Org-specific OAuth2.0 Tokens in Zoho CRM
Hello everyone!
This post is to inform you that there is an update to the OAuth2.0 flow for CRM while generating the authorization code (grant token).
Web-based Clients
The Current Flow
- The user clicks the Login with Zoho button on any third-party app.
- The app redirects the user to the Zoho Login page, and the user enters the Zoho credentials.
- A pop-up, similar to the one below, appears asking for the user's consent that the app wants to access certain user data.
- When the user clicks the Accept button, Zoho Accounts redirects the user to the app with the authorization code (grant token) in the URL.
- Using this grant token, the app owner generates access and refresh tokens to access user's data.
- The app can use the same access and refresh token regardless of the environment (Production, Sandbox, or Developer) in which the user data is present. All the app owner has to do is change the API domain URL in the API requests.
In the current flow, the app owner can use a single access and refresh token for a user and make API calls to any environment. It is sufficient just to change the API domain URL in the API requests.
The New Flow
- The user clicks the Login with Zoho button on any third-party app.
- The app redirects the user to the Zoho Login page, and the user enters the Zoho credentials.
- A new pop-up, similar to the one below, appears to ask the user to choose the environment-specific org, such as Production, Sandbox, or Developer, whose data the app can access.
- The user selects one of the orgs from the available ones and clicks Submit.
- Zoho Accounts now takes the user to the consent page that displays the chosen org and the data (scope) that the app wants to access.
- When the user clicks Accept, Zoho Accounts redirects the user to the app with the authorization code in the URL.
- Using this grant token, the app owner generates access and refresh tokens to access user data specific to the environment.
In this flow, the user can choose to grant access to the application only to a particular org (either in the Production, Sandbox, or Developer instance of CRM). Therefore, the access and refresh token generated for a user becomes org-specific in an environment. For instance, the app cannot use tokens generated for an org in the Production environment to make API calls to the orgs in the sandbox or developer accounts.
Self Clients
The Current Flow
- Go to Zoho developer console.
- Choose your self client.
- Enter the scope, choose the time duration the authorization code is valid for, and enter a description.
- Click Create.
- The authorization code will be displayed.
- Use this code to generate access and refresh tokens.
Here, you can use the same access and refresh tokens to make API calls irrespective of the org or the environment. You must only change the API domain URL.
The New Flow
- Go to Zoho developer console.
- Choose your self client.
- Enter the scope, choose the time duration the authorization code is valid for, and enter a description.
- Click Create. A pop up displays the list of portals as shown below.
- Choose a portal. This displays the list of environments and different orgs under each environment.
- Select the org in an environment you want to generate the authorization code for.
- Click Generate. The authorization code will be displayed.
In this flow, the access and refresh tokens are specific to only the org and the environment they were generated for. You cannot use the org-specific tokens in an environment to make calls to another org in an environment.
Why are we making this change?
Increased security and restricted data access.
In this flow, the user can grant access to the app only to a particular org in an environment. Therefore, when the access token is breached, the data in the orgs under other environments are still safe.
Who should be concerned?
The application owners who use the same access and refresh tokens to make API calls to more than one environment, must ensure to use tokens specific to the org and the environment they were generated for.
This update will be opened to customers in phases from today (May 07, 2020).
Write to us at support@zohocrm.com if you have any questions.
Cheers!
Shylaja
Zoho CRM
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Shylaja S
Marco Carolli
Christopher Clement Soris J
Krunal Panchal
Praveen Sankar
Sticky Posts
Extension pointers for integrating Zoho CRM with Zoho products #8: Upload and manage Zoho Workdrive folders and files from within Zoho CRM
Keeping records on your customers and business prospects is essential for tracking data, conducting follow-ups, and running a business smoothly. When you use two separate applications, and store relevant data in each, checking and tracking data becomesExtension pointers: Handle cases with personalized solutions using custom actions
In our last post, we detailed the steps involved in creating a custom action and the workflow from the developer and end user's side. Now let's look at a working example of how we can create a custom action and implement it in a Zoho CRM account to makeExtension pointers - Simple yet significant pointers #13: On change of field value for CRM variables
CRM variables provide global access to a variable across an entire extension. They also help in the storage of user-specific data provided by the user at the time of installation, which can later be fetched to perform data functionalities. Additionally,Extension pointers: Extend end-user benefits and allow personalization by implementing extensions with custom actions
From our earlier post on custom actions, we know that we can create templated actions, share them with end users, and allow them to reuse those actions to achieve personalized outcomes. In this post, we'll look at how custom actions make it easy for usersExtension pointers - Simple yet significant pointers #12: Functions for Zoho CRM extensions
Functions are essential in achieving logical functionality for an extension. You can easily code your functions in Deluge using drag-and-drop tools to meet your requirements. How to create functions for Zoho CRM extensions in Sigma Go to Sigma and select
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho DataPrep Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho WorkDrive Resources
Zoho Campaigns Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー