# Append trailing "=" to the end code_challenge_url_safe_encode ## Introduction Zoom supports Proof of Key Code Exchange (PKCE) industry - standard protocol for authorization when requesting user tokens. This offers better security by enabling clients to use a code challenge and code exchange as part of the initial user authorization request. See [rfc7636](https://datatracker.ietf.org/doc/html/rfc7636) for details. This guide will walk you through the manual generation of the PKCE OAuth Code_verifier and Code_challenge. It will also teach you how to generate these codes programmatically. Finally, it will demonstrate how to use the Zoom OAuth 2.0 PKCE Flow in Postman. ## What is PKCE? PKCE is an extension to the OAuth 2 spec. Its design aims to add an additional layer of security that verifies that the authentication and token exchange requests come from the same client. This is achieved through the use of the code_challenge and code_verifier parameters, sent by the third-party application during the OAuth process. - The `code_verifier` parameter's value uses the [SHA 256](https://www.movable-type.co.uk/scripts/sha256.html) Cryptographic Hash Algorithm. SHA 256 creates a unique “signature” for a text or file of any size, - The `code_challenge` [Base64-encodes](https://www.base64encode.org/) the value generated from the code_verifer step. ### Note: - Regardless of the input file or text, the generated value is always the same length - Guaranteed to be always produce the same result for the same input - One way (that is, you can’t reverse engineer it to reveal the original input) - Code_challenge value should be equivalent to the `code_verifier` parameter's value when using the "plain" code challenge mode, or a cryptographic hash of the `code_verifier` parameters' value, though the use of the "plain" code challenge method is largely discouraged. ## Generate the Code_verifier and Code_challenge: You can manually generate the **code_verifier** by entering a random string into the **[SHA256 online tool](https://emn178.github.io/online-tools/sha256.html)** on Github. ### SHA256 Tool Screenshot: ![](/img/blog/dontesmall/ShA256.png) Then, manually encode the encrypted value with the **[Base64 online tool](https://www.base64encode.org)**: ### Base64encode Tool Screenshot: ![](/img/blog/dontesmall/Encode_to_base64.png) ### Programmatically generate the **Code_verifier** and **Code_challenge** Alternatively, you can programmatically generate the **Code_verifier** and **Code_challenge** with the following script: ```shell mkdir crypto-gen cd crypto-gen npm init -y ``` ```javascript const crypto = require("crypto"); const btoa = require('btoa'); function base64URLEncode(str) { return str.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); } function sha256_ASCII(buffer) { return crypto.createHash('sha256').update(buffer).digest('base64').toString("ascii"); } const code_Verifier = base64URLEncode(crypto.randomBytes(32)); const code_ChallengeUrlSafeEncode = base64URLEncode(sha256_ASCII(code_Verifier)); console.log("code_verifier: " + code_Verifier); # Append trailing "=" to the end code_challenge_url_safe_encode console.log("URL safe encode code_challenge : " + code_ChallengeUrlSafeEncode + "="); ``` ## PKCE Flow Overview - During the initial step ( `https://zoom.us/oauth/authorize` ) of the OAuth procedure, the `code_challenge` parameter is provided by the third-party client to the OAuth provider. - After the user has manually authorized the application, the OAuth provider should then respond with an authorization code, which must be returned to the OAuth provider along with the `code_verifier` parameter, by the third-party client, in exchange for an access token. - If the `code_verifier` parameter does not match the `code_challenge` provided by the client in the initial authorization request, this may indicate an attempted code injection attack, and so the OAuth process should be abandoned by the provider and an error returned to the third-party client. - If Zoom verifies that the `code_challenge` and the `code_verifier` match, the token endpoint (https://zoom.us/oauth/token) continues processing. ## Zoom OAuth 2.0 PKCE Flow: In Postman ### Step 1: [Getting an Access Token](/docs/integrations/oauth/#getting-an-access-token) A. Direct the user to `https://zoom.us/oauth/authorize` with the following query parameters: ![](/img/blog/dontesmall/pkce-queryparameters.png) ### Postman Authorization Tab Configuration: 1. Under the **Authorization** tab of any request, select `OAuth 2.0`.Select **Get New Access Token**. 