Kaizen #3 - Scopes in OAuth2.0 Authorization #API
Hello Everyone!
Welcome to another week of Kaizen. We hope you find this series of posts useful. Please share your feedback in the comments section and keep the discussion going.
In the last kaizen post, we discussed the OAuth2.0 protocol and Self Client. There are two types of clients in OAuth 2.0—self client and web-based applications.
What you will learn from this post?
In this post, we are going to explore different facets of "Scopes in OAuth2.0 Authorization" in detail. Towards the end of this post, we will see various errors related to scopes, and how you can handle them.
Role of scopes in OAuth2.0
To use the Zoho CRM APIs, you must authenticate the client(either self client or web-based application) to make API calls on your behalf with an access token.
The access token, in return, must be obtained from a grant token (authorization code).
Zoho CRM APIs grant access to the CRM data, only if you provide a legitimate access token.
Based on the client-type, there are two different ways to generate grant token:
a. For web-based applications
Web-based applications are chosen when it requires user intervention while authorizing your application. Now, let us see how the OAuth2.0 protocol is implemented for web-based applications.
Step 1: The web application redirects the user to the OAuth server.
Step 2: The user sees the authorization prompt and approves the app's request as shown in the below image.
Step 3: The user is redirected back to the application with an authorization code in a query string.
Step 4: The application exchanges the authorization code for an access token.
As you can see, this involves user intervention while authorizing your application.
In the above explanation, in Step 2, the user will authorize the set of permissions for which the token has to be generated.
b. For self client
In our last kaizen post, in Step 5a, you must enter the set of permissions for which the token has to be generated for a self client.
These sets of permissions you define, before you generate a token are called scopes.
Scopes play a major role in OAuth2.0 Authentication. It is required for both self-client and web-based applications.
A. What is a scope in Zoho CRM?
The word scope translates to range or extent. In OAuth2.0, scopes define the liberty of a self client/ web application on a particular resource(data in Zoho CRM). The scope controls three aspects:
- The resource to which the client application gains access. Example: Users, Modules, Files, and so on.
- The client application.
- The different types of operations that the client application can perform on that particular resource. Example: ALL, READ, WRITE, CREATE, UPDATE, DELETE.
B. How do scopes work?
The access and refresh tokens are generated based on the scopes you provide.
Based on the token, the system decides whether you have access to perform a certain operation on a particular resource. Thus, there is no room left for data theft, loss, or corruption. For example, with a token that is generated just to view records, you cannot perform the update record operation.
C. Scope Format
The format to define a scope is:
scope=service_name.scope_name.operation_type
The scope consists of three components:
- service_name - Service name will always be ZohoCRM.
- scope_name - In scope name, mention the specific resource(data in Zoho CRM) for which the permissions are being defined. It can be settings, modules, users, org, bulk, notification, or coql.
- operation_type - In operation type, mention what types of operations can be performed on that resource. The following table defines the different operation types in scope:
Operation Type | HTTP Method | Description |
READ | GET | The user can just read the data. |
CREATE | POST | The user can create records. |
WRITE | POST, PUT, DELETE | The user can create, update, and delete the records. |
UPDATE | PUT | The user can update the existing records. |
DELETE | DELETE | The user can delete the records |
ALL | GET, POST, PUT, DELETE | The user can read, create, update, and delete the records. |
CUSTOM | It depends on how it is defined in the API. | User-defined, for instance, permission to send emails to leads. |
Note:
- If you give operation type as WRITE in your scope, it is implicitly understood that you are granting permission to CREATE, UPDATE, and DELETE records.
- Similarly, if you give operation type as ALL in your scope, it is implicitly understood that you are granting permission to READ, CREATE, UPDATE, and DELETE records.
