Kaizen #168 - Incremental Authorization

Kaizen #168 - Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!




      • Sticky Posts

      • Kaizen #217 - Actions APIs : Tasks

        Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

      • Kaizen #216 - Actions APIs : Email Notifications

        Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

      • Kaizen #152 - Client Script Support for the new Canvas Record Forms

        Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved

      • Kaizen #142: How to Navigate to Another Page in Zoho CRM using Client Script

        Hello everyone! Welcome back to another exciting Kaizen post. In this post, let us see how you can you navigate to different Pages using Client Script. In this Kaizen post, Need to Navigate to different Pages Client Script ZDKs related to navigation A.

      • Kaizen #210 - Answering your Questions | Event Management System using ZDK CLI

        Hello Everyone, Welcome back to yet another post in the Kaizen Series! As you already may know, for the Kaizen #200 milestone, we asked for your feedback and many of you suggested topics for us to discuss. We have been writing on these topics over the

        • Recent Topics

        • Loading Project Balances in ZOHO Books for each project

          Hello, What is the best method for loading project balances actual and budget into ZOHO books to provide tracking to our project managers. We have projects and federal awards (also treated as projects) which span multiple years. We are converting from

        • Request to Remove LinkedIn Verification from My Emai

          I would like to submit a complaint regarding my Zoho Mail account. I previously used this email address to verify a LinkedIn account, but that LinkedIn account has now been closed. I need to remove or cancel the verification associated with the closed

        • Introducing the all-new email parser!

          Greetings, We are pleased to introduce to you, a brand-new, upgraded version of the Zoho CRM Email Parser, which is packed with fresh features and has been completely redesigned to meet latest customers needs and their business requirements. On that note,

        • Zoho Projects - Refine Access to Collaboration Menu

          Hi Projects Team, I noticed that Calendar, Chat and Meeting menu options in the Collaboration section are visible to client users, even when they don't have access to the features. This could be confusing and frustrating, because if it's there you expect

        • Kaizen #217 - Actions APIs : Tasks

          Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

        • Extracting Images from a Zoho Creator Report into a Pages

          If you’ve uploaded images in a form and can see them in your report, you might also want to display those same images inside a Page (custom HTML page). This is useful for dashboards, profile pages, or any place where images should be visible dynamically

        • Zoho is blocking emails I subscribe to from one sender

          About 4 months ago I stopped receiving newsletters that I subscribe to from @thedispatch.com. They tell me that zoho's server is blocking them. I've added them to my contacts list, but they're not even reaching my inbox. I don't know how to troubleshoot

        • Inactive Items - Make Less Prominent by Default

          Currently, when one marks an Item as "Inactive", it really doesn't do much of anything to hide it or get it out of the way. Search and reporting within Finance should, by default, hide inactive Items from standard reports, searches, etc. If one specifically

        • Items should display under specific warehouse

          I have configured the multi warehouse but it show all the items under all warehouse which is not correct according to our business logic, so i want that items should only display under that specific warehouse not under all the warehouses not even with zero quantity. Some items should be common but not all so is there any option for that purpose so i can specific the items to its warehouse. Regards

        • How to calculate GST based on "Ship To Address"

          We into the interior designing work, providing "Works Contract Services" to our clients across India. We are registered under GST in Maharashtra state. For works contract services as per the GST rule, we need to decide place of supply based on "Ship to

        • I NEED TO NUMBER TO TEXT NO HERE

          =NUMBERTEXT NEEED

        • Auto-fill New Row with Previous Row Values

          rowsize = input.Order_Items.count(); for each row1 in input.Order_Items { rowsize = rowsize - 1; if(rowsize == 1) { row.Door_Model = row1.Door_Model; row.Door_Color = row1.Door_Color; row.Materials = row1.Materials;

        • When I click on PDF/PRINT it makes the invoice half size

          When I click PDF / Print for my invoice in Zoho Books, the generated PDF appears at half size — everything is scaled down, including the logo, text, and layout. The content does not fill the page as it should. Could someone advise what causes Zoho Books

        • Python - code studio

          Hi, I see the code studio is "coming soon". We have some files that will require some more complex transformation, is this feature far off? It appears to have been released in Zoho Analytics already

        • API question - adding a thread to an existing ticket

          Hi Is there an API function for the customer to add to an existing ticket thread? example, customer puts in new support ticket. support replies and ask for more details. customer replies with more details -what api function is used for this (will add record append to same ticket number?) Thanks

        • Why is Zoho Meeting quality so poor?

          I've just moved from Office 365 to Zoho Workplace and have been generally really positive about the new platform -- nicely integrated, nice GUI, good and easy-to-understand control and customisation, and at a reasonable price. However, what is going on

        • Items Below Reorder Point Report?

          Is there a way to run a report of Items that are below the Reorder Point? I don't see this as a specific report, nor can I figure out how to customize any of the other stock reports to give me this information. Please tell me I'm missing something s

        • Calendar week view: Today + 6

          Is there anyway to have the calendar change dynamically based on the date? Due to the amount of events, we only display a week at a time, but towards the end of the week, we can no longer see ahead to next week (without changing it manually every time).

        • How to restrict user/portal user change canvas view

          Hi , I would like to restrict user / portal user change their canvas view because I hide some sensitive field for them. I dont want my user switch the canvas view that do not belong to them But seems Zoho do not provide this setting?

