Incremental Authorization

Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that lets a client request specific authorization scopes as and when they are needed. The client does not have to request upfront every scope it might ever need, which would make for a poor user experience. Incremental Authorization is considered a best practice for OAuth authorization requests because:
  • Users are not overloaded with scopes at the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization.

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token)

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, uses a custom in-house marketing tool that integrates with Zoho CRM. Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands its operations, they realize that they need to create new Contacts based on sign-ups and retrieve existing Deals data for analysis. The tool is then revamped to create Contacts and view Deals data.
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to grant access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token.

Scenario 2

Consider that you want to use a new Zoho CRM API that has just been released as part of a version release. Your refresh token does not have the scope required to access the new API. In such cases, you can use incremental authorization to append the required scope to the same refresh token.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters
You should send the initiation request with the below parameters. All parameters are mandatory.
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the additional scopes to the refresh token.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri: Specify the URI to which the authorization server will redirect the browser back with a success or failure response. It must be the same URI that was provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho login page, where the user enters their Zoho credentials. Once authenticated, the user is shown the permissions being requested.
If the user grants permission, the additional scopes are appended to the refresh token and a success response is returned: the user is redirected to the redirect_uri with the parameters status=success and scope_enhanced=true, and the application can continue using the same refresh token. If the user denies the request, the system returns a failure response: the user is redirected to the redirect_uri with the parameter error=access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied
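The following is an added example, not code from the original post or from Zoho, that puts the two steps above (and the callback handling that follows them) into a server-side helper. It assumes a placeholder accounts host (ACCOUNTS_URL), example scope names, and that the scope parameter takes comma-separated scope names as in Zoho's usual authorization request; the `send` parameter is a hypothetical hook so the step 1 call can be exercised without network access. Note the security-relevant split the flow already has: the client secret only appears in the back-channel POST of step 1, while the browser-facing URL of step 2 carries only the short-lived enhancement token. The callback parser also checks that the redirect arrived at the registered redirect_uri before trusting its parameters.

```python
"""Helper for Zoho-style incremental authorization (added example, not Zoho's code)."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Placeholder for the datacenter-specific accounts-url; replace with the one
# for the DC where your client is registered.
ACCOUNTS_URL = "https://accounts.zoho.example"


@dataclass(frozen=True)
class ScopeEnhancementToken:
    token: str       # the "access_token" value from the step 1 response
    expires_in: int  # seconds; the documented response shows 600


def _post_form(url, params):
    """Default transport: form-encoded POST, JSON response (replaced in tests)."""
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def request_scope_enhancement_token(client_id, client_secret, refresh_token, send=_post_form):
    """Step 1: server-to-server POST to /oauth/v2/token/scopeenhance.

    The client secret is only ever sent in this back-channel call; it never
    goes into a URL the user's browser sees.
    """
    params = {
        "grant_type": "update_scopes_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }
    data = send(f"{ACCOUNTS_URL}/oauth/v2/token/scopeenhance", params)
    # Accept only the documented short-lived update_scope token shape.
    if data.get("token_type") != "update_scope" or "access_token" not in data:
        raise ValueError(f"unexpected scopeenhance response: {data}")
    return ScopeEnhancementToken(token=data["access_token"], expires_in=int(data["expires_in"]))


def build_scope_enhancement_url(client_id, redirect_uri, scopes, enhance_token, logout=True):
    """Step 2: the URL the browser is sent to for /oauth/v2/token/addextrascope.

    `scopes` is a list of scope names joined with commas (assumption: Zoho's
    usual scope format). Only logout=true is documented, so the parameter is
    omitted when logout is False.
    """
    query = {
        "response_type": "update_scopes",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scopes),
        "enhance_token": enhance_token.token,
    }
    if logout:
        query["logout"] = "true"
    return f"{ACCOUNTS_URL}/oauth/v2/token/addextrascope?{urllib.parse.urlencode(query)}"


def query_params(url):
    """Parse a URL's query string into a dict (last value wins)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


def parse_callback(callback_url, registered_redirect_uri):
    """Interpret the redirect back from the consent screen.

    Parameters are trusted only if the callback arrived at the scheme, host
    and path of the registered redirect_uri.
    """
    got = urllib.parse.urlsplit(callback_url)
    want = urllib.parse.urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback did not arrive at the registered redirect_uri")
    q = query_params(callback_url)
    if q.get("status") == "success" and q.get("scope_enhanced") == "true":
        # The same refresh token now carries the extra scopes; nothing new to store.
        return {"ok": True, "scope_enhanced": True}
    return {"ok": False, "error": q.get("error", "unknown")}
```

In a real deployment the step 1 call runs when the application detects that a feature needs a scope the stored refresh token lacks; the application then redirects the user to the URL from step 2 and, on return, feeds the full callback URL to `parse_callback`. Because the enhancement token expires after a short interval (600 seconds in the documented response), the redirect should be issued immediately after step 1 rather than cached.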

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!