D. Types of scopes
Based on the scope and methods, scopes are broadly differentiated into two types:
- Sub-scopes
- Group Scopes
a. Sub-scopes
Here the permission is defined for a specific resource. For instance, if you want to define permissions for leads and contacts modules, the scopes will be:
ZohoCRM.modules.leads.ALL
ZohoCRM.modules.contacts.ALL
Format
scope=service_name.scope_name.sub_scope_name.operation_type
The following table gives you the data about the scopes and different sub scopes. Along with each sub-scope, you can view which resource it is associated with:
Scopes | Sub scopes |
settings- This scope usually provides access to metadata and the information on the set-up page of Zoho CRM. | territories - Data about Territory Management. custom_views - Data about custom_views created by users in all the modules. related_lists - Data about related_lists. modules - Metadata of all the modules. variables - Data about CRM Variables. tags - Data about tags. tab_groups - Data about the tab groups in Zoho CRM. fields - Data about fields in all the modules. layouts - Data about layouts in all the modules. macros - Data about macros operations. custom_links - Data about the custom links. custom_buttons - Data about the custom buttons. roles - Data about roles in your organization. profiles - Data about profiles in your organization. organization - Data about your organization. |
modules- This scope gives access to all the modules in Zoho CRM. | approvals - Data in the 'My Jobs' tab. leads accounts contacts deals campaigns tasks - Part of the 'Activities' module. cases events - Part of the 'Activities' module. calls - Part of the 'Activities' module. solutions products vendors pricebooks quotes salesorders purchaseorders invoices custom - Scopes cannot be configured for individual custom modules. Use this method for all custom modules. dashboard - Data on the dashboard page. notes - Data about notes in each record. activities - Data about events, calls, and tasks. |
Apart from the above two, other scopes are–
- users - Data about individual users in Zoho CRM. For more information, refer to Users API.
- org - Data about your organization. For more information, refer to Organization API.
- bulk - Permissions to perform bulk operations. For more information, refer to Bulk API.
- notification - Permissions to send/receive instant notifications of actions performed on a module. For more information, refer to Notification API.
- coql - Permissions to write your queries. For more information, refer to Query API.
b. Group Scopes
Format
scope=service_name.scope_name.operation_type
Imagine that you need to set permissions for all the modules. With sub-scopes, you must enter the following list of scopes—
ZohoCRM.modules.leads.ALL,ZohoCRM.modules.accounts.ALL,ZohoCRM.modules.contacts.ALL,ZohoCRM.modules.deals.ALL,ZohoCRM.modules.campaigns.ALL,ZohoCRM.modules.tasks.ALL,ZohoCRM.modules.cases.ALL,ZohoCRM.modules.events.ALL,ZohoCRM.modules.calls.ALL,ZohoCRM.modules.solutions,ZohoCRM.modules.products,ZohoCRM.modules.vendors,ZohoCRM.modules.pricebooks,ZohoCRM.modules.quotes,ZohoCRM.modules.salesorders,ZohoCRM.modules.purchaseorders,ZohoCRM.modules.invoices,ZohoCRM.modules.custom.
This is both cumbersome and exposing all these details in UI is not advisable. Thus, we came up with group scopes. With group scopes, you can define a set of permissions for a collective resource set. So, if you need to set permissions for modules, you can define the scope as:
ZohoCRM.modules.ALL—This gives the user access to perform all operations in all the modules in Zoho CRM.
E. Possible Errors
Error Code | Reason | Strategy to handle |
INVALID_SCOPE | The scope value is invalid. | Check the service name, scope name, and the sub-scope. |
INVALID_OPERATION_TYPE | The operation type is invalid. | Ensure you have defined the operation type correctly. It must be either—READ, CREATE, WRITE, UPDATE, DELETE, ALL, or CUSTOM. |
OAUTH_SCOPE_MISMATCH | The operation you performed does not have the required scope. | Check if the operation you are trying to perform is allowed in the scopes defined or not. |
Note:
The INVALID_SCOPE and INVALID_OPERATION_SCOPE errors might be thrown while generating a grant token. The OAUTH_SCOPE_MISMATCH error might be thrown while you make an API call.
F. How to revoke access?
As mentioned earlier in this post, tokens are generated based on the scopes.
There are two use-cases here.
a. If you are a user who wants to revoke the access given to any web-application, then it has to be done via accounts web UI.
To revoke the access:
Step 1: Goto https://www.accounts.zoho.com.
Step 2: Choose 'Active Authtokens'.
