Incremental Authorization

Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when they are needed. The client does not have to request every scope it might ever need upfront, which would result in a bad user experience. Incremental Authorization is considered a best practice for OAuth authorization requests because:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization.

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token)

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, uses a custom in-house marketing tool that integrates with Zoho CRM. Initially, the tool has permission only to read Leads in Zoho CRM. However, as the marketing team expands its operations, it realizes that it needs to create new Contacts based on sign-ups and retrieve existing Deals data for analysis. The tool is then revamped to create Contacts and view Deals data.
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that has just been released as part of a new version. Your refresh token does not have the scope required to access the new API. In such cases, you can make use of incremental authorization to append the required scope to the same refresh token.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., data center) where the client is registered; see the list of server-specific URLs.
Request Parameters
You should send the initiation request with the below parameters. All parameters are mandatory.
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format:
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step, the scope enhancement request. Note that it is short-lived (expires_in is given in seconds), so the scope enhancement request should follow promptly.

Step 2: Scope enhancement request

This request appends the additional scopes to the refresh token.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri: Specify the URI to which the authorization server will redirect the browser with the success or failure response. It must be the same URI that was provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is made, the application redirects the user to the Zoho login page, where the user enters their Zoho credentials. Once the user is authenticated, the permissions being requested are displayed.
If the user grants permission, the additional scopes are appended to the refresh token and a success response is returned: the user is redirected to the redirect_uri with the parameters status=success and scope_enhanced=true, and the same refresh token can continue to be used. If the user rejects the request, a failure response is returned: the user is redirected to the redirect_uri with the parameter error=access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied
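To tie the flow described in the "Incremental Authorization Flow" section and the two steps above together, here is an added worked example in Python. It is not code from this post or from Zoho's SDKs: the endpoint paths, parameter names and response fields are the ones documented above, while the accounts URL, client credentials, redirect URI and the injected transport are placeholders constructed for the example, and joining scopes with commas and the scope names used in the demo are assumptions. It builds the step 1 POST (the only request that carries the client secret, server-side), validates the response and its expiry, builds the step 2 browser URL (which carries only the short-lived enhance_token), and interprets the redirect back to the app, rejecting a callback that arrives at a URI other than the registered redirect_uri.

```python
import json
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholders (assumed for this example): the real accounts URL depends on the
# data center the client is registered in.
ACCOUNTS_URL = "https://accounts.example.invalid"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"


def build_initiation_request(accounts_url, client_id, client_secret, refresh_token):
    """Step 1: POST to /oauth/v2/token/scopeenhance with the four mandatory
    parameters. This is a server-to-server call, so the client secret stays in
    the POST body and never reaches the user's browser."""
    return {
        "url": f"{accounts_url}/oauth/v2/token/scopeenhance",
        "body": {
            "grant_type": "update_scopes_token",
            "client_id": client_id,
            "client_secret": client_secret,
            "refresh_token": refresh_token,
        },
    }


def parse_initiation_response(raw_json, now=None):
    """Validate the step 1 response and record when the short-lived scope
    enhancement token (expires_in seconds, 600 in the post) stops being usable."""
    data = json.loads(raw_json)
    if data.get("token_type") != "update_scope" or not data.get("access_token"):
        raise ValueError(f"unexpected initiation response: {data!r}")
    now = time.time() if now is None else now
    return {"enhance_token": data["access_token"],
            "expires_at": now + int(data["expires_in"])}


def build_scope_enhancement_url(accounts_url, client_id, redirect_uri,
                                scopes, enhance_token, logout=True):
    """Step 2: the URL the user's browser is sent to. Only public values plus
    the short-lived enhance_token appear here; no client secret, no refresh
    token. Joining scopes with commas is an assumption of this example."""
    query = urlencode({
        "response_type": "update_scopes",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scopes),
        "enhance_token": enhance_token,
        "logout": "true" if logout else "false",
    })
    return f"{accounts_url}/oauth/v2/token/addextrascope?{query}"


def parse_callback(callback_url, registered_redirect_uri):
    """Interpret the redirect back to redirect_uri: "success" for
    status=success&scope_enhanced=true, "denied" for error=access_denied;
    anything else, including an unexpected callback URI, is rejected."""
    parts = urlsplit(callback_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != registered_redirect_uri:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    params = parse_qs(parts.query)
    if params.get("status") == ["success"] and params.get("scope_enhanced") == ["true"]:
        return "success"
    if params.get("error") == ["access_denied"]:
        return "denied"
    raise ValueError(f"unrecognised callback parameters: {params!r}")


def start_incremental_authorization(post, client_id, client_secret, refresh_token,
                                    scopes, accounts_url=ACCOUNTS_URL,
                                    redirect_uri=REDIRECT_URI, now=None):
    """Run step 1 through an injected transport `post(url, body) -> str` and
    return the step 2 URL to redirect the user to, plus the token's expiry."""
    req = build_initiation_request(accounts_url, client_id, client_secret, refresh_token)
    step1 = parse_initiation_response(post(req["url"], req["body"]), now=now)
    url = build_scope_enhancement_url(accounts_url, client_id, redirect_uri,
                                      scopes, step1["enhance_token"])
    return {"redirect_to": url, "expires_at": step1["expires_at"]}


def fake_post(url, body):
    """Constructed stand-in for the accounts server so the example runs offline;
    it checks the request shape and returns the documented response format."""
    assert url.endswith("/oauth/v2/token/scopeenhance")
    assert body["grant_type"] == "update_scopes_token"
    assert {"client_id", "client_secret", "refresh_token"} <= set(body)
    return json.dumps({"access_token": "ENHANCE-TOKEN-PLACEHOLDER",
                       "token_type": "update_scope", "expires_in": 600})


if __name__ == "__main__":
    # Scope names below are assumed examples following the
    # ZohoCRM.modules.<module>.<operation> pattern, matching Scenario 1 above.
    result = start_incremental_authorization(
        fake_post, "client-id-placeholder", "client-secret-placeholder",
        "refresh-token-placeholder",
        ["ZohoCRM.modules.contacts.CREATE", "ZohoCRM.modules.deals.READ"])
    print("redirect the user to:", result["redirect_to"])
    print(parse_callback(REDIRECT_URI + "?status=success&scope_enhanced=true", REDIRECT_URI))
```

In a real deployment, `fake_post` is replaced by an HTTPS POST to the accounts server for your data center, and `parse_callback` runs in the handler behind the registered redirect_uri; the split keeps the client secret and the refresh token on the server while only the short-lived enhance_token travels through the browser.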

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!