2. From there, select a **Grant Type** of **Authorization Code (With PKCE)**, and click **Authorize using the browser** checkbox. 3. In the **Auth URL** field, enter **Zoom Authorization** endpoint with **response_type** and **code_challenge** params values included: ``` https://zoom.us/oauth/authorize?response_type=code&code_challenge= {{A challenge derived from the code verifier}} ``` 4. In the **Access Token URL** field, enter the access token endpoint ``` https://zoom.us/oauth/token ``` 5. In the **clientID** field, enter Zoom Marketplace OAuth app **clientID**. 6. In the **Code Challenge Method** field, select **SHA-256** and click **Get New Access token.** 7. Postman will open a browser tab that redirects to the endpoint entered for the [Zoom Marketplace redirect URL](/docs/integrations/create/#step-2-maintain-basic-information). Appended to the end of the Redirect URL, you will find the Authorization Code, which must be returned to the OAuth provider (Zoom) to get **Access Token**. This example leverages Postman's redirect endpoint (https://oauth.pstmn.io/v1/callback): ![](/img/blog/dontesmall/pkce-authorization-code.png) ### Postman Authorization Tab: Here is a screenshot of what the populated **Authorization tab** looks like: ![](/img/blog/dontesmall/postman-authorization-tab.png) ### Step 2: [Request Access Token](/docs/integrations/oauth/#getting-an-access-token): A. Create Post to https://zoom.us/oauth/token with the following headers and query parameters: ![](/img/blog/dontesmall/postman-params-tab.png) ### Postman Params Tab Configuration : 1. On the Postman **Params Tab**, set **code**, **grant_type**, **redirect_url**, and **code_verifer** param values: ![](/img/blog/dontesmall/postman-get-access-token-post-request.png) 2. On the Postman **Headers Tab** , set **Content-Type** and **Authorization** headers, then click Send: ![](/img/blog/dontesmall/postman-headers-tab.png) For reference, here is a video demonstrating the PKCE Flow: (Coming Soon) #### Resources - [OAuth 2.0 for Zoom](/docs/integrations/oauth/) - [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636) * **Github Sample Apps:** - [Sample Zoom OAuth App NodeJS app to call Zoom's APIs](https://github.com/zoom/zoom-oauth-sample-app) - [Sample Zoom User Level OAuth Starter App](https://github.com/zoom/user-level-oauth-starter) - [Sample Zoom Server-2-Server OAuth Starter App](https://github.com/zoom/server-to-server-oauth-starter-api) - [Sample Zoom Server-to-Server (s2s) Oauth Token Generation](https://github.com/zoom/server-to-server-oauth-token) ## Conclusion To access more knowledge about this from our developer community and Developer Relations team, be sure to take a look at [the dedicated thread on the Zoom Developer Forum](https://devforum.zoom.us/t/zoom-aws-virtual-participant-framework). We’d love for you to check it out, and look forward to your feedback. If you enjoyed this article, feel free to check out some others articles and support documentation like: - [Integrations (OAuth apps)](/docs/integrations/) - [Create an OAuth app](/docs/integrations/create/) - [OAuth 2.0 for Zoom](/docs/integrations/oauth/) For any questions or assistance with any of these topics, please use our [Developer Forum](https://click.zoom.us/e/84442/2023-09-20/c579md/4976204078?h=jtvp3AyDOiP0GtZn0emj5N16PrTRlMIX8NsWcyniXTQ), or contact [Developer Support](https://click.zoom.us/e/84442/2023-09-20/c579mh/4976204078?h=jtvp3AyDOiP0GtZn0emj5N16PrTRlMIX8NsWcyniXTQ). For details about Developer Platform updates, including APIs and SDKs, please visit the [changelog](https://click.zoom.us/e/84442/7372381325-Developer-Changelog/c579m9/4976204078?h=jtvp3AyDOiP0GtZn0emj5N16PrTRlMIX8NsWcyniXTQ) regularly. Happy coding!