Incremental Authorization

Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!


      • Recent Topics

      • Inventory API - How do I add a payment to a bill using the API?

        I can update the "notes" field but I don't know how to add a payment to an existing bill. Is this possible? Does someone have a working example?

      • Update Multi select field values to another form table as individual record

        Hi, I am new to coding and do basics within deluge. I need help with the deluge script to meet the following requirement. Form Student Attendance The fields are : Attendance Date Course (Lookup to Course Form) Class (Lookup to Class Form) Students (Multi

      • Why Doesn't TrueSync Desktop App Have an Auto-Update Feature?

        I have to manually update the app myself. I think it's a big shortcoming.

      • Link Zoho Inventory to Clover POS

        Is it possible to link zoho Inventory to Clover POS?

      • How can I start trial version without any example data?

        I am lazy to manually delete each data in every section. Is there any button to fresh start my account from zero?

      • Send Whatsapp with API including custom placeholders

        Is is possible to initiate a session on whatsapp IM channel with a template that includes params (placeholders) that are passed on the API call? This is very usefull to send a Utility message for a transactional notification including an order number

      • Building a custom site

        do we have an option in Zoho to build custom sites like adding custom functionalities? want to make a site like https://trackscourier.com/jnt-tracking-ph/. Is it doable? Please assist.

      • Free developer edition of Zoho CRM

        A question for Zoho and other developers: How can you set up a demonstration version of a Zoho CRM implementation to show employers/clients what can be achieved? Do you pay for Zoho CRM Enterprise/Zoho One for this purpose? Does Zoho offer a free version

      • Confirmation prompt before a custom button action is triggered

        Have you ever created a custom button and just hoped that you/your users are prompted first to confirm the action? Well, Zoho knows this concept. For example, in blueprint, whenever we want to advance to the next state by clicking the transition, it is

      • Selecting ZOHO Help Desk Plan for Startup

        Hello everyone, We at unisouk are setting up a Product support team for our platform. and probably we will be team of 3-5 people. Which plan would cater my needs to address customer technical queries and maintain the inflow of various channel queries

      • Where do we manage tags?

        Where is the page where we can view all tags and manage them (like change a tag name to something else or merge tickets under a particular tag with another)?

      • Possibilité de créer des boutons de raccourci dans les tickets Zoho Desk

        Bonjour, J'ai développé plusieurs automatisations avec Zoho Deluge pour optimiser la gestion des tickets. Je souhaiterais savoir s’il est possible de créer des boutons de raccourci directement accessibles dans l’interface des tickets afin de déclencher

      • Update to the Merge Tickets Functionality

        This is to inform you about a significant update to the Merge Tickets functionality in Zoho Desk.  Until now, while merging tickets, a user could set one ticket as the master ticket and choose the final value for any field from any of the secondary tickets too. As a result of this provision, many a time, crucial details related to the master ticket faced the risk of being excluded in the final, merged ticket. To overcome this challenge, we have decided to make the value of some critical fields unchangeable,

      • Setting up CRM for RFP workflow management

        This will be the first time our organization uses an off-the-shelf CRM, transitioning from our homegrown custom solution, and I would appreciate general thoughts on how to get started in general with our workflow using Zoho CRM. The main question: if

      • Integrating Calendly with Zoho Calendar in Zoho Mail

        I moved my office into a business incubator space that uses Calendly for meeting management and events. Calendly doesn't have a integration with Zoho Calendar and vice versa. I was directed to Zapier for integration but it doesn't have an integration

      • How to send binary data in invokeurl task?

        Hello, I am using Adobe's Protect PDF API. Source: https://developer.adobe.com/document-services/docs/overview/pdf-services-api/ Everything works fine in Postman. But for some reason after encrypting the file, it is empty after password protecting the

      • Unable to access Zoho Desk at all - has an extreme slow load and then just remains blank

        This is all I see:

      • Demande : Épingler automatiquement un commentaire via Deluge

        Bonjour, Je suis utilisateur de Zoho Desk et j'ai développé une fonction avec Zoho Deluge permettant d'ajouter automatiquement un type de commentaire à chaque création de ticket. Cependant, j'aimerais pouvoir épingler ces commentaires directement depuis

      • Unknown error occurred

        Hi, When we want to publish or edit a page in our website, we encounter with "Unknown error occurred" problem. I share a screenshot here. Our website is www.essoft.com. It happens every page. We want to solve this ASAP.

      • Using Creator API access tokens in deluge script

        I am working on generating download urls for files that are uploaded via a creator form. I want to include these urls in record templates so they can be easily accessed. The goal is to make downloading multiple attachments in a record as quick and easy

      • Option to Re-order from past orders

        Customers would like to place a repeat order with the business entity. Currently there is no option to support this and everytime the customer has to check out following the same process. Can a option be given to reorder from the past orders?

