Incremental Authorization

Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that lets a client request specific authorization scopes as and when they are needed. The client therefore does not have to request every scope it might ever need upfront, which tends to produce a poor user experience. Incremental Authorization is considered a best practice for OAuth authorization requests because:
  • Users are not overloaded with scopes at the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization.

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions it needs. As the user engages with the application, they may trigger features that require additional permissions. When the application identifies this, it follows the steps below:

Initiation Request (Step 1: Get Scope Enhancement Token)

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, passing the existing refresh token as a parameter. The purpose of this request is to obtain a scope enhancement token, which is required for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, uses a custom in-house marketing tool that integrates with Zoho CRM. Initially, the tool has permission only to read Leads in Zoho CRM. As the marketing team expands its operations, it realizes that it needs to create new Contacts based on sign-ups and retrieve existing Deals data for analysis. The tool is then revamped to create Contacts and view Deals data.
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to grant access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token.

Scenario 2

Consider that you want to use a new Zoho CRM API that was just released as part of a version release. Your refresh token does not have the scope required to access the new API. In such cases, you can use incremental authorization to append the required scope to the same refresh token.

How can you use Incremental Authorization?

Step 1: Initiation Request

First, send a request to get the scope enhancement token, passing the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}
The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters
Send the initiation request with the parameters below. All parameters are mandatory.
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format:
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response must be passed as a parameter in the next step, the scope enhancement request. Note the expires_in value: the scope enhancement token is short-lived and the next step has to be completed while it is still valid.

Step 2: Scope enhancement request

This request appends the additional scopes to the refresh token.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri: Specify the URI to which the authorization server redirects the browser with the success or failure response. It must be the same URI that was provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Specify the scope enhancement token received in the response to the previous initiation request.
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho login page, where the user enters their Zoho credentials. Once the user is authenticated, the additional permissions required are displayed.
When the user grants permission, the additional scopes are appended to the refresh token and a success response is returned: the user is redirected to the redirect_uri with the parameters status=success and scope_enhanced=true, and the application can continue using the same refresh token. If the user rejects the permission request, the system returns a failure response: the user is redirected to the redirect_uri with the parameter error=access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied
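The two steps above, together with handling of the redirect back to the application, as an added example that is not part of the original post or of any Zoho SDK. It assumes a placeholder accounts URL (the real one depends on your datacenter), a caller-supplied HTTP function so that Step 1 can run offline, and that the callback is only trusted when it arrives at the registered redirect_uri with exactly the parameters documented above.

```python
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder accounts URL; the real value depends on the datacenter the client is registered in.
ACCOUNTS_URL = "https://accounts.zoho.example"


def request_enhancement_token(post, client_id, client_secret, refresh_token):
    """Step 1: obtain the scope enhancement token for an existing refresh token.

    `post(url, data)` is a caller-supplied HTTP function (e.g. a thin wrapper
    around requests.post) returning the parsed JSON body, so this runs offline.
    Returns (token, expiry_epoch); the token is short-lived (expires_in seconds).
    """
    body = post(ACCOUNTS_URL + "/oauth/v2/token/scopeenhance", {
        "grant_type": "update_scopes_token",
        "client_id": client_id,
        "client_secret": client_secret,  # server side only; never exposed to the browser
        "refresh_token": refresh_token,
    })
    if body.get("token_type") != "update_scope" or not body.get("access_token"):
        raise ValueError("unexpected scope enhancement response")
    return body["access_token"], time.time() + int(body.get("expires_in", 0))


def build_add_scope_url(client_id, redirect_uri, scope, enhance_token, logout=False):
    """Step 2: the consent URL the user's browser is sent to. `scope` holds only
    the additional scopes the feature needs, which is the point of the pattern."""
    params = {
        "response_type": "update_scopes",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "enhance_token": enhance_token,
    }
    if logout:
        params["logout"] = "true"
    return ACCOUNTS_URL + "/oauth/v2/token/addextrascope?" + urlencode(params)


def parse_callback(url, expected_redirect_uri):
    """Classify the redirect back to redirect_uri as 'success' or 'access_denied';
    anything else (other URI, unexpected params) is rejected, never treated as a grant."""
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != expected_redirect_uri:
        raise ValueError("callback arrived at an unexpected redirect_uri")
    q = parse_qs(parts.query)
    if q.get("status") == ["success"] and q.get("scope_enhanced") == ["true"]:
        return "success"
    if q.get("error") == ["access_denied"]:
        return "access_denied"
    raise ValueError("unrecognised callback parameters")
```

Once the enhancement token expires (expires_in seconds after Step 1), repeat Step 1 rather than reusing a stale token.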

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!
