Timeout when refreshing access tokens

Description
Hi,
We have encountered an issue where there was a timeout when trying to refresh the access token, after which, we constantly get HTTP 401 errors when trying to refresh the token (using the same refresh token).

Error

  • We encountered a timeout when trying to refresh the access token.
  • After this happened we notice that we could no longer refresh the token and the API would always return back HTTP 401, not authorized.
  • We assume it is because our refresh token was invalidated during the request as a new one was created, but since we never got the response with the new token, we weren’t able to update it.
  • Could you please comment on the atomicity of the API and whether this was possible or not.
  • Could you also provide any suggestions you may have to recover from this. Currently, we are forced to uninstall the app and reinstall it, but as you can imagine; this is very cumbersome.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth (authentication code)

Which Endpoint/s?
https://zoom.us/oauth/token (POST)

thanks in advanced,
Bo

Hi @bo.zhang,

Thanks for reaching out about this. This can happen for a few different reasons. These are the most common:

  1. If a new access token is generated, both the previous access token and refresh token will become invalid. So you will need to update each of these tokens each time you request a new access token.

  2. Another situation that can arise is if multiple requests are sent using the same refresh token within a short amount of time, a race condition may prevent all requests from going through successfully. In this case, if you are not able to update the refresh token at your end (this generally happens when you make multiple requests in a short amount of time), a recommended workaround would be to reauthorize the app.

  3. If a user uninstalls the app by revoking the authentication, the refresh token will become invalid.

(Keep in mind that access tokens expire after one hour. Once expired, you will have to refresh a user’s access token. The purpose of the refresh token is to request a new access token. Although refresh tokens expire after 15 years, it becomes invalid after it is used to request a new access token. You will receive a new refresh token pair and an access token once you use the old refresh token. You will have to update these old values with new ones. These details are covered here as well.)

Let me know if you think one of these might be the case in your instance.

Thanks!
Will

Hi Will,

Thanks for the response.
So we are doing the following:

  • We run a cron job that automatically makes a request to request the Zoom token every ~50 minutes
  • Once we receive the new access token and refresh token, we store the new token pair in our backend database.

I checked our logs and there were no concurrent requests to the Zoom API - the previous call to refresh the token was 50 minutes prior, so I doubt that there was a race condition.

It seems the issue is that one request all of a sudden timed out (we set a timeout of 30 seconds, so if our request was not answered within 30 seconds, we terminate it). Can you confirm whether or not you invalidate the current refresh token if the response to the request was not received?

Here are the symptoms that we are seeing:

  1. Sudden timeout when trying to refresh the access token
  2. All subsequent requests to refresh the token are responded to with error 401 not authorized

Thanks,
Bo

Hi @bo.zhang,

Thanks for sharing these additional details.

If a refresh token request times out, you should be able to retry. If you’re getting the 401 not authorized error, it sounds like the user may have uninstalled the app.

Have you checked this scenario?

Thanks,
Will

Hi Will,

Thanks again for the response. The user of the app has advised us that they did not uninstall the App. Is there a way to verify this from our end, i.e: is there some way to track the uninstallations and installation history of our app?

Thanks,
Bo

Hey @bo.zhang,

Try navigating to Created Apps in the Zoom Marketplace. Then, click your App and view the Activity Logs tab.

Let me know if that helps.

Thanks,
Max

Thanks Max,

We will double-check this, but I highly doubt that the user of our App uninstalled the App, furthermore the symptoms that we encountered do not match up with the user uninstalling the App. A request to refresh the Access token timed out for no apparent reason and all subsequent attempts to refresh the token return 401, likely due to the fact that our refresh token was invalidated somehow during the request that timed out.

Thanks,
Bo

Hi @bo.zhang,

Thanks for sharing these additional details. If you’re able to share the exact refresh token and approximate timestamp of the error with us at developersupport@zoom.us, we may be able to help confirm the exact reason for you.

Thanks!
Will