      • Display your zoho contact name when they call your mobile number

        As per the title If a contact calls the office number, the contacts name shows on mobile as long as I have their contact details registered in my crm. Is there a way that if the contact calls my mobile, their name can be displayed? Currently just their number shows when they call.

      • US to EU Data Migration done / Workflows and Custom Functions stopped working

        Hello, I need help to restore my workflow rules and custom functions to work. My data was transferred from the US to the EU (Data center migration). Now all Workflow Rules and Custom Functions not working. I have no idea how to restore them to work again.

      • Custom view for Milestones

        Hi, Just an idea for the future... would it be possible to create custom views for the Milestones view under Work Overview ? I usually need to look at this view filtered by project group but the filter doesn't remain when navigating away. A custom view

      • Zoho API Error Code 7019 when adding job.

        Hello, I am following the documentation found here. https://www.zoho.com/people/api/timesheet/adding-jobs.html Regardless of how I try and post the data (including just using the example requests), I receive back the response {'response': {'message':

      • Getting error during inserting a record in form of zoho people using zoho api

        import requests import json # Set your access token and Zoho People API base URL access_token = '1000.XXXXXXXXXXXXXXX.XXXXXXXXXXXXXXXXXXXXX' api_base_url = 'https://people.zoho.in/people/api/' # Set the form name and data to be inserted form_link_name

      • Email an Invoice from API

        When calling the API to email an invoice, it seems it does not actually send it. Below is a screen shot where I used an API call for the bottom record, and it updated its' status to "Due Today", but no email was actually sent. The top record, I hit the

      • How to delete Email Sent From CRM from Contact Records

        I can't figure out how to delete email sent form CRM from contact records. Can you please advise? 

      • Recurring Events Not Appearing in "My Events" and therefore not syncing with Google Apps

        We use the Google Sync functionality for our events, and it appears to have been working fine except: I've created a set of recurring events that I noticed were missing from my Google Apps calendar. Upon further research, it appears this is occurring

      • Is there a Kanban view of Tasks across all Projects?

        As the title indicates, I could use a Kanban view of my Tasks across my Projects. If it's there, I don't see it. If it isn't there, I'd like to submit this as a feature request. Thx.

      • CRM Deluge how can link attach file with workdrive file.

        Hi, We have create file at workdrive and would like to link to attachment at crm module by deluge. Right now can only upload it to attachment but can not link the file from workdrive. Thank you

      • Tropicalize Books

        Books is an incredibly powerful tool that works well in many countries. But I feel that it is a product that is not yet "tropicalized" for Brazil as we speak (this would be like adapting the local reality). We have many strong competitors who do more

      • Refund of a check distribution fee...

        I use cashiers checks, from my local credit union, to pay some bills very occasionally. They charge me a 5.00 fee for this service, but then refund me that same amount at the end of the month on my statement. How would I record this transaction in Zoho

      • Usuários do Zoho Recruit no Brasil

        Gostaríamos de interagir com outros usuários do Zoho Recruit. Acabamos de completar um ano de utilização. Quem mais usa? se usa outra qual é?

      • Zoho Creator Upcoming Updates - December 2024

        Hi all, We're excited to be back with the latest updates and developments on the Creator platform. Here's what we're going over this month: Deluge AI assistance Rapid error messages in Deluge editor QR code & barcode generator Expandable RTF and multi

      • Questions about To Do

        1. I created a To Do note on Android and there is a line sorting option in the options drop down menu. But I didn’t find such an option in the PC client. I really need this option. 2. Why is there no search in To Do on the PC client? 3. Why is there no

      • Introducing Offer Details Sync to Zoho People

        We've introduced a new option for the Zoho People integration that allows you to push offer details when a candidate is converted to an employee. This simplifies your recruitment-to-onboarding process by seamlessly syncing critical offer information,

      • Conversion of functions from Google Spreadsheets

        Hello! I use this formula "=QUERY(ResumoOrdemVencimento!A3:O38;"SELECT A,B,C,D,E,F,G,H,I,J,K,L,M,N,O WHERE C != '' ORDER BY C,G")" in Google Sheets but when importing my spreadsheet into Zoho Sheets the formula was not converted. The QUERY function brings data from another spreadsheet, and then I sort and apply conditional formatting. The order of data will change automatically as I update the source spreadsheet. What Zoho Sheets function is equivalent to QUERY? I have some other spreadsheets to

      • Copy, Duplicate, or Clone a Custom View?

        I searched the forums and didn't see anything on the subject. Is there a way to copy, duplicate or clone a custom view? I want a custom view similar to one I've already created. I just want the columns in different order.

      • Import from OneNote

        Is there a way to import notes from OneNote? 

      • Next Page