giorgosavgeris / passport-zoom-oauth2 Goto Github PK

Installed the strategy, setup routes but getting error

Error: Unknown authentication strategy "zoom

router.get('/auth/zoom',` passport.authenticate('zoom'));

const ZoomStrategy = require('@giorgosavgeris/passport-zoom-oauth2').Strategy;
module.exports = (passport) => {
  passport.use(
    new ZoomStrategy({
      clientID: process.env['ZOOM_CLIENT_ID'],
      clientSecret: process.env['ZOOM_CLIENT_SECRET'],
      callbackURL: process.env['BASE_URL'] + '/auth/zoom/callback',
      passReqToCallback: true
    }, (req, accessToken, refreshToken, profile, cb) => {
      req.data = {
        access_token: accessToken,
        refresh_token: refreshToken,
        profile: profile
      };
      return cb(null, profile);
    }));
};

As a part of our continuing efforts to improve the security of Zoom OAuth App Types using Authorization flow, Zoom removed the ability to set the access tokens, refresh tokens and revoke tokens in the URL query parameters. This change took effect on February 2023. To fix this, all the token values should be set in the Authorization header and not the HTTP query parameters.

The next error is thrown if the access-token is not set in the Authorization header:

error: {
  statusCode: 401,
  data: '{"code":124,"message":"Invalid access token, this access token is not supported as query parameter string."}

PR with patch: #5

Zoom Dev Forum: https://devforum.zoom.us/t/security-update-no-token-values-in-url-query-parameters/78782

When submitting our app, utilizing oauth2 with Zoom as the provider, we were informed that his strategy was including the scope parameter in the callback URL, ie:

https://marketplace.zoom.us/authorize?client_id=&response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2Flogin%2Fzoom%2Fcallback&scope=user:read&_zmp_login_state=

The reviewer rejected the app, insisting that he scope should not be passed in the redirect URL. I gather this is a relatively recent policy change on the part of Zoom, but in order to produce compliant oauth2 apps, for Zoom, a (probably one line) change must be made to this strategy. I may ackle it as time allows, but posting this for reference in the meantime.

I am getting "Failed to fetch user profile" after authentication. Is there something i am missing?

I have granted the following scopes:
View account info/account:read:admin
View and manage all user meetings/meeting:write:admin
View and manage all user Webinars/webinar:write:admin

InternalOAuthError: Failed to fetch user profile
    at /auth/node_modules/@giorgosavgeris/passport-zoom-oauth2/lib/strategy.js:61:19
    at passBackControl (/auth/node_modules/oauth/lib/oauth2.js:132:9)
    at IncomingMessage.<anonymous> (/auth/node_modules/oauth/lib/oauth2.js:157:7)
    at IncomingMessage.emit (events.js:203:15)
    at endReadableNT (_stream_readable.js:1145:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)