Zoom Apps In-Client OAuth offers a significant user experience improvement over the traditional web-based install flow for exchanging an authorization code for an access token. It enables the Zoom app to trigger the exchange and receive the access token within the Zoom client. This feature includes:
- In-Client Add app: enable users to add the app from within the Zoom client.
- Retrieval of Zoom REST API OAuth tokens.
- In-client prompts for users to authorize updated scopes.
To enable In-Client OAuth:
- Log in to the Zoom portal, go to Manage App -> your app -> Features, and enable In-client OAuth.
- Under the OAuth allow list section, add your app’s Home URL.
The authorize method and the onAuthorized event are the in-client equivalent of a grant_type authorization_code request to the Zoom REST API to get the access token.
This in-client flow involves two steps for developers:
- Invoke the authorize method with a PKCE code_challenge (only code_challenge_method SHA256 is supported) and an optional state:
  - If the app’s scopes are already authorized by the user, it starts a non-interactive OAuth flow, completely invisible to the user.
  - If the app’s scopes have changed or been added, it goes to the in-client consent screen, and the user is prompted to reauthorize the app’s scopes.
- Listen for an onAuthorized event with an authorization code. Your app needs to register a listener callback function for the onAuthorized event. The callback function is invoked after the Zoom Client internally checks if the user has authorized the app’s scopes. The event includes the user authorization code the app sends to the application server to request an access token for the Zoom REST API.
To use the method and event in your app:
- Invoke the Zoom Apps SDK authorize method with the following parameters:
  - A PKCE code_challenge. Only PKCE method ‘SHA256’ is supported.
  - An optional state value.
- Register and listen for the onAuthorized event using the Zoom Apps SDK addEventListener method.
- (Optional) Verify the state value received in onAuthorized is the same as the value passed from the app to the
- From the application server, send a token request with the code_verifier used to generate the code_challenge. This completes the In-Client OAuth flow: the application server has received an access token for the Zoom REST API.
Keep the following in mind when migrating from web-based installs to Zoom App in-client adds:
- The in-client OAuth feature does not replace the traditional web-based install flow. Your app must continue to support the install flow from the Zoom Marketplace and your own install pages.
- You must re-implement any extraneous functionality that takes place during the traditional (web-based) install flow, such as getting and saving user OAuth tokens for the Zoom API.
- Some applications also create application users, create sessions, and more. These will have to be supported in the backend handler for the app’s Home URL using the X-Zoom-App-Context header on that request.
The in-client app flow to add an app is not available for unpublished apps. To test your app during development, we suggest these workarounds:
Add your app and send it to yourself. Then remove the app, and add it in a way that triggers the in-client OAuth flow.
1. Log into Zoom marketplace web portal and add your app to your user account.
2. Open the Zoom client and start a meeting.
3. Open your app, and send the app invitation to all participants.
4. In the Zoom client, close the app, but do not end the meeting.
5. Go to the Zoom marketplace and remove the app.
6. Return to the meeting in the Zoom client, locate the app invitation in the chat tab, and accept it.
Two users (two Zoom instances)
Add the app to your Zoom account and then invite another user to add the app.
1. User1 logs into Zoom marketplace web portal and adds the app to their user account.
2. User1 opens the Zoom client and starts a meeting.
3. User2 (who hasn’t added the app) joins the meeting.
4. User1 sends User2 an invite to add the app.
5. User2 locates the app invitation in the chat tab, and clicks it to accept the invitation.