Kaizen #3 - Scopes in OAuth2.0 Authorization #API

Kaizen #3 - Scopes in OAuth2.0 Authorization #API

Hello Everyone!

Welcome to another week of Kaizen. We hope you find this series of posts useful. Please share your feedback in the comments section and keep the discussion going. 

In the last kaizen post, we discussed the OAuth2.0 protocol and Self Client. There are two types of clients in OAuth 2.0—self client and web-based applications. 

What you will learn from this post?

In this post, we are going to explore different facets of "Scopes in OAuth2.0 Authorization" in detail. Towards the end of this post, we will see various errors related to scopes, and how you can handle them. 

Role of scopes in OAuth2.0

To use the Zoho CRM APIs, you must authenticate the client(either self client or web-based application) to make API calls on your behalf with an access token. 

The access token, in return, must be obtained from a grant token (authorization code).

Zoho CRM APIs grant access to the CRM data, only if you provide a legitimate access token.

Based on the client-type, there are two different ways to generate grant token:

a. For web-based applications

Web-based applications are chosen when it requires user intervention while authorizing your application. Now, let us see how the OAuth2.0 protocol is implemented for web-based applications.

Step 1: The web application redirects the user to the OAuth server.
Step 2: The user sees the authorization prompt and approves the app's request as shown in the below image.


Step 3: The user is redirected back to the application with an authorization code in a query  string.


Step 4: The application exchanges the authorization code for an access token.

As you can see, this involves user intervention while authorizing your application. 

In the above explanation, in Step 2, the user will authorize the set of permissions for which the token has to be generated. 


b. For self client

In our last kaizen post, in Step 5a, you must enter the set of permissions for which the token has to be generated for a self client.



These sets of permissions you define, before you generate a token are called scopes

Scopes play a major role in OAuth2.0 Authentication. It is required for both self-client and web-based applications. 




A. What is a scope in Zoho CRM?

The word scope translates to range or extent. In OAuth2.0, scopes define the liberty of a self client/ web application on a particular resource(data in Zoho CRM). The scope controls three aspects:

  • The resource to which the client application gains access. Example: Users, Modules, Files, and so on.
  • The client application.
  • The different types of operations that the client application can perform on that particular resource. Example: ALL, READ, WRITE, CREATE, UPDATE, DELETE.
B. How do scopes work?

The access and refresh tokens are generated based on the scopes you provide. 

Based on the token, the system decides whether you have access to perform a certain operation on a particular resource. Thus, there is no room left for data theft, loss, or corruption. For example, with a token that is generated just to view records, you cannot perform the update record operation.

C. Scope Format

The format to define a scope is:
scope=service_name.scope_name.operation_type

The scope consists of three components:
  • service_name - Service name will always be ZohoCRM.
  • scope_name - In scope name, mention the specific resource(data in Zoho CRM) for which the permissions are being defined. It can be settings, modules, users, org, bulk, notification, or coql.
  • operation_type - In operation type, mention what types of operations can be performed on that resource. The following table defines the different operation types in scope:
Operation Type
HTTP Method
Description
READ
GET
The user can just read the data.
CREATE
POST
The user can create records.
WRITE
POST, PUT, DELETE
The user can create, update, and delete the records.
UPDATE
PUT
The user can update the existing records.
DELETE
DELETE
The user can delete the records
ALL
GET, POST, PUT, DELETE
The user can read, create, update, and delete the records.
CUSTOM
It depends on how it is defined in the API.
User-defined, for instance, permission to send emails to leads.

Note:
  • If you give operation type as WRITE in your scope, it is implicitly understood that you are granting permission to CREATE, UPDATE, and DELETE records.
  • Similarly, if you give operation type as ALL in your scope, it is implicitly understood that you are granting permission to READ, CREATE, UPDATE, and DELETE records.
D. Types of scopes

Based on the scope and methods, scopes are broadly differentiated into two types:
  • Sub-scopes
  • Group Scopes
a. Sub-scopes

Here the permission is defined for a specific resource. For instance, if you want to define permissions for leads and contacts modules, the scopes will be:
ZohoCRM.modules.leads.ALL
ZohoCRM.modules.contacts.ALL

Format
scope=service_name.scope_name.sub_scope_name.operation_type

The following table gives you the data about the scopes and different sub scopes. Along with each sub-scope, you can view which resource it is associated with:



Scopes
Sub scopes
settings- This scope usually provides access to metadata and the information on the set-up page of Zoho CRM. 
territories - Data about Territory Management.
custom_views - Data about custom_views created by users in all the modules.
related_lists - Data about related_lists.
modules - Metadata of all the modules.
variables - Data about CRM Variables.
tags - Data about tags.
tab_groups - Data about the tab groups in Zoho CRM.
fields - Data about fields in all the modules.
layouts - Data about layouts in all the modules.
macros - Data about macros operations.
custom_links - Data about the custom links.
custom_buttons - Data about the custom buttons.
roles - Data about roles in your organization.
profiles - Data about profiles in your organization.
organization - Data about your organization.

