I would like to bring to your knowledge that Zoom is soon going to stop supporting the JWT token method which is used for the Zoom plugin.
We are aware, and have a draft PR to support server-oauth instead: VC/Zoom: Support server-to-server oauth by ThiefMaster · Pull Request #193 · indico/indico-plugins · GitHub
But JWT will work until later this year, AFAIU you just cannot create new ones as of Jun 1st.
Thanks for your reply and kind support.
Hi,
Thanks for the new plugin. I just updated to the latest version (3.2.4) but I don’t have a clear idea of what to do to configure the server-oauth. Who/how are delivered the client ID and secret? What is the account ID?
Thanks in advance for any help or pointer.
Michel
You need to get it from whoever manages your organization’s Zoom subscription (“account”): Create a Server-to-Server OAuth app
Thanks for the pointer (may be worth adding to the plugin README unless I missed it…). I have been able to add and activate the app, except I have not been able to validate the webhook URL. Do I need to do something on the Indico side to make this URL active? (I interpreted yourserver as your_indico_server, am I right?). Is the webhook token in the plugin configuration the same as the secret token in the Zoom app configuration?
Michel
may be worth to add to the plugin README except if I missed it…
There’s indeed something in it
Do I need to do something on the Indico side to make this URL active? (I interpreted yourserver as your_indico_server, am I right?). Is the webhook token in the plugin configuration the same as the secret token in the Zoom app configuration?
Yes, e.g. in our case it’s https://indico.cern.ch/api/plugin/zoom/webhook (you should get “method not allowed” when accessing the endpoint manually in a browser).
The webhook token has nothing to do with the app. I think it’s displayed (“Verification Token”) when creating the webhook.
The URL I put works the same way as yours, so should be ok.
The app gives both a secret token and a verification token, with a warning that validation token will become obsolete in October and be replaced by the so-called secret token… I put it in the plugin parameter “webhook token” but I understand that it was a mistake… How to restore the original (or regenerate) the webhook token? Where the validation/secret token goes into the plugin config?
Michel
I gave it another try but without success. In the end, reviewing the various Zoom documentation related to this, I realized that the previous plugin webhook token value was coming from the JWT app and that, according to Using webhooks, I have the feeling I did the right thing updating it with the so-called secret token in the Zoom app…
The problem remains that if I add https://indico.ijclab.in2p3.fr/api/plugin/zoom/webhook as the event notification endpoint, any attempt to validate it (a requirement to activate it) fails… If I look into the Indico log, I see that the challenge is received (POST to the notification endpoint) without any associated error, but maybe I should increase the verbosity.
Any hint still welcome.
Michel
Any idea what Zoom does when you “attempt to validate” it? Maybe we need to respond to some ping-like request so Zoom knows the recipient can handle Zoom webhooks?
Yes, it is a challenge-response check documented at Using webhooks. It cannot work if it is not handled…
Michel
I tried to enable debug mode to get more verbose logs by adding DEBUG=True to my indico.conf but it had no effect… When I create a room through Indico, it works but I have no way to certify it is through the new Zoom app rather than the old JWT (if I’m right JWT was supposed to be stopped on Sept. 11)…
Not sure if it is relevant but the first attempt to validate the endpoint after adding DEBUG=True and restarting uwsgi resulted in the following error:
2023-09-14 09:54:01,212 INFO fc298a212e944118 - indico.rh POST /api/plugin/zoom/webhook [IP=3.235.83.101] [PID=2506862]
2023-09-14 09:54:01,218 ERROR fc298a212e944118 - indico.flask 'object'
Traceback (most recent call last):
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask_pluginengine/util.py", line 190, in wrapped
    return func(*args, **kwargs)
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/flask/util.py", line 79, in wrapper
    return obj().process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/rh.py", line 285, in process
    res = self._do_process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/rh.py", line 256, in _do_process
    rv = self._process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/webargs/core.py", line 594, in wrapper
    return func(*args, **kwargs)
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico_vc_zoom/controllers.py", line 62, in _process
    meeting_id = payload['object']['id']
KeyError: 'object'
The error does not show up after the initial attempt and I didn’t check if it happens after every restart when DEBUG=True. It didn’t happen after the restart after removing it.
Michel
I managed to assess that I’m using the new server-oauth app and no longer JWT. When using JWT in plugin 3.2.4, there is a warning logged and it is present in the log file after the plugin upgrade until I configured the new server-oauth app. So this part of the config looks correct.
Michel
Looking at the webhook code in the plugin (https://github.com/indico/indico-plugins/blob/9fd0fd6a6b6e8784b90eb54e9045559ae59aa7ad/vc_zoom/indico_vc_zoom/controllers.py#L48 ff.), there is no code to respond to the validation request.
It needs a (before even looking for a meeting id):
if event == endpoint.url_validation:
    calc hmac from payload.plaintoken + client secret token,
    return json {plaintoken: as received, encryptedtoken: hmac}
@bpedersen2 thanks for the suggestion. I guess you mean to insert this code at line 70 in the mentioned file?
Are you sure your suggested (Python) code is correct and can be used as is?
Cheers,
Michel
no, this was just pseudo code
@bpedersen2 I tried to add at the beginning of the process() method (line 62):
if event == "endpoint.url_validation":
    current_plugin.logger.warning('Validation payload received: %s', payload)
    return
but I don’t get anything in indico.log… (even trying to log the event once process() is entered doesn’t log anything…). Is it expected (something wrong in what I did)?
Michel
Yes, probably _check_access is rejecting the request.
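The challenge-response check this thread is about, written out as an added example; it is not code from the thread or from the Indico plugin. The names `hmac_hex`, `signature_ok` and `handle_webhook` are hypothetical, the sample body and tokens are constructed, and the `encryptedToken` and `v0=` signature formats are assumed from Zoom's "Using webhooks" documentation (the signature check goes one step beyond what the thread covers).

```python
import hashlib
import hmac
import json

# Constructed sample body, shaped like the validation request discussed above.
SAMPLE_CHALLENGE = b'{"event": "endpoint.url_validation", "payload": {"plainToken": "constructed-token"}}'


def hmac_hex(secret_token: str, message: bytes) -> str:
    """Hex-encoded HMAC-SHA256 keyed with the Zoom app's secret token."""
    return hmac.new(secret_token.encode(), message, hashlib.sha256).hexdigest()


def signature_ok(raw_body: bytes, timestamp: str, signature: str, secret_token: str) -> bool:
    """Check x-zm-signature: 'v0=' + HMAC-SHA256(secret, 'v0:<timestamp>:<body>')."""
    expected = 'v0=' + hmac_hex(secret_token, b'v0:' + timestamp.encode() + b':' + raw_body)
    return hmac.compare_digest(expected.encode(), signature.encode())


def handle_webhook(raw_body: bytes, secret_token: str):
    """Return (http_status, json_dict) for one webhook POST body."""
    try:
        data = json.loads(raw_body)
        event, payload = data['event'], data['payload']
    except (ValueError, KeyError, TypeError):
        return 400, {'error': 'malformed webhook body'}
    if not isinstance(payload, dict):
        return 400, {'error': 'malformed webhook body'}

    # Answer the challenge before touching payload['object']: the validation
    # request carries no meeting, which is what raised KeyError: 'object'.
    if event == 'endpoint.url_validation':
        plain = payload.get('plainToken')
        if not isinstance(plain, str):
            return 400, {'error': 'missing plainToken'}
        return 200, {'plainToken': plain,
                     'encryptedToken': hmac_hex(secret_token, plain.encode())}

    obj = payload.get('object')
    if not isinstance(obj, dict) or 'id' not in obj:
        return 400, {'error': 'no meeting object in payload'}
    return 200, {'meeting_id': obj['id']}  # hand over to real event handling here


if __name__ == '__main__':
    print(handle_webhook(SAMPLE_CHALLENGE, 'constructed-secret-token'))
```

In a real request handler the access check has to let the validation request through (or verify it with `signature_ok`) before this logic runs, otherwise the challenge never reaches it.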