We have a use case which we want to implement internally within my organization. Can you please provide clarifications for the below queries?
Use case: We have an internal application (frontend in AngularJS) within my organization (we use Enterprise accounts), where users should be able to use Zoom v2 APIs in the application.
- Which type of OAuth app should we use for such type of integration?
  - OAuth User level app? OAuth account level app? Server2Server OAuth app?
- What exactly is meant by User level access and account level access apps?
- I have read in the documentation that “All Zoom OAuth and API endpoints must be called from the server side of your application. If called from the client side, it will throw CORS errors.” So, won't I be able to make Zoom API calls from the AngularJS application?
- We also have an SSO configured for Zoom within my organization. Should we be able to leverage that anywhere while authenticating?
@kancharla.bhagavan
1. Which type of OAuth app should we use for such type of integration?
You should use a Server-to-Server (S2S) app for this integration.
- It provides direct access to Zoom APIs without requiring individual user authorization, making it ideal for internal applications like yours.
- This type of app works entirely at the account level and ensures secure, backend-based communication with Zoom.
2. What exactly is meant by User-Level Access and Account-Level Access apps?
- User-Level Access Apps (OAuth 2.0 User-Level):
  - Require each user to log in and authorize the app before it can make API calls on their behalf.
  - Example: Scheduling a meeting for a specific user using their credentials.
- Account-Level Access Apps (OAuth 2.0 Admin-Level):
  - Require an admin to authorize the app once, granting access to all account-wide resources.
  - APIs can then manage resources for all users within the Zoom account.
- Server-to-Server OAuth Apps:
  - Do not involve user authorization at all.
  - They provide account-wide API access directly and are best suited for backend integrations like yours.
3. Can I make Zoom API calls directly from the AngularJS application?
While you can make API calls directly from the AngularJS application, it is highly discouraged due to security risks:
- The access token would be exposed in the browser, making it vulnerable to interception or misuse by malicious actors.
- This would lead to a security breach, as the token could grant unauthorized access to your Zoom account.
Correct Approach:
- Implement a server-side service (e.g., in Node.js or Python) to handle the OAuth process, securely manage the access token, and make API calls.
- The AngularJS frontend can communicate with the server using secure endpoints to interact with Zoom APIs indirectly.
4. We have SSO configured for Zoom within our organization. Can we leverage that anywhere while authenticating?
No, SSO cannot be leveraged in this specific use case when using a Server-to-Server OAuth app.
- SSO is primarily used for user authentication to log in to Zoom.
- However, the Server-to-Server OAuth app does not involve user login or authorization; it operates at the account level using credentials configured during app setup.
If you require SSO for user authentication in your internal application, it would be a separate process unrelated to the Zoom API authentication.
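The server-side approach described in the answer above, as an added Node.js example that is not part of the original thread and is not Zoom's own code. It assumes the Server-to-Server OAuth app's account ID, client ID and client secret are held only on the server and that the signed-in user's email comes from the internal application's own session; the action names, function names and sample values are hypothetical.

```javascript
const ZOOM_TOKEN_URL = "https://zoom.us/oauth/token";
const ZOOM_API_BASE = "https://api.zoom.us/v2";

// Token request: HTTP Basic auth with the app's client ID and secret.
function buildTokenRequest({ accountId, clientId, clientSecret }) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  const query = `grant_type=account_credentials&account_id=${encodeURIComponent(accountId)}`;
  return {
    url: `${ZOOM_TOKEN_URL}?${query}`,
    options: { method: "POST", headers: { Authorization: `Basic ${basic}` } },
  };
}

// Cache the account-level token in server memory; refresh 60 s before expiry.
function createTokenCache(creds, fetchImpl, now = Date.now) {
  let token = null, expiresAt = 0;
  return async function getToken() {
    if (token && now() < expiresAt - 60000) return token;
    const { url, options } = buildTokenRequest(creds);
    const res = await fetchImpl(url, options);
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    const body = await res.json();
    token = body.access_token;
    expiresAt = now() + body.expires_in * 1000;
    return token;
  };
}

// The browser sends an action name only (hypothetical names). The Zoom user is
// taken from the app's own authenticated session, never from request input,
// because the S2S token can act for every user in the account.
function resolveZoomCall(action, sessionEmail) {
  const user = encodeURIComponent(sessionEmail);
  const routes = {
    listMeetings: { method: "GET", path: `/users/${user}/meetings` },
    createMeeting: { method: "POST", path: `/users/${user}/meetings` },
  };
  return Object.prototype.hasOwnProperty.call(routes, action) ? routes[action] : null;
}

// Relay one allowed action; only Zoom's response body goes back to the browser.
async function relay(action, sessionEmail, payload, getToken, fetchImpl) {
  const call = resolveZoomCall(action, sessionEmail);
  if (!call) return { status: 403, body: { error: "action not allowed" } };
  const headers = { Authorization: `Bearer ${await getToken()}`, "Content-Type": "application/json" };
  const body = call.method === "POST" ? JSON.stringify(payload) : undefined;
  const res = await fetchImpl(ZOOM_API_BASE + call.path, { method: call.method, headers, body });
  return { status: res.status, body: await res.json() };
}
```

In a real service, `fetchImpl` would be Node's global `fetch` and `relay` would sit behind an HTTP route that the AngularJS frontend calls after the application's own login.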