5.3 Updating Snapshots
In order for a user to receive a valid OAuth access token to read and update their zoom-identity-snapshot attribute, they must successfully complete the OAuth 2.0 Authorization Code Flow with PKCE [16] with their IDP for the same email address they use to log in to Zoom. This is implemented as a second, separate flow from the Zoom user login flow. To ensure that only an authorized user on a Zoom native client is able to update the identity snapshot stored by the IDP, our protocol requires IDPs to:
- Introduce new OAuth scopes idpSnapshot.manage (required to update one’s snapshot) and idpSnapshot.read (required to read one’s snapshot).
- Issue access tokens with the idpSnapshot.manage scope only for requests that use PKCE, and where the redirect URI is one of the fixed custom URIs intended to refer to the native Zoom desktop and mobile clients (such as zoommtg://zoom.us/oauth2).
- Issue access tokens with the idpSnapshot.read scope regardless of the specific OIDC flow. This scope supports future use cases where the Zoom server can fetch valid user attestations without modifying the attested keys.

With the custom URI redirect, we trust the operating system and browser to redirect to the native Zoom app and not to a website in a browser: such a website might be serving malicious JavaScript from a compromised web server that could hijack the authorization flow. PKCE is an OAuth 2.0 extension that prevents other apps installed on the user’s device from intercepting the authorization code. The Zoom app will not share the resulting “write” access token with anyone else, including the Zoom server, but read-only access to snapshots can be extended to all access tokens, including those issued to browser sessions.

After the client has obtained an access token which includes the idpSnapshot.manage scope, it can use it at a dedicated IDP API endpoint to request an attestation with an arbitrary zoom-identity-snapshot value. We realize that the protections given to write ID tokens depend on the security of the underlying platform, including the user’s browser, their OS and their hardware, but we intend these protections to be best-effort measures.
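The following is an added example, not code from the whitepaper or from Zoom, showing how an IDP could enforce the scope-issuance rules above at its token endpoint: the S256 PKCE check from RFC 7636 and the rule that idpSnapshot.manage is granted only when PKCE verifies and the registered redirect URI is one of the native-client custom URIs, while idpSnapshot.read is granted for any flow. The URI zoommtg://zoom.us/oauth2 comes from the text; the second URI in the allow-list, the AuthorizationRecord structure and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Redirect URIs the IDP treats as the native Zoom clients.
# "zoommtg://zoom.us/oauth2" is from the text; the second entry is a
# constructed placeholder standing in for a mobile custom scheme.
NATIVE_REDIRECT_URIS = frozenset({
    "zoommtg://zoom.us/oauth2",
    "zoomus-example://zoom.us/oauth2",  # assumption, not a real registered URI
})

SCOPE_MANAGE = "idpSnapshot.manage"
SCOPE_READ = "idpSnapshot.read"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the code_challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: a high-entropy code_verifier (32 random bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass(frozen=True)
class AuthorizationRecord:
    """What the IDP stored when it issued the authorization code (hypothetical shape)."""
    redirect_uri: str                 # redirect_uri bound to the code at /authorize
    requested_scopes: FrozenSet[str]  # scopes asked for at /authorize
    code_challenge: Optional[str] = None
    code_challenge_method: Optional[str] = None


def pkce_verified(record: AuthorizationRecord, code_verifier: Optional[str]) -> bool:
    """IDP side: the code exchange must prove possession of the original verifier."""
    if record.code_challenge is None or record.code_challenge_method != "S256":
        return False  # no PKCE, or the downgradable 'plain' method: treat as no PKCE
    if code_verifier is None or not (43 <= len(code_verifier) <= 128):
        return False  # RFC 7636 length bounds
    expected = code_challenge_s256(code_verifier)
    # Constant-time comparison so the check itself leaks nothing about the challenge.
    return hmac.compare_digest(expected, record.code_challenge)


def grant_scopes(record: AuthorizationRecord,
                 code_verifier: Optional[str],
                 presented_redirect_uri: str) -> FrozenSet[str]:
    """Decide which snapshot scopes the access token may carry.

    idpSnapshot.read   : granted whenever requested, regardless of flow.
    idpSnapshot.manage : granted only if PKCE verifies AND the redirect_uri
                         presented at the token endpoint matches the one bound
                         to the code AND that URI is a native-client custom URI.
    Anything else is silently narrowed to read-only rather than rejected outright.
    """
    granted = set()
    if SCOPE_READ in record.requested_scopes:
        granted.add(SCOPE_READ)
    if SCOPE_MANAGE in record.requested_scopes:
        if (pkce_verified(record, code_verifier)
                and presented_redirect_uri == record.redirect_uri
                and record.redirect_uri in NATIVE_REDIRECT_URIS):
            granted.add(SCOPE_MANAGE)
    return frozenset(granted)


if __name__ == "__main__":
    # Native client: PKCE + custom URI -> gets the write scope.
    v = make_code_verifier()
    rec = AuthorizationRecord("zoommtg://zoom.us/oauth2",
                              frozenset({SCOPE_READ, SCOPE_MANAGE}),
                              code_challenge_s256(v), "S256")
    print(sorted(grant_scopes(rec, v, "zoommtg://zoom.us/oauth2")))
    # Same request but redirected to an https:// web callback -> read-only.
    web = AuthorizationRecord("https://example.invalid/callback",
                              frozenset({SCOPE_READ, SCOPE_MANAGE}),
                              code_challenge_s256(v), "S256")
    print(sorted(grant_scopes(web, v, "https://example.invalid/callback")))
```

The policy narrows rather than refuses: a browser session that asks for both scopes still receives a read-only token, which matches the text's intent that read access be available to all access tokens while write access is confined to the native app. The S256 known-answer pair used in the test below is the one published in RFC 7636 Appendix B.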