Trying to integrate, not understanding the need for the second redirect_uri

Description
I have integrated the OAuth flow for Google and Microsoft in the past and I understand how it’s supposed to work.
I am now trying to do this with Zoom, and I am not understanding why, after getting the user’s authorization_code, we have to once again provide the redirect_uri that they just authenticated on.
Why is it necessary to send the redirect_uri parameter to convert a code → tokens??

Hey @worthy.vii,

Thanks for reaching out about this, and good question.

While you’re correct that you do need to pass the redirect URL when attempting to request an access_token (even after you’ve received the code), you raise a good question.

Although this is expected as part of the implementation and I believe is, in part, due to verifying the redirect URL matches what you’ve provided in your app, it’s a good question which I’m happy to explore with my team. For now, however, note that it’s required.

Thanks,
Will

I have implemented both google and MS auth flows (for login, API access etc) and it’s exactly the same, except for this parameter. That’s why I bring it up.

Was this always a requirement? I am implementing this in dot net, and we ended up having this discussion: OAuthConnectionInfo · Issue #104 · Jericho/ZoomNet · GitHub

He seems to think it is not needed, so that client actually doesn’t implement this parameter, yet somehow it still works? So bizarre.

@will.zoom I confirm what @worthy.vii said: I have been using the OAuth flow for nearly a year without any problem and I do not provide the redirect url when converting the authorization code into access token and refresh token. Here’s a sample HTTP request I send to the Zoom API:

POST https://api.zoom.us/oauth/token?grant_type=authorization_code&code=WJFlYAhRUM_8lzIwvZTSOqjndWPbPqzuA HTTP/1.1
Host: api.zoom.us
Authorization: Basic <... omitted for security reasons ...>
User-Agent: ZoomNet/DEBUG (+https://github.com/Jericho/ZoomNet)
Content-Length: 0

Notice the absence of redirect url

and here is the response from Zoom:

HTTP/1.1 200
Date: Wed, 24 Feb 2021 14:33:00 GMT
Content-Type: application/json;charset=UTF-8
Connection: keep-alive
x-zm-trackingid: WEB_c66959f9ce8ce61237d13d23f7e71788
X-Content-Type-Options: nosniff
Content-Security-Policy: upgrade-insecure-requests; default-src https://*.zoom.us https://zoom.us https://us01pbxstatic.zoom.us blob: 'self'; script-src 'unsafe-eval' 'unsafe-inline' blob: about: https://ruanshi2.8686c.com https://ajax.aspnetcdn.com/ajax/3.5/MicrosoftAjax.js https://appsforoffice.microsoft.com https://assets.zendesk.com https://autocomplete.demandbase.com https://cdn.wootric.com https://cdncache-a.akamaihd.net https://connect.facebook.net https://consent.trustarc.com https://d.adroll.mgr.consensu.org https://d2b9h3rz4xo53c.cloudfront.net https://d24cgw3uvb9a9h.cloudfront.net https://googleads.g.doubleclick.net https://pi.pardot.com https://s.dcbap.com https://s.ytimg.com https://s3.amazonaws.com https://scout-cdn.salesloft.com https://sealserver.trustwave.com https://secure-cdn.mplxtms.com https://serve2.cheqzone.com https://snap.licdn.com https://sp.analytics.yahoo.com https://static.zdassets.com https://static2.sharepointonline.com https://tag.demandbase.com https://tpc.googlesyndication.com https://tracking.g2crowd.com https://trk.techtarget.com https://www.comeet.co https://www.dropbox.com https://www.google-analytics.com https://static.zoom.com.cn https://www.googleadservices.com/pagead/conversion_async.js https://www.googletagmanager.com/gtm.js https://www.googletagmanager.com/* https://optimize.google.com https://tagmanager.google.com https://www.gstatic.com/recaptcha/releases/ https://www.gstatic.cn/recaptcha/releases/ https://google.com https://docs.google.com https://cse.google.com https://maps.google.com https://www.google.com https://www.recaptcha.net https://linkedin.com https://platform.linkedin.com https://px.ads.linkedin.com https://ads.linkedin.com https://www.youtube.com https://us01pbxstatic.zoom.us https://www.gstatic.com https://www.gstatic.cn https://fonts.googleapis.com https://hcaptcha.com https://assets.hcaptcha.com https://*.ada.support https://*.adroll.com https://*.hotjar.com https://*.zoom.us https://*.zoomcloudpbx.com https://*.zoomus.cn https://*.zopim.com https://adroll.com https://zoom.us https://apis.google.com https://gstatic.zoom.com.cn 'self'; img-src https: about: blob: data: 'self'; style-src https: safari-extension: chrome-extension: 'unsafe-inline' data: 'self'; font-src https: safari-extension: chrome-extension: blob: data: 'self'; connect-src * about: blob: data: 'self'; media-src * rtmp: blob: data: 'self'; frame-src https: ms-appx-web: zoommtg: zoomus: wvjbscheme: data: 'self'; object-src 'none'; base-uri 'none';
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: zm_aid=""; Domain=.zoom.us; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Set-Cookie: zm_haid=""; Domain=.zoom.us; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Set-Cookie: web_zak=""; Domain=.zoom.us; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Set-Cookie: cred=525EC9537CDD0E987C2ECC4058060C28; Path=/; Secure; HttpOnly
Set-Cookie: _zm_page_auth=aw1_c_nrRYBOhRQZSycnDcePoP-w; Domain=.zoom.us; Path=/; Secure; HttpOnly
p3p: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Set-Cookie: _zm_ssid=aw1_c_tHzsHOUHSrq9kH710BGl7w; Domain=.zoom.us; Path=/; Secure; HttpOnly
Set-Cookie: _zm_ctaid=FzQL6Fo-SEKojNfOnRCzfg.1614177180353.ca004da5e79f36bcdba8ec8b0a075b5e; Domain=.zoom.us; Expires=Wed, 24-Feb-2021 16:33:00 GMT; Path=/; Secure; HttpOnly
Set-Cookie: _zm_chtaid=596; Domain=.zoom.us; Expires=Wed, 24-Feb-2021 16:33:00 GMT; Path=/; Secure; HttpOnly
Cache-Control: no-store
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 1410

{
    "access_token":"<... omitted for security reasons ...>",
    "token_type":"bearer",
    "refresh_token":"<... omitted for security reasons ...>",
    "expires_in":3599,
    "scope":"meeting:read meeting:write user_profile"
}

So, my conclusion is that it is NOT necessary to provide the redirect url.

Hey @desautelsj,

Thanks for sharing. While this may work for you, our OAuth flow is intended to include the redirect_uri parameter when requesting an access token to ensure you don’t receive a redirect mismatch error.

Thanks,
Will
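The question the thread opens with (why repeat redirect_uri when exchanging the code) and Will's "redirect mismatch" remark both come down to the binding check in RFC 6749 section 4.1.3: if the authorization request carried a redirect_uri, the token request must repeat it and the authorization server must verify the two values are identical. That check is what turns a leaked authorization code into a dead end when an attacker obtained it by steering the victim through a manipulated redirect_uri. The Python below is an added example, not Zoom's server code and not the ZoomNet library: an in-memory model of an authorization server that enforces the check, and a builder for a Zoom-style token request that includes redirect_uri. The thread does not establish what Zoom's endpoint does when the parameter is omitted, so the server model's behaviour, the client identifiers, the URIs and the deliberately lenient prefix match on registered redirect URIs are all assumptions made for illustration.

```python
"""Model of the redirect_uri binding check from RFC 6749 section 4.1.3.

Added example for this thread; it is neither Zoom's server code nor the
ZoomNet client. AuthorizationServer is a constructed in-memory model and
every identifier and URI below is made up.
"""
import base64
import secrets
from urllib.parse import urlencode

# Constructed sample values, not real Zoom credentials.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
TOKEN_ENDPOINT = "https://api.zoom.us/oauth/token"  # endpoint seen in the captured request
REGISTERED_REDIRECT = "https://app.example/callback"


class AuthorizationServer:
    """Constructed model of an OAuth 2.0 authorization server.

    Assumption for the demonstration: registered redirect URIs are matched
    by prefix (a common misconfiguration), so an attacker can append query
    parameters that make the client forward the code to a site they control.
    """

    def __init__(self, registered_redirect_uris):
        self._registered = set(registered_redirect_uris)
        self._codes = {}  # code -> (client_id, redirect_uri used at authorization)

    def authorize(self, client_id, redirect_uri):
        """Authorization endpoint: validate redirect_uri, issue a single-use code."""
        if not any(redirect_uri.startswith(r) for r in self._registered):
            raise ValueError("unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri)
        return code

    def token(self, client_id, code, redirect_uri=None):
        """Token endpoint: code must be unused, issued to this client, and the
        redirect_uri must equal the one the code was bound to when issued."""
        entry = self._codes.pop(code, None)  # pop: a code is redeemable once
        if entry is None:
            return {"error": "invalid_grant", "reason": "unknown or already used code"}
        bound_client, bound_redirect = entry
        if bound_client != client_id:
            return {"error": "invalid_grant", "reason": "code issued to another client"}
        if redirect_uri != bound_redirect:
            # RFC 6749 4.1.3: the values must be identical, so an omitted
            # parameter is rejected too. This is the "redirect mismatch" case.
            return {"error": "invalid_grant", "reason": "redirect_uri mismatch"}
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "bearer",
            "refresh_token": secrets.token_urlsafe(32),
            "expires_in": 3599,
        }


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication, as in the captured Zoom request."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Prepare the code-for-token exchange without sending it.

    Parameters are form-encoded in the body as RFC 6749 4.1.3 specifies; the
    captured ZoomNet request put them in the query string instead. Hand the
    result to whatever HTTP client you use.
    """
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # the parameter the thread is about
    })
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return {"method": "POST", "url": TOKEN_ENDPOINT, "headers": headers, "body": body}


def code_injection_scenario():
    """Legitimate exchange, a replay, and an injected stolen code.

    Attacker path: the victim is sent to the authorization endpoint with a
    redirect_uri that passes the lenient prefix check but leaks the code to
    the attacker, who then feeds it to the real client's callback. The client
    exchanges it with its own registered redirect_uri, which no longer matches
    the value the code was bound to, so the server refuses it.
    """
    server = AuthorizationServer({REGISTERED_REDIRECT})
    legit_code = server.authorize(CLIENT_ID, REGISTERED_REDIRECT)
    legit = server.token(CLIENT_ID, legit_code, REGISTERED_REDIRECT)
    replay = server.token(CLIENT_ID, legit_code, REGISTERED_REDIRECT)

    tampered = REGISTERED_REDIRECT + "?next=https://attacker.example/collect"
    stolen_code = server.authorize(CLIENT_ID, tampered)  # prefix check lets this through
    injected = server.token(CLIENT_ID, stolen_code, REGISTERED_REDIRECT)
    return {"legit": legit, "replay": replay, "injected": injected}


if __name__ == "__main__":
    for name, result in code_injection_scenario().items():
        print(name, "->", "access_token issued" if "access_token" in result else result)
    print(build_token_request(CLIENT_ID, CLIENT_SECRET, "demo-code", REGISTERED_REDIRECT))
```

The model makes the practitioner's point explicit: omitting redirect_uri at the token endpoint only works because a particular server tolerates it, and a client that relies on that tolerance gives up the one comparison that detects a code obtained through a tampered redirect. Always send the exact value used in the authorization request, byte for byte, and treat a mismatch error as a signal to investigate rather than a parameter to drop.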