Incremental Authorization

Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!





        • Recent Topics

        • Regarding GST Report Issue in Zoho Books

          Hi, Right now, the very important point from my end is this Zoho Books issue. Here, you can see that we have created the invoice with the items of account sales and expenses. The journal is also correct. The profit and Loss statement is also correct.

        • Multiple Salesperson against an invoice

          Hello, Against a particular invoice, we have multiple sales people working. The reason we combine the invoice is becuase we are an exporter and often consolidate cargo for our customer to save them freight costs. How do I capture the contribution of each

        • Projectwise budget ---

          Can we have a Project wise subject in addition to the Monthly, and quarterly ACCOUNT LEVEL budget?

        • Looking back at Zoho Social's 2024: Highlights and memories

          Hey everyone, We hope you had a relaxing and joyous holiday season. Whether you're planning for the new year or still soaking in the magic of the season, we're here to share some exciting highlights from 2024 – a year that was fully packed with updates

        • Building a Zoho Extension for Webex CC - Handling URL Changes

          Hi everyone, I’m building a Zoho extension for Webex Contact Center (Webex CC) and facing an issue with handling URL changes. In telephony, I’ve set the URL of Webex CC to: https://desktop.wxcc-us1.cisco.com/ When this URL remains the same, everything

        • Remove County field from Customer Address input screen (or allow input to be deleted)

          We are in the USA and have just noticed that there is now a County field in the Customer Address input screen (and maybe other areas of Zoho Books, but this is the one affecting us at the moment). County is not important to our business, and in fact we

        • Zoho still running very slow

          I have a lead log for my company and creator seems to be running extremely slow still.

        • Bigin API Token Request ("invalid_client")

          Hi people, I tried to connect to the API without success, I've read all of the documentation multiple time and tried just about everything. I tried to do it with Python Request module and with Postman, passing the information through both the URL parameter

        • Shared Dashboard / Report Permissions : Read not Write

          hi all, We are missing a huge fonctionnalite in setting up Dashboards (and reports) on corporate level.  Currently, we can not set Read Permissions on share Dashboards (and reports) without giving write access as well When we create a corporate dashboard

        • Profile stitching with Zoho Marketing Automation

          When it comes to marketing, knowing who your audience is and tracking their interactions is vital. That's why Zoho Marketing Automation has taken a significant leap forward with its enhanced profile stitching feature. With this update, you can track your

        • GDPR

          Hi , I'm checking out the HIPPA capabilities and at the moment I can see only three modules that can be selected to enable HIPPA Any idea how I can add additional modules such as customers? TNX David

        • default task list for new project

          Is there any way to have a default task list already created in a project, when the project is created in Zoho Books?

        • Record less quantity than ordered in ZOHO inventory

          Lets say I ordered 100 widgets from a Vendor. I have paid the Vendor month ago and just waiting for the product to ship. I have finally received the products but have only received 80 widgets. I see no way in ZOHO to only receive 80 widgets. ZOHO is forcing

        • Stripe payments via Books invoice link missing email - affects fraud detection

          Hi, All our payments done via Books invoice link have a warning: Integration improvement available This transaction is missing customer email address, which affects fraud detection. Why doesn't Books pass this info to zohosecurepay.eu/books/... for more

        • Power of Automation: Automatically sync custom field data between two tasks.

          Hello Everyone, A Custom Function is a user-written set of code to achieve a specific requirement. Set the required conditions needed as to when to trigger using the Workflow rules (be it Tasks / Project) and associate the custom function to it. Requirement:-

        • 'View Invoice' button hyperlink taking to Google Business Maps listing

          The green "view invoice" button in my invoice emails is sending people to my Google maps business listing rather than the invoice. Both my clients and I are experiencing this as a new issue.

        • Migrating Zoho emails to Google Workspace

          Hi Is there a tool to migrate Zoho email to Google workspace?

        • Custom Functions - Calculate Commission - failure after migration from US to EU

          Hello, i would ask for help. My Custom Function - Calculate Commission stopped working and shows a failure. Mismatch of data type expression. Expected List but found String What is the problem? Could anyone help? Here is script: void automation.ObliczProwizje(Int

        • GoCardless Mandate Sync Question

          Hello, When syncing our customer database with GoCardless, some customers aren't working despite both email addresses matching in Zoho Books and GoCardless. Also what do we do about customers where they are associated with multiple accounts as these aren't

        • Create a draft in reply to an email via Emails API

          Hi, I’d like to use the outgoing webhook to automatically create a draft reply to incoming mail. How can I use the Emails API to create a draft reply that is linked to an existing email thread? I couldn’t find the relevant method in the documentation.

        • Weekly Tips: Flags for an organized mailbox

          Wishing you all a Happy New Year 🎉 As we step into 2025, it's time to refocus and set our intentions for the year straight. Whether you're already back at work or just returning from the holidays, you probably have emails that need your immediate attention,

        • Edit line item amount

          It would be sooooo much better to be able to edit the line item amount in all of the modules, if there is any variation in agreed prices it's extremely painful to calculate the rate to match ;-( The rate could be auto calculated on editing this field making life so much easier !

