we have this issue happening.

Hello forum, could someone please take a look at this issue?

Any ideas or suggestions on how to fix it are welcome 🙂

I was able to notice that when the authentication flow ends on the /meetings page, we are missing the _zm_bu cookie when loading https://vmware.zoom.us/saml/SSO.

On the contrary, when the flow ends on the redirectURI (the expected result), the _zm_bu cookie is present, containing the right /authorized endpoint with the redirectURI. Extract:

{
  "name": "_zm_bu",
  "value": "https%3A%2F%2Fzoom.us%2Foauth%2Fauthorize%3Fclient_id%3DapBktPWPSCaawCXIBQHnaw%26response_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252Fzoomboxerredirect.vmware.com%252F%26state%3DgEV8ROMUh9e0jh9dGC3yvw%26code_challenge%3D9h3F6xPpnmkR3olU_y7F73aM9cSwadSFoiYHV7HDmk0%26code_challenge_method%3DS256",
  "path": "/",
  "domain": ".zoom.us",
  "expires": "1969-12-31T23:59:59.000Z",
  "httpOnly": false,
  "secure": true
},

I found this issue with the same cookie _zm_bu, but I believe it is the opposite case.

Could someone help me find out why both flows (meeting redirect.har and redirect_uri redirect.har) have the same steps but end on a different page?
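
An added example, not part of the original post and not Zoom's or AppAuth's code: a Python script that applies the comparison described above to HAR data, reporting for each /saml/SSO request whether _zm_bu was sent, which redirect_uri the cookie encodes, and where the response redirects. The traces, the host tenant.zoom.us, the client id and the redirect URI in it are constructed placeholders, including the Location value of the working case.

```python
import json
from urllib.parse import urlsplit, unquote, parse_qs

SSO_PATH = "/saml/SSO"   # endpoint named in the post
COOKIE = "_zm_bu"        # cookie named in the post

def load_har(path):
    """Load a HAR export (tolerates a UTF-8 BOM)."""
    with open(path, encoding="utf-8-sig") as f:
        return json.load(f)

def sso_report(har):
    """One row per request to the SAML SSO endpoint."""
    rows = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        if urlsplit(req["url"]).path != SSO_PATH:
            continue
        value = next((c["value"] for c in req.get("cookies", [])
                      if c["name"] == COOKIE), None)
        redirect_uri = None
        if value is not None:
            # The cookie holds a URL-encoded /oauth/authorize URL whose own
            # redirect_uri parameter is encoded a second time.
            query = urlsplit(unquote(value)).query
            redirect_uri = parse_qs(query).get("redirect_uri", [None])[0]
        # Prefer the Location header; fall back to HAR's redirectURL field.
        location = next((h["value"] for h in resp.get("headers", [])
                         if h["name"].lower() == "location"),
                        resp.get("redirectURL") or None)
        rows.append({"cookie_sent": value is not None,
                     "oauth_redirect_uri": redirect_uri,
                     "location": location})
    return rows

def _har(cookies, location):
    """Constructed two-entry trace; only the second entry hits the SSO endpoint."""
    return {"log": {"entries": [
        {"request": {"url": "https://idp.example.com/login", "cookies": []},
         "response": {"headers": [], "redirectURL": ""}},
        {"request": {"url": "https://tenant.zoom.us/saml/SSO", "cookies": cookies},
         "response": {"headers": [{"name": "Location", "value": location}],
                      "redirectURL": location}}]}}

# Constructed values, shaped like the cookie extract in the post.
AUTHORIZE = ("https%3A%2F%2Fzoom.us%2Foauth%2Fauthorize%3Fclient_id%3DEXAMPLE"
             "%26redirect_uri%3Dhttps%253A%252F%252Fapp.example.com%252F%26state%3Dabc")
GOOD = _har([{"name": COOKIE, "value": AUTHORIZE}], "https://zoom.us/oauth/authorize")
BAD = _har([], "https://tenant.zoom.us/meeting")

if __name__ == "__main__":
    for name, har in (("redirect_uri", GOOD), ("meeting", BAD)):
        print(name, sso_report(har))
```

To run it on real captures, pass `load_har("meeting redirect.har")` and `load_har("redirect_uri redirect.har")` to `sso_report` in place of the constructed traces.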