Description
I understand that direct login has been removed from the Desktop Meeting SDK (which will make things much less convenient, but I’m not trying to appeal that decision). I’m trying to work out how to keep the existing functionality - in particular, starting a scheduled meeting.

I would expect that to be seamless, just as for a logged-in user - but it appears to be trying to join the meeting instead.

Which Desktop Meeting SDK version?
I’m currently using 5.7.6.1079, but want to migrate to 5.9.0.2546 - hence why I’m investigating OAuth. (I looked in the release notes, and didn’t see this as a bug fixed since 5.7.6.1079 - I can try the latest SDK if necessary, but it will take a little longer.)

This is using the Windows C# wrapper.

To Reproduce
Steps to reproduce the behavior:

1. Log in via OAuth to get a code
2. Claim an OAuth token via the code
3. Use the OAuth token to generate a ZAK
4. Use the ZAK in a MeetingService.Start call:

var startParam = new StartParam
{
    userType = SDKUserType.SDK_UT_WITHOUT_LOGIN,
    withoutloginStart = new StartParam4WithoutLogin
    {
        userZAK = zak,
        userID = userId,
        userName = displayName,
        meetingNumber = meetingNumber,
        isDirectShareDesktop = false,
        zoomuserType = ZoomUserType.ZoomUserType_APIUSER,
    }
};
var result = meetingService.Start(startParam);

I’d expect that to start the meeting, but instead it prompts for the passcode, and if there’s a waiting room, the user has to wait for the host to start the meeting - when the intention is to use the SDK to be the host.

The ZAK and user ID appear to be completely ignored, suggesting either I’ve got a broken ZAK somehow, or I’m doing something completely wrong.

Device (please complete the following information):

• Device: Windows Surface Laptop 4
• OS: Windows 11

I’ve just realised one additional piece of context that may be relevant: the OAuth credentials (and then the ZAK) were obtained via a separate app - I don’t want to convert my SDK app to an OAuth app, given that I still need it to work with email login while I’m getting OAuth working.

Could this be making the ZAK invalid? Is there any reason why “start meeting with invalid ZAK” would behave like “join meeting with no authentication at all” instead of complaining that the ZAK is invalid?

Ah… having:

• Created a new user
• Created a new SDK app
• Gone through all the OAuth hoopla again

… I can now start a meeting.

It looks like a single account can only have a single SDK application associated with it, and that SDK application can only support either login or OAuth, are you expecting all users to create a second developer account? This is hugely inconvenient (and that’s before we get to the problem of "I don’t want my app on the Marketplace; I just want to be able to use the SDK as before).

I’m glad that the older SDK supporting direct login will be available for a while… is there a plan to make the migration to OAuth simpler? Because at the moment it feels really painful, unless I’ve missed something. I’d be happy to have a call to share more details of my context if that would be useful for gathering feedback.

Hi @jonskeet, thanks for the post.

It looks like you were able to resolve this issue, which is great to hear!

Although it does seem strange that you were unable to access the meeting until you created a new SDK app. There are many existing implementations which used separate SDK & OAuth apps, and have done so for years, so adding such a requirement would have been a major breaking change for a lot of developers using our SDK. It may not be too big of a concern for you now that you were able to get it working, but let me know if you’d like to continue investigating why this was happening and we can pursue it further.

Now regarding your concerns about the OAuth migration, we definitely hear you on it not being simple in comparison to the email/pw login available in older versions of the SDK. The short answer is yes we want to make it easier for developers to implement, but will not be able to change the Marketplace requirements in the long run.

In the immediate term, we have some documentation available for this migration. We also have plans to release some sample implementations for all platforms in the future for those who prefer something a bit more concrete.

I don’t want my app on the Marketplace; I just want to be able to use the SDK as before).

If your use case involves users not directly under your Zoom account to authenticate via OAuth, unfortunately this will no longer be an option. The listing of SDK apps on the Marketplace, in addition to allowing for increased visibility of your app, was primarily meant to better inform Zoom users of the developers behind an SDK app. It certainly is not a trivial change to migrate over to this new flow, so we are here to help in whatever ways we can.

Thanks!

Thanks for the swift response - that’s much appreciated.

It’s good to know that it should have worked. (It’s definitely worth me looking into this more for various reasons.) I’ll have another go at reproducing the problem, partly as it was 3am local time when I did so before, due to insomnia - it’s entirely possible that the problem was on my side somewhere. I’ll try again and report the results here either way.