Step 3: Click on 'Connected Apps'. Here you will be able to see all the active applications, click on the delete button to revoke access.
b. If you are a client/developer, to revoke permissions for your self-client, you must revoke the access and refresh tokens.
You cannot revoke the access token as it expires after an hour of its generation.
To revoke the refresh token, make a POST request with the following URL:
"{{Accounts_URL}}/oauth/v2/token/revoke?token={refresh_token}"
Note that you must use domain-specific Zoho Accounts URL to revoke your refresh token.
We will meet you next week with another useful topic.
Cheers!
Previous 'Kaizen' - OAuth2.0 and Self Client #API
Next 'Kaizen' - Troubleshooting OAuth2.0
Access your files securely from anywhere
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Sneha Sridharan
Sticky Posts
Client Script | Update - Introducing Commands in Client Script!
Have you ever wished you could trigger Client Script from contexts other than just the supported pages and events? Have you ever wanted to leverage the advantage of Client Script at your finger tip? Discover the power of Client Script - Commands! CommandsKaizen #165 : How to call Zoho CRM APIs using Client Script
Welcome back to another exciting Client Script post! In this post, we will discuss one of the most frequently asked questions: How do you call Zoho CRM APIs from Client Scripts? In this kaizen post, 1. Ways to make calls to Zoho CRM APIs using ClientKaizen#162 : Add Tags and Open Pre-filled Email Drafts via Client Scripts
Hello everyone! Welcome to another informative Kaizen post. In this post, let us see how to accomplish the following using Client Script. 1. How to auto-tag a record based on field update? 2. How to Open a pre-filled email draft This post will provideExtension Pointers - JS SDK series #4: Managing data from a widget using ZOHO.CRM.HTTP
Handling and managing the data between two applications is a major factor for an efficient business. There are a variety of ways to handle data between Zoho CRM and other third-party applications. You can use deluge CRM tasks, create connectors, use APIKaizen #152 - Client Script Support for the new Canvas Record Forms
Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho DataPrep Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho Campaigns Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Introducing automation and utility conversations in WhatsApp marketing
We’re excited to announce the addition of two new features to our WhatsApp integration: Automation and Utility conversations. These enhancements will allow you to streamline your marketing efforts and engage with your customers more effectively by automatingExtracting data from cells in zoho sheets for zoho books
I am currently uploading my bank statment in excel format to zoho workdrive. I would like flow to extract certain data and send it to zoho books. Would scripting in zoho flow be able to help me with this? By this I mean should I attempt this in zoho flowWithin the Basic KPI component in Analytics, it is impossible to set "next" day range as a filter
Hi there, I am currently setting up a deal dashboard for the Sales team. While it is possible to filter deal records to show records that were created LAST X days only, it looks like a NEXT X days Closing date filter is not available. Would it be possiblePulling Specific Products from Sales Orders in Books to a CRM Record
We currently process orders directly through our website (woocommerce) as well as through manual sales orders in zoho books. When an order comes through the website, all of the individual products from that order show up in the CRM record of that customer.Você já viu os cursos do Zoho Mind?
Pessoal, Tem uma plataforma da Zoho chamada Zoho Mind, muito interessante os cursos e vídeos tutoriais que lá possui. Para a turma do Zoho Creator, tem uma dica de Buscar dados em Formulário, segue o link e clique em Zoho Creator. https://www.zohomind.com.br/#/videostutoriaisComo gerar gatilhos para pagamento de impostos no Zoho Books?
Olá Pessoal, boa tarde! Gostaria de saber como vocês estão escriturando os impostos a pagar no Zoho Books. Vi que temos a opção de Bills, porém se eu escriturar nesta aba do Zoho Books para gerar lembretes de tempo de vencimento por exemplo vai refletirSubform Time field to string.