        • Introducing parent-child ticketing in Zoho Desk [Early access]

          Hello Zoho Desk users! We have introduced the parent-child ticketing system to help customer service teams ensure efficient resolution of issues involving multiple, related tickets. You can now combine repetitive and interconnected tickets into parent-child

        • How to add to Subforms via Zapier with Zoho Writer?

          I have the following layout for a Zoho Writer Document. As you can see there is a repeating subform taking in "Items". I am trying to make a Zapier integration with it, and I can see there is 1 field saying: "Items", but it does not specify how I'm supposed

        • Contrôles administratifs granulaires : un atout pour la sécurité des e-mails

          La moindre erreur dans votre système de messagerie peut coûter très cher à votre entreprise, tant en argent qu’en conformité et en image de marque. Pour beaucoup d’organisations, ce risque est bien réel. Les e-mails véhiculent quotidiennement des informations

        • Collections Management: #6 Realign Customers who gets back In-Term

          Arun stared at the subscription list on his dashboard. Another account had just been moved to Cancelled status after completing the whole dunning process. Nothing unusual, just that payment failures happen, retries fail, and cancellation is the expected

        • Zoho Mail IP Blacklist

          I need problems with send mails: Error: junk mail rejected - sender4-op-o10.zoho.com 136.143.188.10, is in RBL. Spamcop. Please remove FQDN for blacklist. Regards.

        • I can receive but not send emails

          Hello, I've been not able to send emails for almost a year now. I been using alternate email to do this. I want to know how to fix this so I can use my zoho account normally again.

        • The challenge of 24/7 connectivity: Being present and meeting customer expectations

          Before television entered our homes, radio was our window to the world. We had to tune carefully to catch voices from distant places. When television arrived, the world began to grow smaller. We can watch rocket launches, see the goal that wins our favorite

        • How to download all attachments from inbox, send, other folders in one go

          Hi All, Appreciate if anyone could help me with steps for below requirement. How to download all attachments from inbox, send, other folders in one go. Even mapping to new folder will help me. Thanks in advance.

        • Cannot connect mail accounts to Thunderbird

          Hi Support - I'm attempting to add my mail accounts to Thunderbird but I'm getting an unable to login to server error. I tried to use the password associated with my account I received the unable to login error. So I went into Zoho Accounts and generate

        • Alias Email Id already exists

          Hi, I just verified my domain sesque (dot) com and now I am trying to create the admin account using admin (at) sesque (dot) com, but I am getting an error saying "Alias Email Id already exists". I used to have another Zoho account with this email address,

        • Unable to connect to smtp server, connection timed out

          Hi Team, I am facing below issue, while sending out emails from thunderbird client. It used to work, facing this issue from morning. Error: Sending of the message failed. The message could not be sent because the connection to Outgoing server (SMTP) smtp.zoho.com

        • javax.mail.authenticationfailedexception 535 authentication failed

          Hi, I am facing 535 authentication failed error when trying to send email from zoho desktop as well as in webmail. Can you suggest to fix this issue,. Regards, Rekha

        • DKIM Verification Failed (Namecheap)

          Hi! I have already set up the TXT records in Namecheap but I keep getting the "Verification Failed" pop up. Was wondering if I'm the only one who has this problem and can anyone help me with this? Thanks!

        • Emails stuck in Queue

          Hi there, Since yesterday I have a few out going emails stuck in a queue. It say it will auto retry sending however nothing is happening. It seems to be affecting roughly 50% of my outgoing emails. Please help Thanks

        • Soft Bounce from transational emails from BREVO (Sendinblue)

          I manage the website of a client who uses your EMAIL service for the domain floranativadobrasil.com. And I use the BREVO email service, previously called SendinBlue, to send transactional emails about events specific to the website. All emails sent to

        • Ability to Edit YouTube Video Title, Description & Thumbnail After Publishing

          Hi Zoho Social Team, How are you? We would like to request an enhancement to Zoho Social that enables users to edit YouTube video details after the video has already been published. Your team confirmed that while Zoho Social currently allows editing the

        • Getting an error Address not found Your message wasn't delivered

          Hey, I'm trying to configure zoho mail for my website https://businessentity.org/ The email is meredith.karter@businessentity.org I'm able to successfully send the mails but when someone sends an email to above mail, this error shoots up: Address not

        • Support Uploading YouTube Videos Longer Than 60 Minutes

          Hi Zoho Social Team, How are you? We would like to request support for uploading YouTube videos longer than 60 minutes directly through Zoho Social. Your support team informed us that Zoho Social currently cannot upload videos over 60 minutes due to “API

        • Need Faster Help? Try Live Chat Support

          Hello there, We understand that sometimes, whether you’re facing an issue, exploring a feature, or need quick clarification, sending an email and waiting for a response just doesn’t cut it. You need answers, and you need them now. That’s exactly why we

        • Can't deactivate Spell Check

          Hi Community, right now I'm using the Zoho Mail Desktop-Software. So far, so good.. many possibilities. Overall very nice. What is extremely annoying right now, is that we are not able to deactivate the Spell Check feature. And we are barely able to focus

        • Zoho Toolkit Email Signature Generator

          I'm having real issues with the email signature generator with no matter where I host the photo, Zoho doesn't seem to show the photo on the link provided?

        • Next Page