[Zoom] OAuth scopes in documentation do not match latest available scopes provided by Zoom
Bug Description
In setting up the Zoom connector to test with the latest Security Assistant Knowledge Base features, it was noted that the scopes detailed in the Zoom connector documentation do not match any of the available scopes provided by Zoom.
Looking through the Zoom OAuth Scopes documentation, as far as I can tell this isn't a privilege issue on my end, but perhaps a compatibility change with the introduction of granular and optional scopes on 21-MAR-2024.
The required OAuth scopes detailed in our documentation are as follows:
user:read:admin
meeting:read:admin
chat_channel:read:admin
recording:read:admin
chat_message:read:admin
report:read:admin
And searching for any of these scopes in the Add Scopes interface when setting up your Zoom app will return no matches. E.g.
In going through all the scopes, the below are the best matches I could find to those recommended in the docs:
After completing the App configuration and activating the app, I created the Zoom connector in Kibana and while the sync was successful, it failed to sync any data. This is the output from the connector logs:
To Reproduce
Steps to reproduce the behavior:
- Create Server-To-Server OAuth Zoom App as detailed in the Zoom connector docs
- Take note that Scopes are different than detailed in docs, and select nearest matching scopes
- Activate Zoom app, and install Zoom connector
- Take note that no data is synced
Expected behavior
- Scopes detailed in docs should be the latest available in the Zoom app setup (or if this is an auth issue, a note should mention this)
- Data should sync given base scopes
Environment
Running Kibana/ES/Connectors from source, on main branch.
Hi @spong,
While creating the new Server-to-Server OAuth application permission, we now need to select the granular permissions https://developers.zoom.us/docs/integrations/oauth-scopes-overview/.
Here are the new permissions that you can use in place of the old ones:
| Old Permissions (scopes) | New Permissions (granular scopes) |
|---|---|
| user:read:admin | user:read:list_users:admin |
| meeting:read:admin | meeting:read:list_meetings:admin, meeting:read:list_past_participants:admin |
| recording:read:admin | cloud_recording:read:list_user_recordings:admin |
| chat_channel:read:admin | team_chat:read:list_user_channels:admin |
| chat_message:read:admin | team_chat:read:list_user_messages:admin |
Thank you @moxarth-elastic -- I will give this a try later this week and report back 👍
So yeah, looks like my developer account does not have access to those scopes:
I didn't see anywhere in the zoom docs where it mentions their admin features for limiting scopes of app developers. I will check with IT and see what they have to say on their end. With the scopes I currently have there's not much I can do with the connector unfortunately 😔
I do have access to cloud_recording:read:list_account_recordings:admin vs cloud_recording:read:list_user_recordings:admin, so maybe I can at least sync recording information? Will the connector pull data for whatever scopes it has access to, or is its syncing hardcoded and reliant on these exact scopes?
Either way, we'll need to update the docs with the above granular scopes. Do we need to create another issue for that, or is that change made in the connectors repo?
> So yeah, looks like my developer account does not have access to those scopes: I didn't see anywhere in the zoom docs where it mentions their admin features for limiting scopes of app developers. I will check with IT and see what they have to say on their end. With the scopes I currently have there's not much I can do with the connector unfortunately 😔

Seems like you don't have enough permissions to view these permissions; refer to this for more info: https://developers.zoom.us/docs/internal-apps/#enable-the-server-to-server-oauth-role

> I do have access to cloud_recording:read:list_account_recordings:admin vs cloud_recording:read:list_user_recordings:admin, so maybe I can at least sync recording information?

I think you should give it a try, since we didn't have a Pro account to test this. Apart from recordings, other objects are fetched and ingested successfully with the above-mentioned permissions.

> Will the connector pull data for whatever scopes it has access to, or is its syncing hardcoded and reliant on these exact scopes?

The connector requires a minimum scope of "user:read:list_users:admin" to fetch data, and once that scope is available, it can dynamically fetch data for additional scopes.
> Either way, we'll need to update the docs with the above granular scopes. Do we need to create another issue for that, or is that change made in the connectors repo?

The doc changes are yet to be done; once you verify the permissions from your end, we can ask @leemthompo to update the documentation.
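As an added example (not part of this thread or of the connector's code), a pre-flight check that compares a granted scope string against the granular scopes and the minimum scope given above. It assumes the scopes arrive as a space-separated string, as in an OAuth token response's `scope` field; `audit_scopes` and the sample value are constructed for illustration.

```python
# Mapping copied from the table in this thread (legacy scope -> granular scopes).
LEGACY_TO_GRANULAR = {
    "user:read:admin": ["user:read:list_users:admin"],
    "meeting:read:admin": [
        "meeting:read:list_meetings:admin",
        "meeting:read:list_past_participants:admin",
    ],
    "recording:read:admin": ["cloud_recording:read:list_user_recordings:admin"],
    "chat_channel:read:admin": ["team_chat:read:list_user_channels:admin"],
    "chat_message:read:admin": ["team_chat:read:list_user_messages:admin"],
}
# Stated in this thread as the minimum scope the connector needs to fetch data.
MINIMUM_SCOPE = "user:read:list_users:admin"


def audit_scopes(scope_field: str) -> dict:
    """Classify a space-separated scope string (assumed format) against the table."""
    granted = set(scope_field.split())
    legacy = set(LEGACY_TO_GRANULAR)
    known = {g for needed in LEGACY_TO_GRANULAR.values() for g in needed}
    report = {
        "minimum_scope_present": MINIMUM_SCOPE in granted,
        "covered": [],      # legacy scopes fully replaced by granted granular scopes
        "partial": {},      # legacy scope -> granular scopes still absent
        "missing": [],      # no granular replacement granted at all
        "legacy_granted": sorted(granted & legacy),            # old-style names still in use
        "unexpected": sorted(granted - known - legacy),        # not in the table: review
    }
    for old, needed in LEGACY_TO_GRANULAR.items():
        absent = [s for s in needed if s not in granted]
        if not absent:
            report["covered"].append(old)
        elif len(absent) < len(needed):
            report["partial"][old] = absent
        else:
            report["missing"].append(old)
    return report


# Constructed sample: an app granted the account-level recording scope instead of
# the user-level one, and without the minimum scope.
SAMPLE_SCOPE_FIELD = (
    "meeting:read:list_meetings:admin "
    "cloud_recording:read:list_account_recordings:admin "
    "team_chat:read:list_user_channels:admin"
)

if __name__ == "__main__":
    import json
    print(json.dumps(audit_scopes(SAMPLE_SCOPE_FIELD), indent=2))
```

Scopes reported under `unexpected` are ones the table does not call for, so they are candidates for removal when keeping the app to least privilege.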
> The connector requires a minimum scope of "user:read:list_users:admin" to fetch data, and once that scope is available, it can dynamically fetch data for additional scopes.

Ok, this is good to know. I've asked IT to ensure this specific scope is enabled for my account. I tried again just in case and it's indeed failing on that initial https://api.zoom.us/v2/users?page_size=300 request:
So doesn't look like I'll be able to get the necessary scopes at the moment, so I won't be able to confirm further at this time. So perhaps we just update the docs with the new scopes you've provided? I think it would be useful to call out that the connector requires a minimum scope of user:read:list_users:admin to fetch data as well.
@moxarth-elastic FYI you can edit https://github.com/elastic/elasticsearch/edit/main/docs/reference/connector/docs/connectors-zoom.asciidoc directly now and open a PR
> @moxarth-elastic FYI you can edit https://github.com/elastic/elasticsearch/edit/main/docs/reference/connector/docs/connectors-zoom.asciidoc directly now and open a PR

Thanks! I'll raise a PR myself then 👍
> @moxarth-elastic FYI you can edit https://github.com/elastic/elasticsearch/edit/main/docs/reference/connector/docs/connectors-zoom.asciidoc directly now and open a PR

@leemthompo I've updated the doc, here is the PR: https://github.com/elastic/elasticsearch/pull/113994. Could you please check the CI?
@spong Doc PR is merged so closing this issue, feel free to open the issue in case of any queries.
@moxarth-elastic there was an open question about how far that update should be backported
> @moxarth-elastic there was an open question about how far that update should be backported

Yes, here is the answer for that comment - https://github.com/elastic/elasticsearch/pull/113994#issuecomment-2398888726.