In terms of the Marketplace requirements, I’d like to describe my context further, but it’s somewhat off-topic for this forum post. Would it be best to create a new post with more context, or is there a better medium to discuss that? (It may not be as relevant to other users, so an email thread with support might be more appropriate, but I don’t want to assume too much.)

Hi @jonskeet,

You’re very welcome, happy to help!

It’s good to know that it should have worked. (It’s definitely worth me looking into this more for various reasons.) I’ll have another go at reproducing the problem, partly as it was 3am local time when I did so before, due to insomnia - it’s entirely possible that the problem was on my side somewhere. I’ll try again and report the results here either way.

Ha, no worries, we’ve all been there at some point. One common issue we see with using a ZAK is that the token expires before it is used, which could potentially cause the behavior you’re seeing. If you provide an expired ZAK, the SDK will just try to join the meeting anonymously as if you had never provided one rather than fail to join.

In terms of the Marketplace requirements, I’d like to describe my context further, but it’s somewhat off-topic for this forum post. Would it be best to create a new post with more context, or is there a better medium to discuss that? (It may not be as relevant to other users, so an email thread with support might be more appropriate, but I don’t want to assume too much.)

I think it should be fine to discuss any concerns you have here, since it is still related to the content of this topic. It really is only an issue when there are completely unrelated topics (e.g. you follow up asking a question about the Android Video SDK in a thread regarding the macOS Meeting SDK).

Thanks!

Okay, so a post in two halves… both quite long. (Again, I’m quite happy to split this if you’d like.)

Getting ZAKs working

Firstly, I did get the ZAK working in the end, and I think I know what I was doing wrong and how a few documentation improvements could have avoided it. Basically, I was using the “other” kind of token given by the /users/me/token API request.

I’m sure I won’t be able to find all the parts of documentation that I went through (it’s a bit labyrinthine, and I can understand that - auth in particular is always really hard to document) but:

• In https://marketplace.zoom.us/docs/sdk/native-sdks/iOS/mastering-zoom-sdk/start-join-meeting/api-user/authentication, it states:

  For Zoom_Access_Token(ZAK), you can retrieve them by sending a GET request to https://api.zoom.us/v2/users/{userId}/token."

  But that will give the wrong kind of token (without the query parameter). (I’m sure I reached this page at some point despite not using iOS…)

• The doc at https://marketplace.zoom.us/docs/sdk/native-sdks/auth is slightly better:

  To request a User’s ZAK, send a GET request with a userId to /users/{userId]/token and specify type=zak in the body of the request. (If a type is not specified, the default response will be Zoom Token)

  This does at least talk about “type=zak”, but:

  • It’s a query parameter, not in the body of the request
  • The distinction between “Zoom Token” and “Zoom Access Token” is very, very easy to miss when you’re coming in fresh. This is compounded by the next issue.

• In https://marketplace.zoom.us/docs/api-reference/zoom-api/users/usertoken, the documentation for the token query parameter was what really confused me. It says there are two types:

  • token: Used for starting meetings with the client SDK. This token expires in 14 days and a new token will be returned after the expiry.
  • zak Used for generating the start meeting URL. The token expiration time is two hours. For API users, the expiration time is 90 days.

  Now given that I’m trying to start a meeting with the client SDK, it really sounds like I want “token” here. I’m not “generating a start meeting URL” at all. I think improving this one piece of documentation, as well as highlighting the presence of the query parameter and the fact that there are different kinds of token at all in the summary information on the page, would make a huge difference. (Ideally, define the two kinds of token using terms that are very easily distinguishable. I appreciate that by now it may be too late to do that.)

• There’s an inconsistency in whether starting a meeting with a ZAK counts as a “login” user or a “non-login user”. Reading https://marketplace.zoom.us/docs/sdk/native-sdks/user-login makes it sound like using OAuth is part of the “login user” or “non-login user” flow… in the API call, we’re using withoutLoginStart and StartParam4WithoutLogin, which certainly sounds like it’s non-login… but this isn’t an anonymous user. Perhaps you need a third category in the description here?

I hope those suggestions are useful.

Personally I would really have preferred it if an incorrect ZAK (or at least a token which was completely invalid as a ZAK in terms of the format) would have caused an error rather than trying to join anonymously. There are plenty of other places where the API reports an error even for cases where it’s harmless - like requesting to show the toolbar when it’s already being shown. In that case, reporting the error is unhelpful, whereas here it would be really helpful for alerting the developer to the fact that their code has a bug. I appreciate it’s probably too late to change that now though.

