Incremental Authorization

Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!


      • Recent Topics

      • Average Costing / Weighted Average Costing

        Hello fellow maadirs. I understand Zoho Books uses FIFO method of dealing with inventory costing, but do you guys have any plans to introduce average costing? We indians need average costing. It's part of our culture. Please. I beg thee. Thanks.
      • Credit note

        By mistake I issued credit note in Jan 2025 for the invoice related to Dec 2024. Now I want to delete this credit note but anable to do so. Need help in this
      • How to query for Deals record based on Pipeline?

        I want to query for Deals records that matches a specified Pipeline using a Deluge function. When I call zoho.crm.searchRecords("Deals","(Pipeline:equals:" + myPipeline + ")"), I get this error: { code: 'INVALID_QUERY' , details: {...} , message: 'Invalid
      • CRM formula field help

        Hello! i was hoping to get some help with a formula i'm creating within a module. I'm looking to make a formula that changes based on a date field but based upon the present date. This is the formula i have so far: If(Now() < ${Instructors.Start Date},
      • Change to copy/paste functionality in Deluge code editor

        Recently there was a change to the Deluge code etidor where it now inserts backslashes into strings automatically when copying/pasting strings with double quotes, it's a nightmare to have to go delete all these. Is it possible to toggle this on or off?
      • BIN Locations

        Hi, I’m new to Zoho inventory and unless Im missing something, I cannot find BIN locations anywhere in ‘items’? please tell me it’s there somewhere?!? Thanks
      • BANK FEED - MAYBANK , provider from YODLEE IS NOT WORKING

        As per topic, the provider YODLEE is not working for the BANK FEED. It have been reported since 2023 Q3, and second report on 2023 Q4. now almost end of 2024 Q1, and coming to 2024 Q2. Malaysia Bank Maybank is NOT working. can anyone check on this issue?
      • Canadian payroll

        Hello ZOHO, is any updates on when payroll for Canada will be available?
      • Default reminders on Emails

        I have seen that it is possible to set, for each email, a reminder when the email remains unresponded for some time. This is very useful, so useful that I would like to set it for all my emails, by default. Because an unanswered email usually requires
      • in zoho assist I would like to temporarliy go into view only mode

        During a zoho assist remote support / remote control session, I would like an option to turn off control, and go into view only mode. Then later, turn back on control, all within the same session. (Many other remote login apps have this feature.) For
      • Zoho notes list issue

        Hi team, Suddenly my extension is not working and I could not find the extension in my marketplace list anymore. Extension version deprecated This version of the extension is no longer in use. Please update the extension and try again.
      • Assignment Rule: Immediate Ticket Assignment to Agents Upon Shift Start

        Dear Zoho Desk Team, I hope this message finds you well. Currently, when the option to assign tickets to offline agents is turned off, agents who come online during their shift have to wait for about 30 minutes before any tickets from the queue are assigned
      • Change email template depending on answer from form

        Is it possible to set up the following in Zoho Desk: When a user submits a ticket via the Zoho Help Center's form, they can select an answer from a dropdown field. In this example, the dropdown options are 'Option A' and 'Option B.' If a user selects
      • Kaizen #171: FAQs on COQL API

        Hello all!! Welcome back to another post in the Kaizen series! In this post, we will address some of the most frequently asked questions about Zoho CRM's COQL API from the Zoho CRM Developer Community Forum. COQL API Query API lets you query for records
      • Issue with Date Placeholder Formatting in Ticket ID Customization

        Hello Support Team, I'm experiencing an issue with the date placeholder formatting in Zoho Desk's Ticket ID customization. Specifically, when using the `{{DD}}` placeholder for the day in the prefix or suffix, the output displays the day as a single digit
      • Time Field

        Good Day, I have a question, when I save a draft and reload it. Why does the time field format keeps goes from hh:mm to hh:mm:ss? Is there a way I can force it to load to hh:mm only? I have tried example = totime(input.TimeField, "hh:mm") in the -created
      • Feature Req - See imap emails in Timeline tab of a deal

        In many other CRMs such as pipedrive and hubspot, when you are looking at the timeline of a deal you can also see snippets of emails that have been sent or received and then click to view the full message. This gives users a fast way to catch up on EVERYTHING
      • HOW TO: Searching a thread (email body/text) with a custom function, allowing filtering and specific actions

        We are still trialing out Zoho at this time, but have found a major expected feature to be missing - the ability to search within the text of an email for automation/workflows. NOTE: You need to create a connection for zohodesk under settings -> Developer
      • Partnership Proposal for Supporting Number Porting Services in Singapore

        Dear Zoho Representative’s, I hope this message finds you well. My name is Honelito Gilos, and I represent Borderless Hub Pte Ltd (Singapore). We are a Telco here in Singapore specialising in providing seamless number porting services, and I’m reaching
      • Tip #2: Prefill forms automatically with existing Zoho CRM data

        How to automatically prefill a form with existing Zoho CRM data? Prefilled forms can be useful when you want your prospects to view and confirm their data, and in a wide range of other situations. In Zoho Forms, we prefill the fields with the values from Zoho CRM using the Zoho CRM field. What is a Zoho CRM field? A Zoho CRM field acts as a two-way communication channel, by sending data to Zoho CRM from forms and fetching information from CRM into Forms. The field will look up data from your CRM
      • Transform Your Customer Support with AI-Powered Chatbots in Zoho SalesIQ

        Ever wondered how some companies seem to have superhuman customer support? Let's uncover their secret! In the digital age, customer expectations are skyrocketing. Did you know that according to McKinsey, 75% of consumers expect a response within five
      • Quickbooks conversion and Internet sales

        Hello, we are considering converting from Quickbooks enterprise to Zoho Books and using MonotorZ for our mrp needs. Today we import Internet sales under a single customer with multiple ship to addresses. We want to maintain the detail in CRM for marketing
      • How to add two columns in Zoho forms

        I would like to have two columns in Zoho forms. How can i enable two columns?
      • When creating Sales Order / Estimate via API, the line item Tax Code does not get pulled in.