Good afternoon All. I have a Subform 'Delivery_Receiving_Hours' that captures Day (Dropdown), Time_Open (Time), and Time_Close (Time). I need to capture this data and send it to a multiline field in the CRM. The code, posted below, below will captureworkflow for bounced email gets triggered, but email is status = opened
Hello, I have a workflow that sends me an email if outgoing email are bounced. Now I got some kind of this emails, but the corrosponding contacts have status = open at the email. Why this bounce-workflow is triggered? Reports > Email Reports > BounceData export
I need to export our customer's data and projects' data for our purpose but am unable to export full data i only get around 3160 projects and around 2k customer can you please help me to get full data, pleaseAdjusting Physical Inventory
Not getting very far with support on this one, they say they are going to fix it but nothings happened since November. Please give this a thumbs up if you would like to see this feature or comment if you have some insight. Use Case: Inventory set to beZoho Marketing Plus : Un outil tout-en-un pour la création de pages, la collaboration et la gestion du calendrier marketing
Nous sommes ravis de vous présenter trois nouvelles fonctionnalités puissantes de Zoho Marketing Plus s’enrichit désormais d’un page web (l'éditeur de pages), qui vous permet de créer des pages attrayantes et à fort taux de conversion pour vos campagnesGrouping payments to match deposits
Is there a way to group multiple invoice payments together so they match credit card batches and grouped deposits in the bank account? Basically, we are creating invoices for each of our transactions, and applying a payment to each of the invoices. Our payments are either credit cards or checks. We want to be able to group payments together so when our bank account reflects a credit card batch made up of many transactions, or the deposit we took to the bank that has multiple checks from differentEmployees can not add some expenses suddenly
Zoho expense was working fine and whenever there was a new merchant, it would automatically add and also the same auto added in Zoho Books (due to merchant-vendor sync) untill now. From today, it is having problems in searching the existing vendors andZoho email setup in office365
When i am trying to setup zoho mail setup using my domain in office365 and it is not working and it says that we couldn't log on to the incoming (IMAP) server and please check your email address and password and try again. I was able to login using myiOS 10: Caller ID new feature?
Hi, in the update history of the iOS App (for iOS10) - v.3.2 - i found the point "caller identification" has this feature been deactivated again? i cannot find anything on my iphone on how to activate this feature. or does it just work from the beginning?Recommendations to store meeting notes for easy access from Contacts, Accounts & Deals module records?
I would like your advice on how to achieve this use case for my organization. It’s related to where/how best to store meeting notes from a conversation with Contact(s) working at an Account (Company) in the context of a Deal. The ideal solution (fromBank reconciliation. Match Transaction -filter
When matching an imported bank statement file we only get a match if it is an excact match on both amount and date. Then a suggestions comes up with a very broad selection regarding amount, and no default "between" dates. I can then go an manually adjust the filter, and have to put in from-to amounts and dates. How do I set a default from-to date? As an example, I would like the date to be +- 3 days, Thanks.Added new staff but does not appear in other organization list
Hi, I added the new staff under Sales Manager in the contacts, but it does not appear in the other organization list where I need to create a contact, and I can't select the newly added Sales ManagerIntegrating Calendly with Zoho Calendar in Zoho Mail
I moved my office into a business incubator space that uses Calendly for meeting management and events. Calendly doesn't have a integration with Zoho Calendar and vice versa. I was directed to Zapier for integration but it doesn't have an integrationMap fields from module X to a lookup field in subform in module Y
Hi there In the 1st screenshot attached, you can see a subform in myLeads module. You can see that there is a number already filled there - that is the 'Property ID' and it is a single line field. It is the 'Property ID' of an entry I have in another🎄 Jingle, Mingle, and Automate: Spread Christmas Cheer with Zoho Desk Auto-Replies! 🎄
Hello Everyone! Welcome to this week's episode of the Community Learning Series. Christmas is in the air, and I’m sure we can all feel the jingle and the mingle of the season! The folks at Zylker Techfix are no exception—they’re busy with holiday planshow to create a new line in string in Client Script?
I want to show an alert using client script, I need to add a new line in String, I assume I can use \n\n inside a string, but unfortunately it doesnt work ZDK.Client.showAlert("First Line \n\nI expect this is in second line");Surely it's time Inline editing from views
I think the first request I found for in-line editing from grids was approximately 12 years ago - that post was locked because it was suggested Zoho sheetview solved the problem. However, it's now 2024, and in-line editing from grids is just a basic expectation.Multi branding issue with sender addresses
Hello, I'm currently working on a project involving two (seperate) brands. Named 'Windeck' and 'Prolance'. They've chosen CRM Plus and I'm currently working on CRM, SalesIQ, Social and Marketing Automation. So far, I'm able to make enough separationsHow to Replace an Assessment in a Job Opening on Zoho Recruit
Hi everyone, I’m currently using Zoho Recruit and would like to replace the assessment linked to a specific job opening. I want to remove the existing assessment and add a new one. What is the best way to do this without losing any important data or affectingIs there API Doc for Zoho Survey?