Marketplace requirements and experience

Firstly, I’m still confused about the production vs testing URLs. I can generate both URLs in the app configuration wizard, but only the “local testing” one works at the moment. (Trying to exchange the code for an OAuth token fails with a 4xx error.) I think I’ve seen it the other way round as well, but I’m not sure. (I was changing too many things to have paid much attention on that.)

The terminology of “installing” and “uninstalling” an application is definitely confusing here. From my standpoint, I’m not installing anything - I’m authenticating or logging in. I assume that “uninstall” really means “invalidate previous token” but that’s unclear too.

Anyway, I’ll assume that this can all be sorted. My bigger concern is being able to create an application with very limited distribution without making it public on the Marketplace. Here’s my bigger context…

I have developed two applications, “Zoom and Enhance” (ZAE) and “At Your Service” (AYS). Both are basically to help me with A/V presentation for my local church, and both are Windows-based (WPF).

Zoom and Enhance (ZAE)

ZAE was started last year, and is effectively a Zoom productivity app. It’s designed for the situation where everyone in a church service is attending via Zoom, and is primarily about streamlining a few bits of functionality which are common within Zoom services - plus a few extras. It can:

• Change the spotlight from one user to another, muting everyone else and unmuting the new speaker, all with a single double-click
• Launch a PowerPoint presentation, video or web page, starting a screen share (either of a screen or the app), again muting everyone else - and again, all with a single double-click. (And importantly, you can prepare the list of videos etc beforehand, so you’re just clicking from one item to the next, via other speakers to spotlight.)
• Unmute everyone (e.g. for saying the Lord’s Prayer) - this is in the normal Zoom client as well of course, but it’s all in the same place as the rest of the functionality for ZAE.
• Automatically rename users as they join (e.g. to turn phone numbers into names)
• Provide crude-but-effective chat-based notification system, so that people can “subscribe” to notifications by chat when someone joins or leaves. That allows a few people to make sure that everyone is greeted as they arrive.
• Make it easy to switch between devices (e.g. different webcams, microphones, speakers) without going through settings menus

While I primarily built ZAE for myself, it now has maybe a dozen users. To avoid issues where the same SDK key was being used at the same time for an unpublished app, each user has registered themselves as a Zoom developer (under the advice of a Zoom engineer last year). I suspect that each user only needs to start meetings for a small handful of “normal” Zoom users (e.g. the account for the minister of that church, or the church council secretary) but it’s not necessarily just their own account.

At Your Service (AYS)

AYS was started this spring, and is a complete replacement for the previous A/V system at my local church. Our “A/V stewards” are just volunteers who are technically literate, but not necessarily geeks, let’s say. I wanted to make things as simple as possible for them, in a world of hybrid worship where some people are on Zoom and some are in the church building. Before the pandemic, the A/V stewards would primarily need to worry about the sound via microphones, and what’s on the screen via a computer. Adding Zoom and cameras into the mix made it infeasible to have lots of separate pieces of hardware and software, so I’ve built a platform myself which controls:

• Sound via a digital mixer
• Presentation of videos/audio/pictures via VLC
• PowerPoint
• Song words and liturgy as text
• Multiple cameras (with control for pan/tilt/zoom)
• Window management for all of the above (e.g. to show singers with the song words overlaid, or a regular video overlaid with a camera shot in the corner)
• Zoom:
  • Starting the meeting for people to join
  • Spotlighting people who are doing a reading (and then returning to show the church view)
• OBS for recording services

Again, the intention is to allow as much to be done with a single mouse double-click (or button-press on a Stream Deck) as possible.

Currently, the only installations of At Your Service are me for development and on the church computer. Other churches aren’t using it, partly as it’s very much geared towards our hardware.

Most of the meetings started by AYS are with the same account, although that’s a separate account from the one I’ve created the app in. (Church account vs my personal account.)

How OAuth and the Marketplace fits in

So these applications are only ever intended to be distributed by me personally - no-one is going to be able to install them without coming to me first. That’s why it would seem odd to have a Marketplace app that’s publicly visible: “Here’s an application that you can find out about - but you won’t actually be able to use” is odd messaging.

While it’s awkward, I could potentially create a new OAuth app which is never submitted for review, on each account where we host meetings - and ask the handful of ZAE users to do the same thing.

The other alternative is to go via the “Request to share this app outside this account” dialog in the Marketplace app management part. If the Zoom Marketplace Team would consider this an acceptable use case, that would be simpler. I’d need to get the published URL client id/secret to work but I’m sure that’s manageable.