        I'm creating Sales Orders via API from CRM but it does not pull in the "Tax Code" I've read within the forums that this should be done automatically but it's not happening. Not sure if it's a bug or by design? Anybody else know? Should we be adding the
      • Chart showing schedule

        I want to be able to create a chart for everyday to check and which of which driver is available on the timeframe. Here's my table Name City Day Start Time End Time Driver1 Medicine Hat Monday 11:45 AM 4:45 PM Driver 2 Medicine Hat Tuesday 11:00 AM 7:00
      • Quais são os maiores desafios que você enfrenta ao implementar o Zoho CRM?

        Olá, pessoal da comunidade Zoho Brasil! Sou parceiro autorizado da Zoho e, ao longo do tempo, tenho notado que cada implementação de CRM traz desafios únicos, dependendo do segmento de negócio, das metas da empresa e até da familiaridade da equipe com
      • 2025 Just Got More Exciting for Developers!

        Hello, Greetings to the Zoho Books Community! As we step into the New Year, we're thrilled to roll out something truly special for our Zoho Finance enthusiasts – the "Zoho Finance Developer" Community! This is your exclusive space to connect with fellow
      • Error in executing On user input script

        I'm having problems with this  this script : ; Tipo_list=List(); Tipo_rec = Tabla_factores[Periodo == input.Periodo_anos.toLong()]; Tipo_list.addAll(Tipo_rec.Clase_credito.getall()); for each Clase_credito in Tipo_list { Tipo_credito:ui.add(Clase_credito) } Error in executing On User Input script of Periodo en años. Error. Error in executing Fetch Record task. Unable to fetch Tabla_factores and update variable Tipo_rec. Error in evaluating the criteria : Error. Error evaluating NUMERIC expression
      • sync data from outside of zoho plateform

        hii team , i am creating a platform using zoho platform, i want to sync the data from out side of the platform like people-soft, but i am not able to sync the data , if it is possible , then suggest me how can i do it , i want to sync data from other
      • How to add a Data Updated As Of: dynamically in text?

        I need to add a "Data Updated As Of" in the dashboard to show when was the last date the data was updated. I tried to create a widget but it does not look really good, see below. Is there a way I can do this through the text widget and update it automatically
      • Automate search in customer list and easilly initiate email

        Hello and happy new year ! I have a customer list with name, telephone, emails and some criterias like location, type of customer, etc. I want to search that form to extract part of it, for example all customers that have a location of "Québec city" and
      • "Select All" item in the context menu

        In the Client on Android, there is a “Select all” item in the note’s context menu. There is no such item in the PC client. Can it be added in future versions of the client?
      • Syncing Leave Calendar With Shared Google Calendar Does Not Remove Canceled Leaves

        Our organization has each employee sync their Leaves calendar with a shared Google calendar, but am I right that if an employee cancels a Leave in Zoho that it will not be removed automatically from the shared Google calendar through the same sync m
      • Is it possible to display formulas in cells instead of calculated results?

        I want to export my Zoho sheet as tab separated text without losing the formulas. In excel, I would use the settings Options - Advanced - show formulas in cells instead of their calculated results then save as tab separated values. How do I do this in
      • Creator Simplified #11: Create a custom button to download files

        Hey there! This time, let's see how to create custom buttons to download the files uploaded in the file upload field. Sample use-case A training app has a module that provides the materials for all the available courses. Students can click on the corresponding
      • Batch Tracking Enhancements In Zoho Inventory

        Hello users, We’re excited to announce that we’ve taken batch tracking to a whole new level in Zoho Inventory! We’ve made it more accessible and easier to use than ever. Here’s a quick look at the improvements: 1) A New Way To Create or Modify Batches
      • Zoho Desk Mobile App Year-End Roundup - 2024

        Hello Everyone, Greetings! As you gear up for the festive season, we are excited to share a quick journey into all that is released in 2024! Availability of each feature in iOS and Android released in 2024 are as follows: For more information on the above
      • Task Completion vs Estimated Time

        I need to represent the Estimated Date vs Actual Completion Date for multiple Tasks. How Can I Do this in Zoho Analytics.
      • Upload Field - cannot be checked in rules configuration.

        We wanted to create a process to verify whether the upload fields are empty or not. If empty, then it should deny during submission. We don't want to use the mandatory field setting because in a 10 pager form, some upload field located in page 1 will
      • Chat function not working properly

        Ever since upgrading to plus, the chat is all messed up. it is coming up behind the web page so that I cannot see what I'm typing and cannot read replies. I can only see the bottom of the text box at the bottom of the page, and then it is blocked. I've
      • Next Page