elastic / connectors

Source code for all Elastic connectors, developed by the Search team at Elastic, and home of our Python connector development framework
https://www.elastic.co/guide/en/enterprise-search/master/index.html

[Zoom] OAuth scopes in documentation do not match latest available scopes provided by Zoom #2818

Open spong opened 2 weeks ago

spong commented 2 weeks ago

Bug Description

In setting up the Zoom connector to test with the latest Security Assistant Knowledge Base features, it was noted that the scopes detailed in the Zoom connector documentation do not match any of the available scopes provided by Zoom.

Looking through the Zoom OAuth Scopes documentation, as far as I can tell this isn't a privilege issue on my end, but perhaps a compatibility change with the introduction of granular and optional scopes on 21-MAR-2024.

The required OAuth scopes detailed in our documentation are as follows:

user:read:admin
meeting:read:admin
chat_channel:read:admin
recording:read:admin
chat_message:read:admin
report:read:admin

And searching for any of these scopes in the Add Scopes interface when setting up your Zoom app will return no matches. E.g.

In going through all the scopes, the below are the best matches I could find to those recommended in the docs:

After completing the App configuration and activating the app, I created the Zoom connector in Kibana and while the sync was successful, it failed to sync any data. This is the output from the connector logs:

To Reproduce

Steps to reproduce the behavior:

  1. Create Server-To-Server OAuth Zoom App as detailed in the Zoom connector docs
  2. Take note that Scopes are different than detailed in docs, and select nearest matching scopes
  3. Activate Zoom app, and install Zoom connector
  4. Take note that no data is synced

Expected behavior

Environment

Running Kibana/ES/Connectors from source, on main branch.

moxarth-elastic commented 3 days ago

Hi @spong,

While creating the new Server-to-Server OAuth application permission, we now need to select the granular permissions https://developers.zoom.us/docs/integrations/oauth-scopes-overview/.

Here are the new permissions that you can use in place of the old ones:

| Old permissions (scopes) | New permissions (granular scopes) |
| --- | --- |
| user:read:admin | user:read:list_users:admin |
| meeting:read:admin | meeting:read:list_meetings:admin, meeting:read:list_past_participants:admin |
| recording:read:admin | cloud_recording:read:list_user_recordings:admin |
| chat_channel:read:admin | team_chat:read:list_user_channels:admin |
| chat_message:read:admin | team_chat:read:list_user_messages:admin |

spong commented 1 day ago

Thank you @moxarth-elastic -- I will give this a try later this week and report back 👍

spong commented 1 day ago

So yeah, looks like my developer account does not have access to those scopes:

I didn't see anywhere in the zoom docs where it mentions their admin features for limiting scopes of app developers. I will check with IT and see what they have to say on their end. With the scopes I currently have there's not much I can do with the connector unfortunately 😔

I do have access to cloud_recording:read:list_account_recordings:admin vs cloud_recording:read:list_user_recordings:admin, so maybe I can at least sync recording information? Will the connector pull data for whatever scopes it has access to, or is its syncing hardcoded and reliant on these exact scopes?


Either way, we'll need to update the docs with the above granular scopes. Do we need to create another issue for that, or is that change made in the connectors repo?

moxarth-elastic commented 16 hours ago

> So yeah, looks like my developer account does not have access to those scopes: I didn't see anywhere in the zoom docs where it mentions their admin features for limiting scopes of app developers. I will check with IT and see what they have to say on their end. With the scopes I currently have there's not much I can do with the connector unfortunately 😔

Seems like you don't have enough permissions to view these permissions; refer to this for more info: https://developers.zoom.us/docs/internal-apps/#enable-the-server-to-server-oauth-role

> I do have access to cloud_recording:read:list_account_recordings:admin vs cloud_recording:read:list_user_recordings:admin, so maybe I can at least sync recording information?

I think you should give it a try, since we didn't have a Pro account to test this. Apart from recordings, other objects are fetched and ingested successfully with the above-mentioned permissions.

> Will the connector pull data for whatever scopes it has access to, or is its syncing hardcoded and reliant on these exact scopes?

The connector requires a minimum scope of "user:read:list_users:admin" to fetch data, and once that scope is available, it can dynamically fetch data for additional scopes.

> Either way, we'll need to update the docs with the above granular scopes. Do we need to create another issue for that, or is that change made in the connectors repo?

The doc changes are yet to be done; once you verify the permissions from your end, we can ask @leemthompo to update the documentation.
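
Added example (not part of the thread and not the connector's own code): a pre-flight check that compares the scopes actually granted to a Server-to-Server OAuth token with the granular scopes listed in this thread, and flags grants outside that list for least-privilege review. It assumes the token response is JSON carrying a space-separated `scope` string; `audit_token_scopes` and `SAMPLE_TOKEN_RESPONSE` are hypothetical names, and the sample response is constructed.

```python
import json

# Old -> granular scope mapping, copied from the table in this thread.
GRANULAR_SCOPES = {
    "user:read:admin": ["user:read:list_users:admin"],
    "meeting:read:admin": ["meeting:read:list_meetings:admin",
                           "meeting:read:list_past_participants:admin"],
    "recording:read:admin": ["cloud_recording:read:list_user_recordings:admin"],
    "chat_channel:read:admin": ["team_chat:read:list_user_channels:admin"],
    "chat_message:read:admin": ["team_chat:read:list_user_messages:admin"],
}
# Scope the thread names as the minimum needed before any data is fetched.
MINIMUM_SCOPE = "user:read:list_users:admin"

# Constructed token response: some granular scopes granted, the minimum one missing.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "PLACEHOLDER",
    "token_type": "bearer",
    "scope": "meeting:read:list_meetings:admin "
             "cloud_recording:read:list_account_recordings:admin "
             "team_chat:read:list_user_channels:admin",
})


def audit_token_scopes(token_response: str) -> dict:
    """Report which scopes from the thread's list the token holds or lacks."""
    granted = set(json.loads(token_response).get("scope", "").split())
    expected = {s for new in GRANULAR_SCOPES.values() for s in new}
    legacy_names = set(GRANULAR_SCOPES)
    coverage = {}
    for old, new in GRANULAR_SCOPES.items():
        missing = [s for s in new if s not in granted]
        coverage[old] = "ok" if not missing else "missing: " + ", ".join(missing)
    return {
        "can_sync": MINIMUM_SCOPE in granted,          # nothing syncs without it
        "coverage": coverage,                          # per old scope name
        "legacy": sorted(granted & legacy_names),      # pre-granular names still granted
        "unexpected": sorted(granted - expected - legacy_names),  # review these grants
    }


if __name__ == "__main__":
    print(json.dumps(audit_token_scopes(SAMPLE_TOKEN_RESPONSE), indent=2))
```
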

spong commented 6 hours ago

> The connector requires a minimum scope of "user:read:list_users:admin" to fetch data, and once that scope is available, it can dynamically fetch data for additional scopes.

Ok, this is good to know. I've asked IT to ensure this specific scope is enabled for my account. I tried again just in case and it's indeed failing on that initial https://api.zoom.us/v2/users?page_size=300 request:
