Org-specific OAuth2.0 Tokens in Zoho CRM

Org-specific OAuth2.0 Tokens in Zoho CRM

Hello everyone!

This post is to inform you that there is an update to the OAuth2.0 flow for CRM while generating the authorization code (grant token).

Web-based Clients
The Current Flow
  1. The user clicks the Login with Zoho button on any third-party app.
  2. The app redirects the user to the Zoho Login page, and the user enters the Zoho credentials.
  3. A pop-up, similar to the one below, appears asking for the user's consent that the app wants to access certain user data.
  4. When the user clicks the Accept button, Zoho Accounts redirects the user to the app with the authorization code (grant token) in the URL.
  5. Using this grant token, the app owner generates access and refresh tokens to access user's data.
  6. The app can use the same access and refresh token regardless of the environment (Production, Sandbox, or Developer) in which the user data is present. All the app owner has to do is change the API domain URL in the API requests.

In the current flow, the app owner can use a single access and refresh token for a user and make API calls to any environment. It is sufficient just to change the API domain URL in the API requests.

The New Flow
  1. The user clicks the Login with Zoho button on any third-party app.
  2. The app redirects the user to the Zoho Login page, and the user enters the Zoho credentials.
  3. A new pop-up, similar to the one below, appears to ask the user to choose the environment-specific org, such as Production, Sandbox, or Developer, whose data the app can access.
  4. The user selects one of the orgs from the available ones and clicks Submit.
  5. Zoho Accounts now takes the user to the consent page that displays the chosen org and the data (scope) that the app wants to access.
  6. When the user clicks Accept, Zoho Accounts redirects the user to the app with the authorization code in the URL.
  7. Using this grant token, the app owner generates access and refresh tokens to access user data specific to the environment.
In this flow, the user can choose to grant access to the application only to a particular org (either in the Production, Sandbox, or Developer instance of CRM). Therefore, the access and refresh token generated for a user becomes org-specific in an environment. For instance, the app cannot use tokens generated for an org in the Production environment to make API calls to the orgs in the sandbox or developer accounts.

Self Clients

The Current Flow
  1. Go to Zoho developer console.
  2. Choose your self client.
  3. Enter the scope, choose the time duration the authorization code is valid for, and enter a description.
  4. Click Create.


  5. The authorization code will be displayed.
  6. Use this code to generate access and refresh tokens.

Here, you can use the same access and refresh tokens to make API calls irrespective of the org or the environment. You must only change the API domain URL.

The New Flow
  1. Go to Zoho developer console.
  2. Choose your self client.
  3. Enter the scope, choose the time duration the authorization code is valid for, and enter a description.
  4. Click Create. A pop up displays the list of portals as shown below.
  5. Choose a portal. This displays the list of environments and different orgs under each environment.
  6. Select the org in an environment you want to generate the authorization code for.

  7. Click Generate. The authorization code will be displayed.

In this flow, the access and refresh tokens are specific to only the org and the environment they were generated for. You cannot use the org-specific tokens in an environment to make calls to another org in an environment.

Why are we making this change?
Increased security and restricted data access.
In this flow, the user can grant access to the app only to a particular org in an environment. Therefore, when the access token is breached, the data in the orgs under other environments are still safe.

Who should be concerned?
The application owners who use the same access and refresh tokens to make API calls to more than one environment, must ensure to use tokens specific to the org and the environment they were generated for.

This update will be opened to customers in phases from today (May 07, 2020).


Write to us at support@zohocrm.com if you have any questions.

Cheers!
Shylaja
Zoho CRM









          Zoho TeamInbox Resources

            Zoho DataPrep Resources


                Zoho CRM Plus Resources

                  Zoho Books Resources


                    Zoho Subscriptions Resources

                      Zoho Desk Resources

                        Zoho Projects Resources


                          Zoho Sprints Resources


                            Zoho Orchestly Resources


                              Zoho Creator Resources


                                Zoho WorkDrive Resources




                                    Zoho Campaigns Resources

                                      Zoho CRM Resources

                                                    Design. Discuss. Deliver.

                                                    Create visually engaging stories with Zoho Show.

                                                    Get Started Now


                                                      Zoho Show Resources


                                                        Zoho Writer Writer

                                                        Get Started. Write Away!

                                                        Writer is a powerful online word processor, designed for collaborative work.

                                                                  有料プランをご利用の方