Description
I have a Meeting SDK app that currently uses login/password details, and I’m trying to migrate this to OAuth. I’ve enabled OAuth for the app, and used a custom URL scheme to implement PKCE. (I posted earlier about custom schemes failing, but I suspect it may be valid just for SDK apps… not sure.)
I’m able to successfully go through the process of:
- Set appropriate Windows registry entries for my custom URL scheme
- Start a browser with the login URL, which displays the authorisation page
- Receive the code when my app is started
- Exchange the code for an access token
- Retrieve the user’s details
- Retrieve the user’s ZAK
(I haven’t actually tried starting a meeting with that ZAK yet, but I’ve had that working before.)
That all works once. But if I then go through the steps (from 2) again, the browser doesn’t show the authorisation page - it just shows an empty page then redirects to the app with a code. That code then can’t be exchanged for an access token - I receive an HTTP 400 error with content of:
```json
{
  "reason":"Invalid request : Redirect URI mismatch.",
  "error":"invalid_grant"
}
```
This makes no sense to me, as I’ve provided the exact same redirect URI as before - it’s literally the same code that worked previously.
If I go to the App Marketplace, manage the App, go to the “Local Test” section and hit “Regenerate” by the testable URL, without having made any changes to the app, everything reverts back to working - the authorisation page comes up, the code is returned appropriately, and I can exchange that code for an access/refresh token.
While obviously I would normally use the refresh token to continue accessing the API, so wouldn’t expect to normally need to go through the authorisation page multiple times, I’d still expect this to work - there are any number of reasons why I may need to reauthorise the app for the same user, e.g. a network issue when refreshing the token which means that the Zoom token server expects a “new” refresh token that was never received.
In the “working” state, the first request (to https://zoom.us/oauth/authorize) is redirected to https://zoom.us/oauth/signin, which in turn redirects back to the original authorisation URL with an additional _zmp_login_state query parameter - that request has a 200 response and loads the authorisation page.
In the “broken” state, the first request (to https://zoom.us/oauth/authorize) succeeds with a 200 response containing HTML that just redirects via an HTML script.
Things I’ve tried when diagnosing this:
- Using a different browser
- Using the first-received-and-working code a second time. (I’m glad this one failed, but I thought it worth a try.)
- Adding `_zmp_login_state=broken` to the first URL to attempt to get the token server to just go through the full authorisation…
- Testing using the production credentials - exactly the same results
So it feels like there are two problems here:
- Failure to display the authorisation page if the user has previously authorised the app (since the last time the “regenerate URL” button was pressed)
- Issuing of a code which can’t be exchanged for an access token. Even if Zoom deliberately takes a stance of “if they’ve authorised it once, it stays authorised”, there’s no point in redirecting using a code that doesn’t work…
Error
(See full description.)
Which App?
Knowing the app can help us to identify your issue faster. Please link the ones you need help/have a question with.
https://marketplace.zoom.us/develop/apps/ga9SYQIaS7u6alcz9axj9g
How To Reproduce (If applicable)
(See full description.)
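The PKCE pieces of the flow listed above (build the login URL, receive the code via the custom URL scheme, prepare the code exchange), as an added illustration that is not the poster's code and not Zoom's SDK. It assumes the standard OAuth 2.0 / RFC 7636 parameter names (`response_type`, `code_challenge`, `code_challenge_method`, `code_verifier`) and a `myapp://` scheme; only the authorize endpoint is taken from the post. The `state` check and the byte-identical `redirect_uri` are the two things a client should verify before it even sends the exchange request:

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://zoom.us/oauth/authorize"  # endpoint named in the post


def make_verifier(nbytes: int = 32) -> str:
    """Random PKCE code_verifier: 43..128 unreserved chars (RFC 7636 sec. 4.1)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Login URL for the browser: the challenge goes out, the verifier stays in the app."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,           # must be reused verbatim at the exchange
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,                         # assumed: random, checked on callback
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Callback received when the app is launched via the custom scheme (e.g. myapp://...).
    Reject it unless state matches what we sent, so a stray or replayed launch cannot
    inject a code; then return the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not produced by our authorize request")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code: str, redirect_uri: str, verifier: str) -> dict:
    """Form body for the code exchange. redirect_uri must be byte-identical to the
    value in the authorize request, or the server answers invalid_grant."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
```

The verifier/challenge pair can be checked against the RFC 7636 Appendix B test vector; the token body is what would be POSTed (as form data) to the token endpoint together with the app's client credentials.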