Zoom is soon going to stop supporting the JWT

I would like to bring to your knowledge that Zoom is soon going to stop supporting the JWT token method which is used for the Zoom plugin.

1 Like

We are aware, and have a draft PR to support server-oauth instead: VC/Zoom: Support server-to-server oauth by ThiefMaster · Pull Request #193 · indico/indico-plugins · GitHub

But JWT will work until later this year, AFAIU you just cannot create new ones as of Jun 1st.

2 Likes

Thanks for your reply and kind support.

I just published v3.2.3 of the Indico Zoom plugin which supports Server-OAuth.

1 Like

Hi,

Thanks for the new plugin. I just updated to the latest version (3.2.4) but I don’t have a clear idea of what to do to configure server-oauth. Who delivers the client ID and secret, and how? What is the account ID?

Thanks in advance for any help or pointer.

Michel

You need to get it from whoever manages your organization’s Zoom subscription (“account”): Create a Server-to-Server OAuth app

1 Like

Thanks for the pointer (may be worth adding to the plugin README, unless I missed it…). I have been able to add and activate the app, except I have not been able to validate the webhook URL. Do I need to do something on the Indico side to make this URL active? (I interpreted yourserver as your_indico_server, am I right?). Is the webhook token in the plugin configuration the same as the secret token in the Zoom app configuration?

Michel

may be worth to add to the plugin README except if I missed it…

There’s indeed something in it :slight_smile:

Do I need to do something on the Indico side to make this URL active? (I interpreted yourserver as your_indico_server, am I right?). Is the webhook token in the plugin configuration the same as the secret token in the Zoom app configuration?

Yes, e.g. in our case it’s https://indico.cern.ch/api/plugin/zoom/webhook (you should get “method not allowed” when accessing the endpoint manually in a browser).

The webhook token has nothing to do with the app. I think it’s displayed (“Verification Token”) when creating the webhook.

The URL I put works the same way as yours, so should be ok.

The app gives both a secret token and a verification token, with a warning that the validation token will become obsolete in October and be replaced by the so-called secret token… I put it in the plugin parameter “webhook token” but I understand that it was a mistake… How do I restore the original (or regenerate) webhook token? Where does the validation/secret token go in the plugin config?

Michel

I gave it another try but without success. In the end, reviewing the various Zoom documentation related to this, I realized that the previous plugin webhook token value was coming from the JWT app and that, according to Using webhooks, I have the feeling I did the right thing updating it with the so-called secret token in the Zoom app…

The problem remains that if I add https://indico.ijclab.in2p3.fr/api/plugin/zoom/webhook as the event notification endpoint, any attempt to validate it (a requirement to activate it) fails… If I look into the Indico log, I see that the challenge is received (POST to the notification endpoint) without any associated error, but maybe I should increase the verbosity.

Any hint still welcome.

Michel

Any idea what Zoom does when you “attempt to validate” it? Maybe we need to respond to some ping-like request so Zoom knows the recipient can handle Zoom webhooks?

Yes, it is a challenge-response check documented at Using webhooks. It cannot work if it is not handled…

Michel

I tried to enable debug mode to get more verbose logs adding DEBUG=True to my indico.conf but it had no effect… When I create a room through Indico, it works but I have no way to certify it is through the new Zoom app rather than the old JWT (if I’m right JWT was supposed to be stopped on Sept. 11)…

Not sure if it is relevant but the first attempt to validate the endpoint after adding DEBUG=True and restarting uwsgi resulted in the following error:

2023-09-14 09:54:01,212  INFO     fc298a212e944118  -       indico.rh                 POST /api/plugin/zoom/webhook [IP=3.235.83.101] [PID=2506862]
2023-09-14 09:54:01,218  ERROR    fc298a212e944118  -       indico.flask              'object'
Traceback (most recent call last):
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask_pluginengine/util.py", line 190, in wrapped
    return func(*args, **kwargs)
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/flask/util.py", line 79, in wrapper
    return obj().process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/rh.py", line 285, in process
    res = self._do_process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/rh.py", line 256, in _do_process
    rv = self._process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/webargs/core.py", line 594, in wrapper
    return func(*args, **kwargs)
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico_vc_zoom/controllers.py", line 62, in _process
    meeting_id = payload['object']['id']
KeyError: 'object'

The error does not show up after the initial attempt and I didn’t check if it happens after every restart when DEBUG=True. It didn’t happen after the restart after removing it.

Michel

I managed to assess that I’m using the new server-oauth app and no longer JWT. When using JWT in plugin 3.2.4, there is a warning logged and it is present in the log file after the plugin upgrade until I configured the new server-oauth app. So this part of the config looks correct.

Michel

Looking at the webhook code in the plugin (https://github.com/indico/indico-plugins/blob/9fd0fd6a6b6e8784b90eb54e9045559ae59aa7ad/vc_zoom/indico_vc_zoom/controllers.py#L48 ff.), there is no code to respond to the validation request.

It needs a (before even looking for a meeting id):

if event == endpoint.url_validation:
    calc hmac from payload.plaintoken + client secret token,
    return json {plaintoken: as received, encryptedtoken: hmac}

@bpedersen2 thanks for the suggestion. I guess you mean to insert this code at line 70 in the mentioned file?

Are you sure your suggested (Python) code is correct and can be used as is?

Cheers,

Michel

no, this was just pseudo code
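A runnable version of the challenge-response check sketched in the pseudocode above, as an added example that is not the plugin's code or part of the original thread. It assumes the scheme from Zoom's webhook documentation (an `x-zm-signature` header of `v0=` plus the HMAC-SHA256 of `v0:{timestamp}:{body}`, and a `plainToken`/`encryptedToken` validation reply); the function names, the lowercase-key header dict, the 300-second freshness window and the sample secret are assumptions made here.

```python
import hashlib
import hmac
import json
import time

def sign(secret, message):
    """Hex HMAC-SHA256 of message, keyed with the app's webhook secret token."""
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()

def signature_is_valid(secret, headers, raw_body, now=None, max_age=300):
    """Verify x-zm-signature over 'v0:{timestamp}:{body}'; max_age is an assumed policy."""
    timestamp = headers.get('x-zm-request-timestamp', '')
    try:
        age = abs((time.time() if now is None else now) - int(timestamp))
    except ValueError:
        return False
    if age > max_age:  # stale or replayed request
        return False
    expected = 'v0=' + sign(secret, f'v0:{timestamp}:{raw_body}')
    received = headers.get('x-zm-signature', '')
    return hmac.compare_digest(expected.encode(), received.encode())

def handle_webhook(secret, headers, raw_body, now=None):
    """Hypothetical handler: returns (http_status, json_body) for one webhook POST."""
    if not signature_is_valid(secret, headers, raw_body, now=now):
        return 401, {'error': 'bad signature'}
    try:
        data = json.loads(raw_body)
        event, payload = data['event'], data['payload']
    except (ValueError, KeyError, TypeError):
        return 400, {'error': 'malformed body'}
    if not isinstance(payload, dict):
        return 400, {'error': 'malformed body'}
    if event == 'endpoint.url_validation':
        plain = payload.get('plainToken')
        if not isinstance(plain, str):
            return 400, {'error': 'missing plainToken'}
        # Echo the token plus its HMAC so Zoom can confirm we hold the secret.
        return 200, {'plainToken': plain, 'encryptedToken': sign(secret, plain)}
    obj = payload.get('object')
    if not isinstance(obj, dict) or 'id' not in obj:  # guards the KeyError: 'object' case
        return 400, {'error': 'no meeting object'}
    return 200, {'meeting_id': obj['id']}

if __name__ == '__main__':
    secret, ts = 'constructed-secret', '1700000000'  # constructed sample values
    body = json.dumps({'event': 'endpoint.url_validation', 'payload': {'plainToken': 'abc123'}})
    headers = {'x-zm-request-timestamp': ts, 'x-zm-signature': 'v0=' + sign(secret, f'v0:{ts}:{body}')}
    print(handle_webhook(secret, headers, body, now=1700000010))
```

The signature is computed over the raw request body, so it has to be checked before the body is re-serialized or otherwise altered by the framework.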

@bpedersen2 I tried to add at the beginning of process() method (line 62):

    if event == "endpoint.url_validation":
        current_plugin.logger.warning('Validation payload received: %s', payload)
        return

but I don’t get anything in indico.log… (even trying to log the event once process() is entered doesn’t log anything…). Is it expected (something wrong in what I did)?

Michel

@bpedersen2 @ThiefMaster any idea about my last reply?

Yes, probably _check_access is rejecting the request.