Incremental Authorization

Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that lets a client request specific authorization scopes only when they are needed. The client does not have to request every scope it might ever need upfront, which would otherwise lead to a poor user experience. Incremental Authorization is considered a best practice for OAuth authorization requests because:
  • Users are not overloaded with scopes at the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization.

Incremental Authorization Flow

When a user first signs in to the application, the application requests only the essential permissions it needs. As the user engages with the application, they may trigger features that require additional permissions. When the application identifies this, it follows the steps below:

Initiation Request (Step 1: Get Scope Enhancement Token)

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, uses a custom in-house marketing tool that integrates with Zoho CRM. Initially, the tool has permission only to read Leads in Zoho CRM. However, as the marketing team expands its operations, it realizes that it needs to create new Contacts based on sign-ups and retrieve existing Deals data for analysis. The tool is then revamped to create Contacts and view Deals data.
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to grant access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token.

Scenario 2

Consider that you want to use a new Zoho CRM API that was just released as part of a version release. Your refresh token does not have the scope required to access the new API. In such cases, you can use incremental authorization to append the required scope to the same refresh token.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}

The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters
You should send the initiation request with the parameters below. All parameters are mandatory.
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format:
{
    "access_token": "{scope_enhancement_token}",
    "token_type": "update_scope",
    "expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the additional scopes to the refresh token.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri: Specify the URI to which the authorization server will redirect the browser back with the success or failure response. It has to be the same URI that was provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho login page, where the user enters their Zoho credentials. Once the user is authenticated, the requested permissions are displayed.
When the user grants permission, the additional scopes are appended to the refresh token and a success response is returned: the user is redirected to the redirect_uri with the params status=success and scope_enhanced=true. The application can continue using the same refresh token. If the user rejects the request, the system returns a failure response: the user is redirected to the redirect_uri with the param error=access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied
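The two steps above, Step 1 (initiation request) and Step 2 (scope enhancement request and its redirect back), as an added client-side example in Python; this is not code from the original post or from Zoho. It assumes scopes are comma-separated in the scope parameter and that the Step 1 parameters are sent as a form body; the client_id, redirect_uri, scope names and token values in the comments are constructed placeholders.

```python
"""Helpers for the two-step Zoho incremental authorization flow (added example)."""
import json
import time
import urllib.parse

def build_initiation_request(accounts_url, client_id, client_secret, refresh_token):
    """Step 1: POST body for /oauth/v2/token/scopeenhance. Server-side only:
    the client_secret must never be sent to the browser."""
    body = {
        "grant_type": "update_scopes_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }
    return accounts_url.rstrip("/") + "/oauth/v2/token/scopeenhance", body

def parse_initiation_response(raw_json, now=None):
    """Validate the Step 1 reply; return (enhance_token, expiry_epoch). Refuses
    anything that is not token_type "update_scope" (e.g. an ordinary access token)."""
    data = json.loads(raw_json)
    if data.get("token_type") != "update_scope" or not data.get("access_token"):
        raise ValueError(f"not a scope enhancement token: {data!r}")
    now = time.time() if now is None else now
    return data["access_token"], now + int(data["expires_in"])  # expires_in is 600s

def build_scope_enhancement_url(accounts_url, client_id, redirect_uri, scopes,
                                enhance_token, logout=False):
    """Step 2: GET URL for /oauth/v2/token/addextrascope. Scopes are joined with
    commas (assumed, as in Zoho's regular authorization request)."""
    params = {
        "response_type": "update_scopes",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must equal the URI registered in the API console
        "scope": ",".join(scopes),
        "enhance_token": enhance_token,
    }
    if logout:
        params["logout"] = "true"
    return (accounts_url.rstrip("/") + "/oauth/v2/token/addextrascope?"
            + urllib.parse.urlencode(params))

def parse_callback(callback_url, registered_redirect_uri):
    """Classify the redirect back to redirect_uri: 'success' only for
    status=success&scope_enhanced=true on the registered URI, 'access_denied'
    for error=access_denied, otherwise 'invalid' (e.g. a forged callback)."""
    parsed = urllib.parse.urlsplit(callback_url)
    base = urllib.parse.urlunsplit((parsed.scheme, parsed.netloc, parsed.path, "", ""))
    if base != registered_redirect_uri:
        return "invalid"
    q = urllib.parse.parse_qs(parsed.query)
    if q.get("status") == ["success"] and q.get("scope_enhanced") == ["true"]:
        return "success"
    if q.get("error") == ["access_denied"]:
        return "access_denied"
    return "invalid"
```

The scope enhancement token is only valid for the 600 seconds reported in expires_in, so the Step 2 redirect should be issued right after Step 1 rather than stored for later.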

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!