Hi everyone, Is there API doc for Zoho Survey? Currently evaluating a solution - use case to automate survey administration especially for internal use. But after a brief search, I couldn't find API doc for this. So I thought I should ask here. ThanEmail Campaigns overview page is missing SENT DATE and # people sent to!
I would like to see the date the email campaign was sent, so I can understand and track when each email campaign was sent. Right now, unless you go to a contact who received a campaign, you cannot see when the campaign was sent (!!!!!!). So, if my bossSEO recommendation of H1 tag for website tittle
The exact words are “ It is good practice to place the page title inside the H1tag.” Now I already have one H1 tag on my website but it is not website tittle. In the SEO recommendation that is clear too that I have h1 tag on my page. Now I don’t knowHow to choose other payment methodes than creditcards
We have connected stripe as a payment provider in zoho books, booking, commerce and checkout. In stripe we selected al major payment methodes for Belgium (mainly bancontact). However, at checkout customers seems to have only the possibility to pay withIntroducing Zia LLM: Zoho’s in-house Generative AI solution for CRM's AI capabilities
Hello everyone, We're excited to announce the launch of our in-house Large Language Model (LLM) by Zia to power our AI offerings. What is LLM? LLM stands for Large Language Model, a powerful AI technology that processes and generates human-like text basedHow to call a Creator function which is in a different Creator application?
How to call a Creator function which is in a different Creator application?Can the code in my "Successful form submission" WF be invoked from a function?
Can "Successful form submission" be invoked from a function? Data gets into a form manually and programatically. My code in "successful form submission" is good and I want to reuse it/call it, from another function which does Insert Into How to achieveKaizen #169 - Serialization and Schema Management in Queries
Hello everyone! Welcome back to another post in the Kaizen series! In Kaizen #166, we discussed handling Variables in Queries and associating the query in Kiosk. This week, we will discuss Serialization and Schema management in Queries. Business ScenarioIntroducing Keyboard Shortcuts for Zoho CRM
Dear Customers, We're happy to introduce keyboard shortcuts for Zoho CRM features! Until now, you might have been navigating to modules manually using the mouse, and at times, it could be tedious, especially when you had to search for specific modulesFeature Request: Notebooks within notebooks (Tree-like structure)
Dear Zoho! I already migrated all my stuff from Google Keep, Im really fond of Zoho Notebook so far. One thing that could make the service much more powerful is multi-level notebooks (or tree like structure). For example, entering into Notebook namedCan't get authorization for Sandbox environment using the self client
Hello, After creating a self client, and following the client-credentials method (as it's not optimat to manually generate a code for every 10 minutes), after inputting the sandbox org id for SOID parameter, im getting the error: "error": "no_org". ForCreate landing pages from Zoho Marketing Plus
Hey everyone, Over the last few months, we've introduced various features and enhancements to bolster the marketing capabilities of Zoho Marketing Plus and make it simpler for everyone. To that end, we're excited to announce that Zoho LandingPage is nowCustom service report or Zoho forms integration
Hello, So far the experience with Zoho FSM and the integration with Books has been good, however there are limitations with service reports. As with my business, many organisations send technicians to different types of jobs that call for a differentEmail tracking subdomain
The Email Tracking configuration screen of the ZeptoMail asks for a subdomain. I have gone through the documentation but could not find more information about how that subdomain is used by ZeptoMail to track the emails. Can someone throw some light aboutChart View group X-axis values above a value
I have a data set with X values ranging from 0 up to 300-400, the Y values are an AVG of the values for the given X. I am interested in the values at the low end of the scale, say 0-10 and want the X values 10 and greater to be grouped into a single categoryNext Page