Incremental Authorization

Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that lets a client request specific authorization scopes only when they are needed. The client does not have to request every scope it might ever need up front, which would otherwise confront the user with a long consent screen and grant the application more access than it currently uses. Incremental authorization is considered a best practice for OAuth authorization requests because:
  • Users are not overloaded with scopes at the initial sign-in
  • Users control how much data they share, and the application holds only the access it has actually needed so far

Who can use Incremental Authorization?

Server-based (confidential) applications can make use of incremental authorization. The initiation request in Step 1 below carries the client secret, so it must be sent from the application's backend, never from a browser or mobile client where the secret would be exposed.

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions it needs. As the user engages with the application, they may trigger features that require additional permissions. When the application identifies this, it follows the steps below:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request obtains a scope enhancement token, which is short-lived (the response carries an expires_in value) and is required for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, uses a custom in-house marketing tool that integrates with Zoho CRM. Initially, the tool has permission only to read Leads in Zoho CRM. As the marketing team expands its operations, it needs to create new Contacts from sign-ups and retrieve existing Deals data for analysis. The tool is then revamped to create Contacts and view Deals data.
When a marketer who uses the tool tries to create a Contact for the first time, the tool's backend starts the incremental authorization flow. The marketer is redirected to the Zoho login page and, once logged in, is prompted to grant access to the new resources only. This enhances the existing refresh token, and the tool continues using that same refresh token.

Scenario 2

Consider that you want to use a new Zoho CRM API that was just released as part of a version release. Your refresh token does not have the scope required to access the new API. You can use incremental authorization to append the required scope to the same refresh token instead of re-running the full authorization flow.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, send a request to obtain the scope enhancement token, passing the refresh token to which the extra access should be added. This request carries the client secret and must be made server-to-server.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
Send the initiation request with the parameters below. All parameters are mandatory.
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response is passed as the enhance_token parameter in the next step, the scope enhancement request. It expires after the number of seconds given in expires_in (600 in the example above), so the application should send the user to Step 2 promptly and repeat Step 1 if the token has expired.

Step 2: Scope enhancement request

This request is made from the user's browser (a GET that the application redirects the user to) and appends the additional scopes to the refresh token once the user consents.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri: Specify the URI to which the authorization server will redirect the browser back with the success or failure response. It must exactly match the URI provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When the application redirects the user to this URL, the user is taken to the Zoho login page and enters their Zoho credentials. Once the user is authenticated, the permissions being requested are displayed.
When the user grants permission, the additional scopes are appended to the refresh token and the browser is redirected to the redirect_uri with the parameters status=success and scope_enhanced=true; the application continues using the same refresh token. If the user denies the request, the browser is redirected to the redirect_uri with the parameter error=access_denied. The documented callback carries no identifier tying it to a particular request, so the application should record the pending enhancement (which user, which refresh token, which scopes) in its own server-side session state before redirecting, and treat a callback that does not match a pending request as invalid.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied
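The following is an added example, not Zoho's own code or an official SDK, showing how a backend application can drive both steps above: it builds the Step 1 POST body, checks the documented response shape and expiry, builds the Step 2 consent URL for the browser redirect, and classifies the callback. The endpoint paths, parameter names and response fields are taken from this post; the accounts URL, client credentials, token values, scope strings and the fake_zoho_post transport are constructed so that the example runs offline.

```python
# Added example (not Zoho's code): a minimal server-side helper for the two-step
# incremental authorization flow. Endpoint paths, parameter names and response
# shapes follow the post; the accounts URL, all token values, scope strings and
# the fake_zoho_post transport are constructed for offline use.
import time
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlparse

SCOPE_ENHANCE_PATH = "/oauth/v2/token/scopeenhance"     # Step 1 (POST, server-side)
ADD_EXTRA_SCOPE_PATH = "/oauth/v2/token/addextrascope"  # Step 2 (GET, user's browser)


@dataclass
class PendingEnhancement:
    """Scope enhancement token from Step 1 and the time it stops being usable."""
    enhance_token: str
    expires_at: float


class IncrementalAuthClient:
    def __init__(self, accounts_url: str, client_id: str, client_secret: str,
                 redirect_uri: str, post: Callable[[str, Dict[str, str]], Dict],
                 now: Callable[[], float] = time.time) -> None:
        self.accounts_url = accounts_url.rstrip("/")
        self.client_id = client_id
        self.client_secret = client_secret  # confidential client: never ships to a browser
        self.redirect_uri = redirect_uri
        self._post = post  # injected HTTP POST so the example needs no network
        self._now = now

    def request_enhance_token(self, refresh_token: str) -> PendingEnhancement:
        """Step 1: trade the refresh token for a short-lived scope enhancement token."""
        body = {
            "grant_type": "update_scopes_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": refresh_token,
        }
        resp = self._post(self.accounts_url + SCOPE_ENHANCE_PATH, body)
        if resp.get("token_type") != "update_scope" or not resp.get("access_token"):
            raise ValueError(f"unexpected scope enhancement response: {resp}")
        return PendingEnhancement(resp["access_token"],
                                  self._now() + float(resp.get("expires_in", 0)))

    def consent_url(self, pending: PendingEnhancement, scopes: str,
                    logout: bool = False) -> str:
        """Step 2: build the URL the user's browser is redirected to for consent."""
        if self._now() >= pending.expires_at:
            raise ValueError("scope enhancement token expired; repeat Step 1")
        params = {
            "response_type": "update_scopes",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": scopes,
            "enhance_token": pending.enhance_token,
        }
        if logout:
            params["logout"] = "true"
        return f"{self.accounts_url}{ADD_EXTRA_SCOPE_PATH}?{urlencode(params)}"

    def parse_callback(self, callback_url: str) -> str:
        """Classify the redirect back from Zoho as 'success' or 'access_denied'.

        The callback must land on the registered redirect_uri; anything else, or an
        unknown combination of parameters, is rejected rather than guessed at.
        """
        got, want = urlparse(callback_url), urlparse(self.redirect_uri)
        if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
            raise ValueError("callback did not arrive on the registered redirect_uri")
        q = {k: v[-1] for k, v in parse_qs(got.query).items()}
        if q.get("status") == "success" and q.get("scope_enhanced") == "true":
            return "success"
        if q.get("error") == "access_denied":
            return "access_denied"
        raise ValueError(f"unrecognised callback parameters: {q}")


# Constructed stand-in for the Zoho accounts server (offline only).
def fake_zoho_post(url: str, body: Dict[str, str]) -> Dict:
    """Returns the Step 1 response documented in the post for one known refresh token."""
    assert url.endswith(SCOPE_ENHANCE_PATH) and body["grant_type"] == "update_scopes_token"
    if body["refresh_token"] != "1000.rt.example":
        raise RuntimeError("unknown refresh token (constructed fake server)")
    return {"access_token": "1000.se.example", "token_type": "update_scope", "expires_in": 600}


def demo(callback_url: str) -> Dict[str, str]:
    """Run both steps against the fake transport and classify a constructed callback."""
    client = IncrementalAuthClient("https://accounts.zoho.example", "1000.CLIENTID",
                                   "client-secret", "https://app.example/oauth/cb",
                                   post=fake_zoho_post)
    pending = client.request_enhance_token("1000.rt.example")
    # Scope strings are illustrative; use the scopes listed in the API console.
    url = client.consent_url(pending, "ZohoCRM.modules.contacts.CREATE,ZohoCRM.modules.deals.READ")
    return {"consent_url": url, "result": client.parse_callback(callback_url)}


if __name__ == "__main__":
    print(demo("https://app.example/oauth/cb?status=success&scope_enhanced=true"))
```

In a real deployment, replace fake_zoho_post with an HTTPS POST to the accounts URL for your data center, store the PendingEnhancement together with the user's session before issuing the redirect, and only accept a callback for a session that has a pending enhancement recorded.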

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!