Trying to integrate, not understanding the need for the second redirect_uri

I have integrated OAuth flow for Google and Microsoft in the past and I understand how it’s supposed to work.
I am now trying to do this with Zoom, and I am not understanding why, after getting the user’s authorization_code, do we have to once again provide the redirect_uri that they just authenticated on?
Why is it necessary to send the redirect_uri parameter to convert a code → tokens?

Hey @worthy.vii,

Thanks for reaching out about this, and good question.

While you’re correct that you do need to pass the redirect URL when attempting to request an access_token (even after you’ve received the code), you raise a good question.

Although this is expected as part of the implementation and I believe is, in part, due to verifying the redirect URL matches what you’ve provided in your app, it’s a good question which I’m happy to explore with my team. For now, however, note that it’s required.


I have implemented both Google and MS auth flows (for login, API access etc) and it’s exactly the same, except for this parameter. That’s why I bring it up.

Was this always a requirement? I am implementing this in dot net, and we ended up having this discussion: OAuthConnectionInfo · Issue #104 · Jericho/ZoomNet · GitHub

He seems to think it is not needed, so that client actually doesn’t implement this parameter yet somehow still works? So bizarre.

@will.zoom I confirm what @worthy.vii said: I have been using the OAuth flow for nearly a year without any problem and I do not provide the redirect url when converting the authorization code into access token and refresh token. Here’s a sample HTTP request I send to the Zoom API:

Authorization: Basic <... omitted for security reasons ...>
User-Agent: ZoomNet/DEBUG (+
Content-Length: 0

Notice the absence of redirect url

and here is the response from Zoom:

HTTP/1.1 200
Date: Wed, 24 Feb 2021 14:33:00 GMT
Content-Type: application/json;charset=UTF-8
Connection: keep-alive
x-zm-trackingid: WEB_c66959f9ce8ce61237d13d23f7e71788
X-Content-Type-Options: nosniff
Content-Security-Policy: upgrade-insecure-requests; default-src https://* blob: 'self'; script-src 'unsafe-eval' 'unsafe-inline' blob: about:* https://* https://* https://* https://* https://* https://* https://* 'self'; img-src https: about: blob: data: 'self'; style-src https: safari-extension: chrome-extension: 'unsafe-inline' data: 'self'; font-src https: safari-extension: chrome-extension: blob: data: 'self'; connect-src * about: blob: data: 'self'; media-src * rtmp: blob: data: 'self'; frame-src https: ms-appx-web: zoommtg: zoomus: wvjbscheme: data: 'self'; object-src 'none'; base-uri 'none';
Set-Cookie: zm_aid="";; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Set-Cookie: zm_haid="";; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Set-Cookie: web_zak="";; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Set-Cookie: cred=525EC9537CDD0E987C2ECC4058060C28; Path=/; Secure; HttpOnly
Set-Cookie: _zm_page_auth=aw1_c_nrRYBOhRQZSycnDcePoP-w;; Path=/; Secure; HttpOnly
Set-Cookie: _zm_ssid=aw1_c_tHzsHOUHSrq9kH710BGl7w;; Path=/; Secure; HttpOnly
Set-Cookie: _zm_ctaid=FzQL6Fo-SEKojNfOnRCzfg.1614177180353.ca004da5e79f36bcdba8ec8b0a075b5e;; Expires=Wed, 24-Feb-2021 16:33:00 GMT; Path=/; Secure; HttpOnly
Set-Cookie: _zm_chtaid=596;; Expires=Wed, 24-Feb-2021 16:33:00 GMT; Path=/; Secure; HttpOnly
Cache-Control: no-store
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 1410

    "access_token":"<... omitted for security reasons ...>",
    "refresh_token":"<... omitted for security reasons ...>",
    "scope":"meeting:read meeting:write user_profile"

So, my conclusion is that it is NOT necessary to provide the redirect url.

Hey @desautelsj,

Thanks for sharing. While this may work for you, our OAuth flow is intended to include the redirect_uri parameter when requesting an access token to ensure you don’t receive a redirect mismatch error.
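
An added example, not part of the thread and not Zoom's server code: a minimal model of the token-endpoint check described in RFC 6749 section 4.1.3, where the authorization code is bound to the redirect_uri used in the authorization request and the value sent at exchange must be identical. The `strict=False` mode is an assumption modelling a server that only compares when the parameter is supplied; the class names, client id and URLs are constructed.

```python
import secrets

class TokenError(Exception):
    """Stands in for an OAuth error response such as invalid_grant."""

class AuthServer:
    def __init__(self, strict=True):
        self.strict = strict   # strict=True follows RFC 6749 section 4.1.3
        self._codes = {}       # code -> (client_id, redirect_uri or None)

    def authorize(self, client_id, redirect_uri=None):
        """Authorization step: remember where the code is being delivered."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri)
        return code

    def token(self, client_id, code, redirect_uri=None):
        """Token step: redeem the code once and check the redirect_uri binding."""
        bound = self._codes.pop(code, None)   # single use, even if a check fails
        if bound is None:
            raise TokenError("invalid_grant: unknown or already used code")
        bound_client, bound_uri = bound
        if bound_client != client_id:
            raise TokenError("invalid_grant: code issued to another client")
        if bound_uri is not None:             # a URI was sent when authorizing
            if redirect_uri is None:
                if self.strict:
                    raise TokenError("invalid_grant: redirect_uri required")
            elif redirect_uri != bound_uri:   # exact string comparison
                raise TokenError("invalid_grant: redirect_uri mismatch")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}

def outcome(server, sent_uri, used_uri="https://app.example/callback"):
    """Run one authorize + exchange round trip (constructed client and URLs)."""
    code = server.authorize("client-1", used_uri)
    try:
        server.token("client-1", code, sent_uri)
        return "ok"
    except TokenError as exc:
        return str(exc)
```

A code delivered to one redirect URI cannot be redeemed by a party claiming another, and a lenient server still rejects a mismatched value even though it tolerates an omitted one.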

