Incremental Authorization

Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!


      • Recent Topics

      • domain authentification on ovh and zoho

        I don't succeed in adding an domain authentification on ovh. Should i first create a subdomain? But this doesn't work either, ti gi ves te same screen and the next button is greyed out when adding the info received from zoho
      • Splitting a List into different rows

        I am getting a List from a for each loop. But I can't figure out how to separate each item that is separated by a comma. Example Zone 1 - Front Door,Zone 2 - Rear Door,Zone 3 - Side Door I need it too look like this: Zone 1 - Front Door Zone 2 - Rear
      • Zoho Desk iOS app update- Save drafts on the social channel tickets, send replies via blueprint transition on social tickets

        Hello everyone! In the latest iOS version(v2.9.3) of the Zoho Desk app, we have brought in support for the following features: Save drafts on social tickets Send replies to social tickets via blueprint transition. Save drafts on social tickets We can
      • Unit Conversion with Unit of Measurements for Items, has anyone successfully figured this out????

        I am currently using google sheets to break down my per cost of items I buy in bulk. We are a non-profit that creates kits and resells at the exact price we pay for the items to our customers or uses grants from the government to pay for them. I can not
      • Possible for client users to use timesheets?

        Hello, We are setting up a project where the bulk of development will be performed by subcontractors. We were thinking of setting them up as client users to have access to project information resources. Is it possible for a client user to log time against
      • Automation in Zoho Sprints

        Hi. I have a Sprints board with the following statuses: ToDo, InProgress, CodeReview, Testing, Preprod, Live When a ticket is moved from e.g. Testing to Preprod, the following tags should be modified: remove 'tested OK' remove 'ready for Preprod' add
      • Zoho Flow reads record Tag as number instead of text string. How do I change it?

        I have experience with flow and have a number of them working. This flow is supposed to add a record in a custom module when a Contact record is edited or created with a specific tag. Trigger criteria is "Tag contains 'Athlete' ". However, the flow does
      • Oops! Something went wrong. Try again later When trying to send email

        Hi, This error is appearing everytime i am trying to send an email. Oops! Something went wrong. Try again later  Please help.
      • Telephony External ID field added in CRM

        Dear All, We have an enhancement for users with telephony integrations—introducing the Telephony External ID field. Let's get into the details! What is an external ID field for telephony? External ID fields in Zoho CRM essentially hold a record's reference
      • How to Parse XML Data Returned by API?

        I have several APIs integrated with my CRM and they work great. I am having some trouble though parsing data out of a large string/array in Funtions? I need to be able to pull the DeviceId and the WebSiteDeviceName from each PanelDevice. I would appreciate
      • Deluge Script - "Mismatch of data type expression" Error When Retrieving Account ID

        Hi everyone, I'm working on a Deluge Script in Zoho Creator to create Accounts and Locations. I'm running into a "Mismatch of data type expression" error when trying to retrieve the ID of a newly created Account. Here's the relevant part of my code: accountResponse
      • Function Only Working Manually

        Good evening everyone. I have a function that creates a PDF from a Creator form. When I execute it manually it works perfectly. But when I execute it from within a On success workflow it is not working. I'll post my code below. Any ideas? //Function void
      • Elevating Email Security on Zoho Desk: DKIM Now Mandatory

        Hello Zoho Desk Users! It has been a wonderful journey with you on Zoho Desk. As we welcome 2025, we are strengthening our efforts to ensure a secure and seamless experience for you. To enhance email security, DKIM configuration will be mandatory for
      • Assistance with Code to send email on subform data

        I am trying to trigger an action off the successful submission of a form that emails the details of the subform to a distinct email. This subform is setup as another form in the app and I can get the below code to work: for each subrow in input.New_Payment_Subform
      • PDF Import

        Hi Guys, Zoho Sheet now supports file formats such as XLSX, XLS, XLSM, ODS, CSV, TSV, SXC, XLTX, and TXT. However, support for PDF files is not available yet. Adding this option would be very helpful. Thank you!
      • Credit Card Terminal for Zoho Books

        Hello, Instead of punching the credit card number manually for customer payment, do you have a third-party hardware credit card reader that works with Braintree? Thank You
      • Zoho CRM Workflow Merge Tag For a File Upload

        Hello, is there anyway to add a merge tag for a file upload field in Zoho CRM Workflow emails? I don't see it as an option in the drop down. Thanks, Hannah
      • Shared Mailbox - Mark as read for all users

        Hi all, Maybe someone can help me out. At the moment we have a shared mailbox without streams. When a users reads an mail or marks it as read other users will not see this. How can we resolve this? We now archive the mails when read and followed up. However
      • How to delete attachments form Zoho mail accounts

        I can't find a way to delete attachments from Zoho mail messages, either individually or in bulk. Searches here are providing conflicting results and often talk about workspace, whereas I am only interested in how to delete attachments that are seen with
      • Stopped getting zoho notifications in Email for Customer response to support tickets