        • Chanel Partner

          Any Zoho channel partner or dubai based company who will help us for getting zoho services including the training for our staff

        • Refer a Friend Campaign

          I am looking to run a referral campaign that sees an initial email going to existing clients, asking them to refer a friend. For each new client referred, the existing client will get a ticket in a prize draw - the more new clients they refer, the more tickets they get in the draw.  I am wanting to figure out how this could be done via Zoho, and how these referrals can be tracked and linked to the existing client who referred them.

        • Emails cannot be received

          Hey, There is an issue in my Zoho account, E-mails can be send from my side but cannot be received on my account MX, DCIM and other are added but still cant receive them. Please help me to solve this problem at your earliest convenience and this is happening

        • Newsletter in multiple languages

          Hi We are planning on starting to use Zoho Campaigns for our newsletters. Since we send our newsletters in three languages, I would need the "unsubscribe page" and other pages related to the NL (Thank you page and so on) to be available in different languages

        • i couldn't recall message as one of the receptionists didn't received the message and i want to recall it urgent

          i couldn't recall message as one of the receptionists didn't received the message and i want to recall it urgent as recall button doesn't appear

        • Servidores caidos?

          Buenas, Hoy 30/12/2024, mi empresa esta sufriendo bastante problemas para acceder a las aplicaciones de Zoho. No sabemos si es solo nuestra compañia o esta afectado a todos. Cuando intentamos acceder a las aplicaciones nos salta el siguiente error: A

        • Tip #1- Remote support vs. unattended access: Contrasting two key concepts in tech assistance- 'Insider Insights'

          Hello everyone! We, at Zoho Community, are excited to introduce Insider Insights, a new series where we will look into various aspects of remote support technology and how they might help you. We'll be sharing tips, methods, and insights acquired from

        • Introducing Fair Evaluation for Interviews

          Collaboration is key in recruitment, but it’s important to ensure individual interviewers’ assessments are not influenced by others. With Fair Evaluation, you can choose how and when interviewers can see reviews of a candidate for the same job opening.

        • I have been looking for CVID to get segmate list where & how can fnd it?

          I am trying to get segment details from the Zoho API. The API documentation says that the CVID is a mandatory parameter, but I cannot find the CVID in the "getmailinglists" API. Can you tell me where to find the CVID?

        • "The data you have entered already exists" when trying to create contac@mydomain.com

          Hi all, Our domain is ananasjuicebar.com. Working as admin in the control panel: When I try to add the email account "contact@ananasjuicebar.com" I get the error: "The data you have entered already exists" I've tried creating a new user or creating a new group with this address associated. To my knowledge this address has never been added and I can also not find any reference to it. (Shopify used this address to send customer notifications BEFORE setting up Zohomail.) Any ideas? are there any restrictions

        • Tip of the week 03 - Sending emails in batches

          Today's marketers not only want their email marketing to be efficient, but also smart. For an email campaign, you may think you have all the essential elements for lead conversion—a big mailing list, an attractive template design, and the most-engaging message content, but after hitting the ‘send’ button, you may not get the expected conversions. Wondering why? Here’s one of the major reasons. Many marketers miss out on sending the email campaign the right way. Did you know that you should not be

        • Zoho Books Bank Feed

          Good afternoon, Is it possible to change the bank feed provider on a bank account. I'm using Plaid but think that Yodlee would be better in terms of pulling transactions in a timely manner. Thank you.

        • Create Bill from Purchase Order via API

          I know you can create a invoice from a Sales Order by using https://books.zoho.com/api/v3/invoices/fromsalesorder Is there a similar url for creating a bill from a purchase order?

        • Log incoming calls on Android CRM?

          I keep reading that I'm able to log incoming calls on the CRM app for Android, but when I answer a call and hang up, I never get the option to log. Is there a special admin I need to do for that? Or permissions? Thanks

        • How do i send an automated email 10 days after closing a ticket

          I am trying to set up an automated email to the customer a set period after the ticket is closed. I have created the email template, but i cannot work out how to set the trigger to send this out. Can someone point me in the right direction please? If

        • Domain Verification

          Hey,  How do I know that my account is verified by Zoho?  Do I need some zd code/number for it?  Need help asap! 

        • Sender not verified message showing on mails sent using zoho mail

          Hello, I am using Zoho mail to send and receive emails. Whenever i send emails to zoho mail id, it showing a message "Warning! Unverified sender.We could not verify that the email was actually from sending email. Be cautious when opening any links/ attachments,

        • Mail Outgoing blocked. Reason :Mail rate exceeded limit

          Hello, Please unblock my mail account: ser1@innspo.com Thanks

        • Next Page