Incremental Authorization

Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!


    • Recent Topics

    • Where are scheduled emails stored?

      After you schedule an email to go out through the CRM, how do you go about changing that scheduled email? Or even where can I see the list of emails scheduled to go out? They are not listed in my Zoho Mail account in Outbox which has been the only answer

    • CRM Home Page Dashboard, how can i add zoho desk cases?

      How can i see which tickets are in my group as a dashboard component on the home tab in zoho crm? I don't see any way of adding this.

    • Custom Module missing SDK function fetchRelatedRecords(...) in a Client Script

      Good day, We have added a new module with a Multi-Lookup relation to Contacts.  When we tried to use the fetchRelatedRecords(id, related_list_api_name) function to get Related Records it is missing for our new custom module. https://js.zohocdn.com/crm/5124797/documentation/DotSDK/Modules.html

    • Assistance with Setting Default Values for Zoho Chat Custom Fields

      I am currently using the Zoho Chat JavaScript API to successfully add custom fields to the chat interface. While the implementation of these fields has been smooth, I am now looking to set default values for these custom fields. However, I couldn't find

    • Subform Client Script

      Good day,  I have a subform where users can subscribe to various magazines. I would like to prevent the user from selecting the same magazine twice when adding a new row. Is there a way to prevent the user from doing this? (Can it be done via a client

    • Serious question: Are there actually "solo-preneurs"/small business owners who made Zoho-one work well for them?

      L.S. After already many years of continued struggle with Zoho-One, I am seriously wondering if there are actually solo-preneurs (one person small business owners - without a large, dedicated IT dept.) who got it (Zoho-One) to work well for their businesses.

    • Calendar Bookings in Recruit

      Hi there, We have recently started using Zoho recruit and although it has some great functionality there are a few gaps that are causing real headaches. One of those being how interviews are scheduled. The majority of our hiring managers are field based

    • Getting Error : Developer Tool Detected

      Hi Team, Getting the error during open the portal, error attached on the same ticket. Please check and help us to resolve the same.

    • Send Zoho Creator Template by Email or sendemail

      Hello All Question:- How we can send the Zoho creator email template using the send email by the workflow or using the Function? by the Workflow sendmail [ from: zoho.adminuserid to: "zohodeveloper@yopmail.com" subject: "Test Template" message: "Test

    • Upgraded to Zoho One but Zoho Meeting still says Free Plan

      I signed-up for the Zoho One plan. When exploring the applications included, I came across a problem with Zoho Meeting. It says it's the free plan. I emailed support but they sent me a link that doesn't work and, when I found the article on my own, it

    • 新年のご挨拶、直近のイベントスケジュール

      🎍🐍謹賀新年🎍🐍 ユーザーの皆さま、明けましておめでとうございます! コミュニティチームの中野です。 本年もよろしくお願い致します。 昨年のZoho Japanコミュニティでは、東京・大阪・名古屋・福岡 4都市でのユーザー交流会開催や、自社最大イベント「Zoholics Japan 2024」でZoho Championの皆さまとのパネルディスカッション、10月の東京ユーザー交流会では本社CRMプロダクトマネージャーを招きロードマップ解説セッションの実施、さらにZohoアンバサダープログラムのローンチ(近日公開予定)など、新たな取り組みに挑戦しました。

    • Request to Customize Module Bar Placement in New Zoho CRM UI

      Hello Support and Zoho Community, I've been exploring the new UI of Zoho CRM "For Everyone" and have noticed a potential concern for my users. We are accustomed to having the module names displayed across the top, which made navigation more intuitive

    • Client script: Can not choose a date field for an onChange field event

      Hi Zoho Team Why can't I choose one of my date fields to trigger an onChange event? Is this a client script limitation, or something wrong with my instance? If it is a limitation, is this mentioned in the documentation anywhere? Thanks. Marcus

    • Upgrade User

      Hi Sir/Madame, I have 7 users in my organisation but I need upgrade more space only 2 users. Is it possibe? Thanks

    • Dashboard Auto-refresh

      Why is there no Auto-refresh on the Dashboard? People have been asking for the last 6 years for this function from what I can see in my reasearch, it seems like a very simple intergration for Zoho to achieve. on Sept. 2, 2014, this was added: Support

