User's refresh token keeps expiring

I have an app that uses OAuth named Donut.
https://marketplace.zoom.us/apps/7PBvwbgER6atU2rbdmznDQ

The refresh token for one of my users regularly expires. This doesn’t happen to most of our users. I have no idea why this happens.

The user confirmed that the reason described here isn’t relevant to them:

Any ideas?

Hey @mike8 ,

Thanks for reaching out about this. Refresh token errors in regards to expiration can occur for a few different reasons. If the user isn’t accessing your app from multiple devices like in that other thread, here are a few other things to check on your end:

  1. If a new access token is generated, both the previous access token and refresh token will become invalid. Make sure you’re updating each of these tokens each time you request a new access token.

  2. Another situation that can arise is if multiple requests are sent using the same refresh token within a short amount of time, a race condition may prevent all requests from going through successfully. In this case, if you are not able to update the refresh token at your end (this generally happens when you make multiple requests in a short amount of time), a recommended workaround would be to reauthorize the app.

  3. If a user uninstalls the app by revoking the authentication, the refresh token will become invalid. This may not be a scenario in your case.

Let me know if you think any of these could be the case.

Thanks,
Will
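
Points 1 and 2 of the reply above, as an added example that is not part of the original thread and is not Zoom's code: a per-user token store that lets only one caller spend the refresh token and replaces the access and refresh tokens together. `FakeTokenEndpoint`, `TokenStore`, `run_concurrent` and the token strings are constructed for illustration, and the endpoint assumes single-use (rotating) refresh tokens as described in point 1.

```python
import secrets
import threading
import time

class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""
    def __init__(self):
        self._lock = threading.Lock()
        self.valid_refresh = "rt-initial"  # constructed sample value

    def refresh(self, refresh_token):
        with self._lock:
            if refresh_token != self.valid_refresh:
                raise PermissionError("stale refresh token")
            # Issuing a new pair invalidates the previous refresh token.
            self.valid_refresh = "rt-" + secrets.token_hex(8)
            return {"access_token": "at-" + secrets.token_hex(8),
                    "refresh_token": self.valid_refresh, "expires_in": 3600}

class TokenStore:
    """Serializes refreshes for one user and swaps both tokens as one record."""
    def __init__(self, endpoint, refresh_token):
        self._endpoint = endpoint
        self._lock = threading.Lock()
        self._tokens = {"access_token": None, "refresh_token": refresh_token,
                        "expires_at": 0.0}
        self.refresh_calls = 0

    def access_token(self, skew=60):
        with self._lock:  # only one caller may spend the refresh token
            if time.time() < self._tokens["expires_at"] - skew:
                return self._tokens["access_token"]  # someone already refreshed
            resp = self._endpoint.refresh(self._tokens["refresh_token"])
            self.refresh_calls += 1
            # Replace the whole record so the stored pair never drifts apart.
            self._tokens = {"access_token": resp["access_token"],
                            "refresh_token": resp["refresh_token"],
                            "expires_at": time.time() + resp["expires_in"]}
            return self._tokens["access_token"]

def run_concurrent(store, workers=8):
    """Ask for a token from several threads at once; return (tokens, errors)."""
    results, errors = [], []
    def worker():
        try:
            results.append(store.access_token())
        except PermissionError as exc:
            errors.append(str(exc))
    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return results, errors
```

With several processes or hosts the in-memory lock has to become a database row lock or a distributed lock around the same read, refresh and write sequence. This covers only the client-side causes in points 1 and 2.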

Thanks! I looked into these possibilities, but I don’t think any of these scenarios are the answer in this case.

#1: the user’s token is valid for a while (<1 day to several days) before it fails, and they’re not attempting to reauth on the day it stops working.
#2: I don’t think it’s this because we don’t make multiple quick requests with one token like you’re describing. Also, if you’re saying that it would fail temporarily but the refresh token would stay valid, I can confirm that after the event that makes the refresh_token invalid, it stays invalid indefinitely for future requests.
#3: I’m not sure how to match the info we’re receiving in the deauthorization events to the data we have for the user (would the client id be their team? is something in the jwt-decoded data of their token useful? I didn’t see anything that seemed to match), but the timestamps of the deauthorization events we’ve received don’t line up with the user’s timeline of issues and reauthorizations. The only scopes we have are to create and read meetings, so I don’t know how to see the Zoom team’s id (don’t see that in the meeting data).

A new clue? I’ve found since last writing in that whatever event is happening makes ALL the tokens on their Zoom team invalid. Seems like a useful clue, though I’m not sure what possibilities that opens up.

Thanks for your continued help,
Mike

Hey @mike8,

Can you share a recent refresh token that you’ve encountered this issue on for the user? You can send this to our team at developersupport@zoom.us and this will help us to take a closer look.

Thanks!
Will

I have the same issue it seems! Frequently receiving invalid_request / token revocation from Zoom - #5 by will.zoom

Again - this is not happening with all of our users, but with some it’s happening every day. I have a feeling it’s because they’re using our apps on multiple machines? Maybe Zoom is internally not keeping track of unique devices?

I think that is it!! Users that are using the same account on two macs. Zoom incorrectly expires the refresh token of the other mac.

Damnit. I’ve pulled my hair out for 2 weeks over this. Zoom - FIX THIS - PLEASE.

This is absolutely unacceptable, no matter the reason. Users these days have multiple machines / devices they use our apps on. They expect these to work. This needlessly increases our support around an issue Zoom needs to fix. This not only is disruptive, it also ruins the overall seamless experience users expect from our apps.

Hi @fahad.beehive,

I can see that we’ve connected over email and I will continue the conversation there.

Thanks,
Will

Any update on this? Our users are experiencing the same pain.

Hey @morgs.dovetail,

Currently, if a user simultaneously accesses the app from a second device such as another computer, phone, etc., any other access_tokens will be invalidated. At the moment, this is expected behavior.

However, in the future, we hope to support multiple active OAuth tokens per user to enhance the flow where the user needs to OAuth authenticate on multiple devices.

Thanks,
Will

Also see this: Frequently receiving invalid_request / token revocation from Zoom - #15 by fahad.beehive