modules- This scope gives access to all the modules in Zoho CRM.
approvals - Data in the 'My Jobs' tab.
leads
accounts
contacts
deals
campaigns
tasks - Part of the 'Activities' module.
cases
events - Part of the 'Activities' module.
calls - Part of the 'Activities' module.
solutions
products
vendors
pricebooks
quotes
salesorders
purchaseorders
invoices
custom - Scopes cannot be configured for individual custom modules. Use this method for all custom modules.
dashboard - Data on the dashboard page.
notes - Data about notes in each record.
activities - Data about events, calls, and tasks.
Apart from the above two, other scopes are– 
  • users - Data about individual users in Zoho CRM. For more information, refer to Users API.
  • org - Data about your organization. For more information, refer to Organization API.
  • bulk - Permissions to perform bulk operations. For more information, refer to Bulk API.
  • notification - Permissions to send/receive instant notifications of actions performed on a module. For more information, refer to Notification API.
  • coql - Permissions to write your queries. For more information, refer to Query API.
b. Group Scopes

Format
scope=service_name.scope_name.operation_type

Imagine that you need to set permissions for all the modules. With sub-scopes, you must enter the following list of scopes—
ZohoCRM.modules.leads.ALL,ZohoCRM.modules.accounts.ALL,ZohoCRM.modules.contacts.ALL,ZohoCRM.modules.deals.ALL,ZohoCRM.modules.campaigns.ALL,ZohoCRM.modules.tasks.ALL,ZohoCRM.modules.cases.ALL,ZohoCRM.modules.events.ALL,ZohoCRM.modules.calls.ALL,ZohoCRM.modules.solutions,ZohoCRM.modules.products,ZohoCRM.modules.vendors,ZohoCRM.modules.pricebooks,ZohoCRM.modules.quotes,ZohoCRM.modules.salesorders,ZohoCRM.modules.purchaseorders,ZohoCRM.modules.invoices,ZohoCRM.modules.custom.

This is both cumbersome and exposing all these details in UI is not advisable. Thus, we came up with group scopes. With group scopes, you can define a set of permissions for a collective resource set. So, if you need to set permissions for modules, you can define the scope as:

ZohoCRM.modules.ALLThis gives the user access to perform all operations in all the modules in Zoho CRM.




E. Possible Errors

Error Code
Reason
Strategy to handle 
INVALID_SCOPE
The scope value is invalid.
Check the service name, scope name, and the sub-scope.
INVALID_OPERATION_TYPE
The operation type is invalid.
Ensure you have defined the operation type correctly. It must be either—READ, CREATE, WRITE, UPDATE, DELETE, ALL, or CUSTOM.
OAUTH_SCOPE_MISMATCH
The operation you performed does not have the required scope.
Check if the operation you are trying to perform is allowed in the scopes defined or not.

Note:

The INVALID_SCOPE and INVALID_OPERATION_SCOPE errors might be thrown while generating a grant token. The OAUTH_SCOPE_MISMATCH error might be thrown while you make an API call.

F. How to revoke access?

As mentioned earlier in this post, tokens are generated based on the scopes. 

There are two use-cases here. 

a. If you are a user who wants to revoke the access given to any web-application, then it has to be done via accounts web UI. 

To revoke the access:


Step 2: Choose 'Active Authtokens'.

Step 3: Click on 'Connected Apps'. Here you will be able to see all the active applications, click on the delete button to revoke access. 




b. If you are a client/developer, to revoke permissions for your self-client, you must revoke the access and refresh tokens.

You cannot revoke the access token as it expires after an hour of its generation.
To revoke the refresh token, make a POST request with the following URL:
"{{Accounts_URL}}/oauth/v2/token/revoke?token={refresh_token}"

Note that you must use domain-specific Zoho Accounts URL to revoke your refresh token. 

We will meet you next week with another useful topic. 

Cheers!

Previous 'Kaizen' - OAuth2.0 and Self Client #API
Next 'Kaizen' - Troubleshooting OAuth2.0




























    Access your files securely from anywhere

        Zoho Developer Community




                                  Zoho Desk Resources

                                  • Desk Community Learning Series


                                  • Digest


                                  • Functions


                                  • Meetups


                                  • Kbase


                                  • Resources


                                  • Glossary


                                  • Desk Marketplace


                                  • MVP Corner


                                  • Word of the Day



                                      Zoho Marketing Automation


                                              Manage your brands on social media



                                                    Zoho TeamInbox Resources

                                                      Zoho DataPrep Resources



                                                        Zoho CRM Plus Resources

                                                          Zoho Books Resources


                                                            Zoho Subscriptions Resources

                                                              Zoho Projects Resources


                                                                Zoho Sprints Resources


                                                                  Qntrl Resources


                                                                    Zoho Creator Resources



                                                                        Zoho Campaigns Resources


                                                                          Zoho CRM Resources

                                                                          • CRM Community Learning Series

                                                                            CRM Community Learning Series


                                                                          • Kaizen

                                                                            Kaizen

                                                                          • Functions

                                                                            Functions

                                                                          • Meetups

                                                                            Meetups

                                                                          • Kbase

                                                                            Kbase

                                                                          • Resources

                                                                            Resources

                                                                          • Digest

                                                                            Digest

                                                                          • CRM Marketplace

                                                                            CRM Marketplace

                                                                          • MVP Corner

                                                                            MVP Corner





                                                                              Design. Discuss. Deliver.

                                                                              Create visually engaging stories with Zoho Show.

                                                                              Get Started Now