I have a specific set of questions about OAuth for Zoom.
Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth
Which Endpoint/s?
https://zoom.us/oauth/authorize
https://zoom.us/oauth/token
Additional context
I’m in the process of writing a prototype batch application that needs to:
Authenticate/authorize to Zoom
Pull and process data
I already have everything working correctly for JWT, which is simple and straightforward. With JWT, I can run in batch and all is well.
However, I am not sure I correctly understand how OAuth is supposed to work in this context. According to the documentation:
Step 1: Request User Authorization - GET https://zoom.us/oauth/authorize
Step 2: Request Access Token - POST https://zoom.us/oauth/token
I’ve followed the directions and provided the appropriate query parameters for Step 1, but no matter what I try I’m not able to get this to work in batch. It always requires a user to interactively log in (using a web browser), after which I’m issued an authorization code.
This obviously will not work for a batch application. I need it to be programmatic, without user interaction.
So far, my stop-gap for this prototype has been to:
1. Interactively log in to Zoom using https://zoom.us/oauth/authorize?response_type=code&client_id=x&redirect_uri=https://foo.local
2. Make a note of the authorization code that is issued
3. Provide that authorization code (as an environment variable) to my batch application
4. Let my batch application do the POST https://zoom.us/oauth/token using the authorization code from above
5. Batch application receives the access token
6. And so on… make more calls, get data, etc.
Could someone help me understand what I’m missing? Should I be able to make a programmatic (read: no human involvement, no web browser) request to https://zoom.us/oauth/authorize? Or does it always involve a human, by design? If it does always involve a human, then do the authorization codes expire?
Replying to my own posting based on further trial-and-error and observation, along with information I found in this related thread:
The OAuth for Zoom authentication process looks like:
1. Ask a human to visit your app’s https://zoom.us/oauth/authorize?response_type=code&client_id=x&redirect_uri=https://foo.local URI and authorize it.
   a. That human must have an account that can authorize the app
   b. S/he must use the web UI to do this step; it cannot be automated
   c. The result of this step is an authorization code
2. Use the authorization code provided by your human to do the POST https://zoom.us/oauth/token step
   a. After you do this step one time, the authorization code from step one is history (it won’t work again)
   b. The result of this step is a token set, consisting of an access token and a refresh token
3. Use the access token to call the Zoom API and pull data
   a. The access token expires after one hour
   b. The refresh token expires after fifteen years
   c. To get a new access token, issue a request for a new one using the refresh token
You will need a persistent area to hold on to the access token and (especially) the refresh token. If you lose the refresh token you will be starting over from step 1 above.
My feeling at this point: if you need to authenticate in a batch process, use JWT if at all possible. The OAuth flow is an order of magnitude more complex. (Unfortunately, it appears using OAuth is the only way to limit access/scope for an account.)
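The flow described in the reply above (one-time code exchange, persistent token set, refresh when the access token expires), as an added example that is not part of the original posts and not Zoom's own code. It keeps the token endpoint, the client_id `x` and the redirect URI `https://foo.local` from the thread; everything else is an assumption: the `grant_type`/`code`/`refresh_token` form fields, HTTP Basic client authentication at the token endpoint, and a JSON reply carrying `access_token`, `refresh_token` and `expires_in` all follow standard OAuth 2.0 (RFC 6749) rather than anything quoted in the thread. The HTTP transport is injectable, and `make_fake_transport` is a constructed stand-in for the endpoint so the logic can be exercised offline (`run_demo`); `urllib_transport` is what a real batch run would pass in.

```python
"""Added example: batch-side OAuth token manager for the flow in the thread."""
import base64
import json
import os
import tempfile
import time
import urllib.parse
import urllib.request
from pathlib import Path
from typing import Callable, Dict, Optional

TOKEN_URL = "https://zoom.us/oauth/token"  # endpoint from the thread

# transport(url, headers, form_fields) -> parsed JSON body (assumed shape, RFC 6749)
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Dict]


class TokenStore:
    """Persist the token set. The refresh token is a long-lived credential,
    so the file is written atomically and with owner-only permissions."""

    def __init__(self, path: Path):
        self.path = path

    def load(self) -> Optional[Dict]:
        return json.loads(self.path.read_text()) if self.path.exists() else None

    def save(self, tokens: Dict) -> None:
        tmp = self.path.with_suffix(".tmp")
        tmp.write_text(json.dumps(tokens))
        os.chmod(tmp, 0o600)
        tmp.replace(self.path)


class ZoomOAuthClient:
    REFRESH_SKEW = 60  # refresh a minute early so a request never races expiry

    def __init__(self, client_id: str, client_secret: str, redirect_uri: str,
                 store: TokenStore, transport: Transport, now=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.store, self.transport, self.now = redirect_uri, store, transport, now

    def _headers(self) -> Dict[str, str]:
        # Assumed: client credentials sent as HTTP Basic auth (RFC 6749 section 2.3.1)
        raw = f"{self.client_id}:{self.client_secret}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

    def _token_request(self, fields: Dict[str, str]) -> Dict:
        body = self.transport(TOKEN_URL, self._headers(), fields)
        tokens = {"access_token": body["access_token"],
                  "refresh_token": body["refresh_token"],
                  "expires_at": self.now() + int(body.get("expires_in", 3600))}
        self.store.save(tokens)  # step 3 of the reply: keep both tokens
        return tokens

    def exchange_code(self, code: str) -> Dict:
        # Step 2: the code is single-use, so it is consumed here and never persisted
        return self._token_request({"grant_type": "authorization_code",
                                    "code": code, "redirect_uri": self.redirect_uri})

    def refresh(self) -> Dict:
        tokens = self.store.load()
        if tokens is None:
            raise RuntimeError("no token set stored; repeat the interactive authorize step")
        return self._token_request({"grant_type": "refresh_token",
                                    "refresh_token": tokens["refresh_token"]})

    def get_access_token(self) -> str:
        tokens = self.store.load()
        if tokens is None:
            raise RuntimeError("no token set stored; repeat the interactive authorize step")
        if self.now() >= tokens["expires_at"] - self.REFRESH_SKEW:
            tokens = self.refresh()  # access token lives one hour; refresh instead of re-authorizing
        return tokens["access_token"]


def urllib_transport(url: str, headers: Dict[str, str], fields: Dict[str, str]) -> Dict:
    """Real transport for a batch run: form-encoded POST, JSON reply (assumed shape)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def make_fake_transport():
    """Constructed stand-in for the token endpoint: honours each code once,
    then serves refresh_token grants, mirroring what the reply observed."""
    state = {"used_codes": set(), "calls": []}

    def transport(url: str, headers: Dict[str, str], fields: Dict[str, str]) -> Dict:
        state["calls"].append(dict(fields))
        if not headers.get("Authorization", "").startswith("Basic "):
            raise RuntimeError("invalid_client")
        if fields["grant_type"] == "authorization_code":
            if fields["code"] in state["used_codes"]:
                raise RuntimeError("invalid_grant: authorization code already used")
            state["used_codes"].add(fields["code"])
            n = len(state["used_codes"])
            return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}", "expires_in": 3600}
        if fields["grant_type"] == "refresh_token":
            return {"access_token": "at-refreshed", "refresh_token": "rt-rotated", "expires_in": 3600}
        raise RuntimeError("unsupported_grant_type")

    return transport, state


def run_demo() -> Dict:
    """Walk the flow offline with a controllable clock; returns what happened."""
    transport, state = make_fake_transport()
    clock = {"t": 1_000_000.0}
    with tempfile.TemporaryDirectory() as d:
        store = TokenStore(Path(d) / "zoom_tokens.json")
        client = ZoomOAuthClient("x", "<client-secret-placeholder>", "https://foo.local",
                                 store, transport, now=lambda: clock["t"])
        client.exchange_code("code-from-browser")   # the code copied from the redirect
        first = client.get_access_token()           # still fresh: no refresh call
        clock["t"] += 3600                          # one hour later
        second = client.get_access_token()          # expired: refreshed transparently
        try:
            client.exchange_code("code-from-browser")  # reuse of the code is rejected
            reuse_rejected = False
        except RuntimeError:
            reuse_rejected = True
        stored_refresh = store.load()["refresh_token"]
    return {"first": first, "second": second, "reuse_rejected": reuse_rejected,
            "stored_refresh": stored_refresh,
            "grants": [c["grant_type"] for c in state["calls"]]}
```

Only the refresh token and its access token are persisted; the authorization code is consumed once and discarded, which matches the reply's point that losing the refresh token means going back to the interactive step.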
I just created another new topic (Longevity of OAuth UserManaged code) about the longevity of the authorization code, and in reading this thread it seems it is only good for one use in getting an access/refresh token? Do we need to request user authorization again via the marketplace application Installation URL? Thank you…
Correct. The code in the redirect URL query param is just for getting an access and refresh token. You will never use that same code again; it does not need to be stored.