Unable to decrypt Zoom AppContext - InvalidTag Error


We have a Zoom in-client app, and as part of it we are trying to decode a (URL-safe) Base64-encoded Zoom AppContext in the backend to identify the user. I’m getting an error when decrypting the Zoom App token in the backend. Logic & sample code is below:

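    # Imports used by the two methods below (`settings` is the project's own config object)
    import base64
    import json

    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    from cryptography.hazmat.primitives.kdf.hkdf import HKDF

    def decode_base64url(self, input_str):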
        # Replace base64url characters with base64 equivalents
        input_str = input_str.replace('-', '+').replace('_', '/')
        # Pad with '=' to make the length a multiple of 4
        padding = len(input_str) % 4
        if padding > 0:
            input_str += '=' * (4 - padding)
        return base64.b64decode(input_str)


    def decrypt_zoom_app_context(self, context, secret_key=None):
        client_secret = settings.ZOOM_PLUGIN.get('SPEAKER').get('CLIENT_SECRET')
        context_bytes = self.decode_base64url(context)

        iv_length = context_bytes[0]

        iv = context_bytes[1:1 + iv_length]
        aad_length = int.from_bytes(context_bytes[1 + iv_length:3 + iv_length], byteorder='little')

        aad = context_bytes[3 + iv_length:3 + iv_length + aad_length]
        cipher_length = int.from_bytes(context_bytes[3 + iv_length + aad_length:7 + iv_length + aad_length], byteorder='little')

        cipher_text = context_bytes[7 + iv_length + aad_length:7 + iv_length + aad_length + cipher_length]
        tag = context_bytes[7 + iv_length + aad_length + cipher_length:]

        derive = HKDF(
            algorithm=hashes.SHA256(),
            length=32,
            salt=None,
            info=b'handshake data',
            backend=default_backend()
        )
        key = derive.derive(client_secret.encode())
        # Setup cipher
        cipher = Cipher(
            algorithms.AES(key),
            modes.GCM(iv, tag),
            backend=default_backend()
        )
        decryptor = cipher.decryptor()

        decryptor.authenticate_additional_data(aad)
        # decrypted = decryptor.update(cipher_text)
        decrypted = decryptor.update(cipher_text) + decryptor.finalize()

        return json.loads(decrypted.decode('utf-8'))

I’m getting the below error in decryptor.finalize()

        decrypted = decryptor.update(cipher_text) + decryptor.finalize()
                                                    ^^^^^^^^^^^^^^^^^^^^
      File "/Users/arvind/venv/lib/python3.11/site-packages/cryptography/hazmat/primitives/ciphers/base.py", line 229, in finalize
        data = self._ctx.finalize()
               ^^^^^^^^^^^^^^^^^^^^
      File "/Users/arvind/venv/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/ciphers.py", line 200, in finalize
        raise InvalidTag
    cryptography.exceptions.InvalidTag

Any help to identify the cause of InvalidTag Exception & move forward will help. Thanks

The intermediate debugging values look reasonable, i.e. the iv has length 12, the AAD is 0 length, the cipher is 216 chars & the tag 16 chars. The Base64-encoded input was 335 in length, with the decoded one 251.

To help reproduce, one can call decrypt_zoom_app_context with this value I got from Zoom below:

DGXwvj7p0Xbh7brIgAAA2AAAAEikLl9deBnPNlaABm9UNSyNOQttdQ9Lr9Nw9XDbhX09MtgaO_jAZkObkQDwjb13y-fB75FksOvhWJlKA_jiH5zq18Q4jrNUYigklz_syAKMDTu_k5L1eDRX_iMgjfAiIIh8r9uwzZp_oqIdiqEHYpm-8EF74B88Dnjx-lDmarqvz8dwi5RvajwqdQJVXDRqVNCOGz9JR90r1Fw75I9AKNDCOw7KeLja96ofIlA3f3tEbAU7ozDBQ63uosCaoqoU0lLi8sb8sRxRdQLaKHgZokyLewHLRNBeuEv_oQLQO6Qvtp8659xPo84

There are 0 answers
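
The following is an added example, not part of the original question and not Zoom's code: a bounds-checked parser for the packed layout used above, with two key derivations side by side so a parsing fault can be told apart from a key mismatch, both of which surface only as `InvalidTag`. It assumes the AES-256 key is the plain SHA-256 digest of the client secret rather than an HKDF output; `unpack_context`, `key_sha256`, `key_hkdf`, `decrypt_context`, `pack_context` and `SAMPLE` are hypothetical names, and `SAMPLE` is constructed data, not a real token.

```python
import base64
import hashlib
import hmac
import json
import struct

def unpack_context(token: str) -> dict:
    """Split a packed context into iv, aad, ciphertext, tag; reject bad lengths."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    pos, out = 0, {}
    # Layout from the question: 1-byte iv length, 2-byte LE aad length, 4-byte LE cipher length.
    for name, fmt in (("iv", "<B"), ("aad", "<H"), ("ciphertext", "<I")):
        size = struct.calcsize(fmt)
        if pos + size > len(raw):
            raise ValueError(f"truncated before {name} length")
        (n,) = struct.unpack_from(fmt, raw, pos)
        pos += size
        if pos + n > len(raw):
            raise ValueError(f"{name} length {n} exceeds remaining input")
        out[name], pos = raw[pos:pos + n], pos + n
    out["tag"] = raw[pos:]
    if len(out["tag"]) != 16:  # tag size reported in the question
        raise ValueError(f"expected 16-byte GCM tag, got {len(out['tag'])}")
    return out

def key_sha256(secret: str) -> bytes:
    # Assumption: the AES-256 key is the plain SHA-256 digest of the client secret.
    return hashlib.sha256(secret.encode()).digest()

def key_hkdf(secret: str, info: bytes = b"handshake data") -> bytes:
    # Equivalent of the question's HKDF(SHA256, length=32, salt=None, info=...), per RFC 5869.
    prk = hmac.new(b"\x00" * 32, secret.encode(), hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def decrypt_context(token: str, secret: str, derive=key_sha256) -> dict:
    # Imported here so the parser above works without the `cryptography` package.
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    p = unpack_context(token)
    # AESGCM.decrypt takes ciphertext || tag and raises InvalidTag on any key, iv, aad or data mismatch.
    plain = AESGCM(derive(secret)).decrypt(p["iv"], p["ciphertext"] + p["tag"], p["aad"])
    return json.loads(plain)

def pack_context(iv: bytes, aad: bytes, ciphertext: bytes, tag: bytes) -> str:
    """Inverse of unpack_context, used only to build constructed test input."""
    raw = (struct.pack("<B", len(iv)) + iv + struct.pack("<H", len(aad)) + aad
           + struct.pack("<I", len(ciphertext)) + ciphertext + tag)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample with the sizes reported in the question (not a real token).
SAMPLE = pack_context(bytes(12), b"", b"\xaa" * 216, b"\xbb" * 16)
```

If `unpack_context` accepts a token and `decrypt_context` succeeds with one derivation but raises `InvalidTag` with the other, the mismatch is in the key derivation and not in the field offsets.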