Unable to exchange token during in-client oauth flow (and other issues)

We’re having some real issues implementing in-app auth.

  1. Key exchange after authorize isn’t working — each time it’s giving us a {"reason":"Invalid authorization code XXXXX","error":"invalid_grant"} error — whether we use curl or our backend using the code we get back from onAuthorized(). We’ve tried using our Go code and the example JS code to generate the challenge.
  2. Should we be calling authorize() at app startup each time? If we attempt to install from the ‘guest mode’ window chrome we’re not getting any onMyUserContextChanged() events.
  3. Using promptAuthorize() to upgrade from guest mode to authorized likewise doesn’t trigger any onMyUserContextChanged() events. We don’t have any visibility that the permissions have changed.

We have promptAuthorize(), authorize(), getUserContext(), onAuthorized and onMyUserContextChange enabled and configured.

# Token exchange against the Zoom OAuth endpoint. Placeholders (UPPER_CASE) stand for
# the real values; AUTHORIZATION_CODE is the code returned by onAuthorized().
curl --request POST \
  --url https://zoom.us/oauth/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Basic BASE_64_ENCODED(CLIENT_ID:SECRET)' \
  --data code_verifier=ORIGINAL_CODE_VERIFIER \
  --data grant_type=authorization_code \
  --data code=AUTHORIZATION_CODE \
  --data redirect_uri=REDIRECT_URI

On a separate note – the Zoom client doesn’t clear the cookies when you remove an installed app using the marketplace – we can code around this but it seems like it’s a security issue.

  • Open an installed app in a meeting
  • Create a cookie on app open
  • Invite users in the meeting to use the app
  • Remove the app from the marketplace
  • The app pane closes
  • Open the old invitation
  • The app opens in guest mode
  • The cookie (tied to the former, installed session) is still present.

The error you’re seeing has to do with your OAuth against the zoom.us OAuth endpoints. There are several searchable posts on the forum on this issue. Here is one of them: Cannot renew access and refresh token (invalid_grant)

The docs on OAuth with Zoom are here: OAuth with Zoom

If I manually create an authorization URL in the browser (with the same code challenge) and curl the exchange with the given code, it works.

If I use the same code challenge using authorize, the code that authorize returns fails.

If this is a “you need to use a refresh token” issue, what happens when/if our zoom refresh token isn’t persisted? The docs (including the example app) indicate that you need to use authenticate() to get a new token.

As for the onMyUserContextChange event trigger, promptAuthorize should trigger this since client version 5.12.0. What client version are you on?

We created a bug ticket for the cookie clearing issue, will report to appropriate internal team.

Are you using plain or S256 for setting the code_challenge? If you are using S256, would you test plain?

Ah ha! It was 5.11.6! Hopefully the new client will fix the issues…

I’m using S256 when I manually create the URL (to generate a code that works). The challenge type isn’t a parameter in the authorize() call (Zoom Apps JS SDK reference) -- could authorize be omitting that behind the scenes?

Updating the client fixed the onMyUserContextChange events (but not the OAuth problem).

The issue was that the codeChallenge we were providing to authorize() was not in plaintext – the docs explicitly say only S256 is supported! Could this be an SDK version issue?

The documentation is incorrect. The client does not officially support the S256 codeChallenge, only plain at this time. We will create a bug ticket to resolve this issue.