        Hello , I stopped receiving Notifications from customer response in my company with attached to this account.
      • ChatGPT

        Hola, sabéis si además de tener la licencia de chat GPT Plus hay que comprar créditos para usar chat GPT en zoho social? Gracias
      • ZOho Recruit API hiring Pipeline

        I was wondering if it's possible to update the hiring pipeline using the API. I am messing around and I can change the status of the applications and it shows the application as rejected but the pipeline stay's at the stage that applicant was at. Also
      • Lost the ability to sort by ticket owner

        Hi all, in the last week or so, we have lost the ability to sort tickets by Ticket Owner. Unlike the other columns which we can hover over and click on to sort, Ticket Owner is no longer clickable. Is it just us, or are other customers seeing this too?
      • Round-Robin with Load Based Assignment, can you limit which Status are considered?

        Hello, We are currently using Round-Robin with Load Base Assignment. Is there a way to exclude tickets of a certain Status from being considered by the Round-Robin Assignment rules? For example... I have the following statuses. Escalation Review (meaning
      • How to link Custom Fields in Ticket view

        Hi team, I have created 2 custom fields in our Accounts Module would like them to show in our ticket information. We don't have Enterprise so I cannot do it via a workflow, but I know you can do lookup fields to link modules. How would I go about making
      • Notify on new comment

        I would like to notify users when a new comment is added to ticket/request? So if someone is following request they would get email or text saying that comment has been added to this request. Or request/ticket owner get notified. Thanks Luis
      • Save Draft in email bigin for desktop and mobile

        Hi any news to when we going to have the save draft for email in bigin desktop and mobile?
      • Insufficient "previlleges" to perform this operation? All of a sudden

        Trying to create a ticket report in the free version of Zoho Desk (Analytics > tickets by contact), same as I have always done for the past 4 years every 2 weeks, and I am receiving the following message: I am labeled as Support Administrator, and we
      • Ticket sends email to 2 different email addresses

        Good afternoon, I am attempting to setup our ticketing system so that when a ticket is created, updated, and closed, it will email both the customer receiving support as well as the salesperson that is associated with the customer. The way that our tickets
      • API to post drafts for social media

        I we want to post draft posts to our zoho social account and then approve and schedule them within Zoho social. is this possible with for example: https://apis.zoho.com/social/v2/post TIA Jon
      • Forced Tooltip on Maps View

        Please remove the forced tool tip data points and ONLY include those listed in the "Include Columns for Tooltip" area. Also, disable the tool tip if no fields in there. With a lat/lng map, it forces showing those (and color field, lat count) and will
      • Anyone else having trouble with blurry pixelated screenshare?

        Ever since Monday Nov 26th., Cliq and Meeting screenshare has been blurry/pixelated like this:  https://www.screencast.com/t/0CblL3drKuU Did something change? Because Our Internet connects are plenty fast and everything is crystal clear in Skype... Also, video share is clear and normal, it is just screen share... Thanks
      • Map chart on Dashboard - can I disable tooltip?

        When adding a world map chart to a dashboard, I would like to disable the tooltip with details. Is there a way to do that?
      • ERROR

        I deleted a contact card, I want to add it again but it says that the contact already exists. I searched the records and it is not there, and I even deleted it in the trash. The email is this one: ldurbani@gmail.com. Please help!!
      • Currency Field Does Not show commas upon entry - leading to inaccurate entries!

        Hello Zoho... When our sales reps are entering deals and the profit/revenue it is difficult to accurately enter numbers with lots of zeros when there commas are NOT added until the record is saved. Could commas be added to this filed type as it is being
      • Display Profile Member Details of Logged In User in Zoho Site

        In a page, I want to display the profile details of the Member Portal who is logged in to my Zoho Site (email, name, etc.). How can I retrieve the email, name, and other data from the logged in user? I know that there is already a My Profile page that
      • Issues with Publishing Updates on Arabic Subsite in Zoho Site KSA

        Hello Zoho Community, I am reaching out to share my experience and seek assistance regarding an issue I’ve been facing with my Zoho Site KSA. Despite purchasing the Add-on Subsite twice, my subsite remains unpublished. Here are the details: Background:
      • Account name not populating when importing contacts

        When importing a csv file to add contacts the account name is blank? Every other filed gets mapped and imported correctly, i.e contact name, phone number. However not the account name which I have mapped to "company" field in my csv file
      • Support for Developing Zoho Recruit Extensions via Zoho Sigma

        Hi, I’m interested in building an extension for Zoho Recruit using Zoho Sigma. However, when I navigate to Sigma and attempt to create a new extension (via the "New Extension" option), Zoho Recruit does not appear as a listed service—only options like
      • Cannot use a Zoho Form in CRM Email Template

        I've created a Zoho form that has integration with Zoho CRM and is linked to a custom module. I know the form works as I have tested it. When I try and insert this Zoho Form in a button on a CRM email template set up with the same custom module I get
      • Next Page