I’m sure once we’ve worked out how many OAuth apps are required (in order to allow hosting from “multiple, but not a huge number” of other accounts), I can do the server-side OAuth management and then app-side ZAK-fetching relatively easily.

If you have any other ideas, I’d be very interested in hearing them. I hope all the above context is useful for the product team in terms of giving background as to how the Zoom SDK is being used in real life outside enterprises etc. (I’m sure enterprise use cases are much more important to the product team, of course - I don’t begrudge Zoom wanting to make money!)

Hi @jonskeet,

First off, I want to thank you for taking the time to put together this exceptionally well-thought-out feedback. There is a lot of actionable information that we can use to improve our developer experience, and I’m sure the DevRel team as a whole will be thankful for this!

Firstly, I did get the ZAK working in the end, and I think I know what I was doing wrong and how a few documentation improvements could have avoided it. Basically, I was using the “other” kind of token given by the /users/me/token API request.

This is not an uncommon misunderstanding (and one that I actually ran into myself when I first started at Zoom IIRC). I have brought this up with our documentation team and will see if we can make it as clear and consistent as possible across our documentation. The authentication page you’ve linked to is specifically geared towards reducing the amount of documentation you need to parse in order to get an SDK app moving in the right direction in this regard, which is why it has the most concise information.

It is also worth noting that there is a ZAK-specific endpoint, which should make things a bit less error-prone. I think we probably will move in the direction of pointing toward this endpoint in our documentation, but I’m open to feedback if you see value in including both options.

• There’s an inconsistency in whether starting a meeting with a ZAK counts as a “login” user or a “non-login user”. Reading https://marketplace.zoom.us/docs/sdk/native-sdks/user-login makes it sound like using OAuth is part of the “login user” or “non-login user” flow… in the API call, we’re using withoutLoginStart and StartParam4WithoutLogin , which certainly sounds like it’s non-login… but this isn’t an anonymous user. Perhaps you need a third category in the description here?

This is definitely something that we can update. To give some context around this wording, as of v5.9.0, the Meeting SDK removed the ability to log in using raw email/pw strings and now requires OAuth for all authentication. Previously, providing a ZAK was a “non-login” user since they were not logging in directly through the SDK. With the current setup, this distinction is no longer as important to make, so we can definitely consider changing the naming convention here. I’m not 100% sure that we want to introduce a breaking change for this, but if not, this at least warrants clarification in the reference docs.

Personally I would really have preferred it if an incorrect ZAK (or at least a token which was completely invalid as a ZAK in terms of the format) would have caused an error rather than trying to join anonymously.

I think that this behavior is enforced by our back end and may require significant changes to how meetings are joined, but there are probably scenarios that the SDK can handle and return an error synchronously before it gets to that point (e.g. if the ZAK has expired or has an invalid format).

Marketplace requirements and experience

Reading through this section, I completely understand why you asked if it would be better to post in another category. If you don’t mind, could you copy this over to the #marketplace-apps category? Let me know when it’s posted there and I’ll make sure our Marketplace team is aware and can respond to it. At a high level, it seems that you have a correct understanding of the terminology and I absolutely see how they could be confusing/misleading. I’m sure a member of our Marketplace support team will be able to provide better context than I can around the naming conventions and distribution limitations you’re running into.

If you have any other suggestions or comments, or feel that I may have overlooked anything in your response, please let me know and I will be more than happy to help further.

Thanks!

Thanks very much for the reply. I’ve split off the Marketplace requirements part in this post.

Everything you said in your reply made sense to me, and I’m glad the feedback is useful. (I work in DevRel too, so I really empathise with trying to keep docs up-to-date for an evolving platform.)

I think the remaining open aspects are really just in the Marketplace post now. (There’s still the technical matter of why the publishable URL wasn’t working for me but the testing URL was, but I think it’s worth waiting until there’s more resolution on the Marketplace post before coming back to that.) Feel free to close this topic now, and happy New Year.

Hi @jonskeet,

Thanks for that! I’ve forwarded that post to our Marketplace team to look into. There are still some people out for the holidays so I’m not sure on the exact timing, but you should hear back this week.

I’m glad to hear that everything made sense and appreciate you understanding and empathizing with the challenges we face. Hopefully the changes we make in the future will be beneficial to you and the rest of the developer community, but if not, we’re always a post away.

Thanks, and happy new year to you as well!