    • Console error with widget in View mode, not present in Edit Mode with ZOHO.CRM.API.updateRecord(config)

      hello i have that function to update an account records (from a widgets created with sigma) function handleCopyButtonCRMClick() { console.log('handleCopyButtonCRMClick'); /* * Fetch Information of Record passed in PageLoad * and insert the response into

    • add meeting link

      i want to add A meeting link in the mail when the user book the appointment then with the conformation mail i want to add meeting link there

    • Zoho One - White Label

      Releasing a white-label feature for Zoho One, or any software or service, can offer several advantages and benefits for both the company providing the software (Zoho in this case) and its users. Here are some key reasons for releasing a white-label feature

    • Missing parameters in request, any way i can figure out what parameters i need to add?

      const url = "https://people.zoho.com/people/api/forms/json/P_Task/insertRecord"; const inputData = { "Status": "Open", "Description": "Task to set up and configure Zoho Mail on desktop application.", "CreatedTime": "01-Jan-2025 10:30 AM", "Due_Date":

    • Running Total % in Pivot with filters

      Hi there, I have seen a few posts on this topic, but i cant seem to find one that will work when applyig filters to the data. I have Rows and Data in a pivot view I want to show the running total of revenue as a % of the total for the data set. If i add

    • Included in Zoho One?

      Will LandingPage eventually be included in Zoho One?

    • Add an "Impersonate" feature to Zoho Projects

      It would be nice to have an "impersonate" feature added to Zoho Projects that would allow administrators to impersonate employees to enable administrators to see for themselves what employees can and cannot see in the system. I am aware of all of the

    • Select CRM Custom Module in Zoho Creator

      I have a custom module added in Zoho CRM that I would like to link in Zoho creator.  When I add the Zoho CRM field it does not show the new module.  Is this possible?  Do i need to change something in CRM to make it accesible in Creator?

    • GROUPING OF CUSTOMER

      SIR PLEASE ADD GROUPING OF CUSTOMER IN ZOHO BOOKS

    • Zoho LandingPage is integrated with Zoho One!

      Greetings to the Zoho One users out there! We're delighted to let you know that Zoho LandingPage is available in Zoho One too! With Zoho LandingPage, you can host custom-made landing pages, and persuade the visitors to dive deeper by making further clicks,

    • 2024 Wrap: Rediscover these features and enhancements in Zoho CRM

      Hello everyone! I wish all of you a joyful and prosperous 2025! As we welcome 2025, I’m excited to share a recap of the year 2024 and highlight some of the coolest new features and enhancements we’ve added to the Zoho CRM platform. Last year, we announced

    • A quicker way to provide accountants access to Zoho Books, similar to Xero and Quickbooks

      Hey guys, I'm finding the procedure to give access to an external accountant to Zoho Books less than ideal. Having to create an account by Zoho instead of myself, and then wait for it to be given a license to then pass to the accountant seems a bit time

    • This user is not allowed to add in Zoho. Please contact support-as@zohocorp.com for further details

      Hello, Just signed up to ZOHO on a friend's recommendation. Got the TXT part (verified my domain), but whenever I try to add ANY user, I get the error: This user is not allowed to add in Zoho. Please contact support-as@zohocorp.com for further details I have emailed as well and writing here as well because when I searched, I saw many people faced the same issue and instead of email, they got a faster response here. My domain is: raisingreaderspk . com Hope this can be resolved.  Thank you

    • Update Candidate Status Through Workflow in Blueprint

      Hi Team,  We have a blueprint built out with custom functions that update particular fields based on candidate actions. When particular fields are updated we need to move the candidate forward in the blueprint. We tried to do this through a workflow,

    • Zoho Canned respond do have a huge lag issue.

      Previously the Zoho canned respond works perfectly ... on once server update and all the Canned respond enconter huge lag... in the end cause most of the canned respond just shown code with /xxx and not the sentence....

    • ShipStation and Zoho Inventory

      Hello, I am looking to sync zoho inventory with shipstation ZOHO INVENTORY           SHIP STATION Sales Order  ==>  create ORDERS INVOICE  <==    Shipments What exactly does BETA mean on the Shipstation connector?  This is required for me to sign-on in the next month. Thanks in advance for your efforts

    • Saving slide elements

      I have created grouped items including text and animation that I want to use in later slides. (Like an animated logo) Is there a way to save these grouped elements in my library?

    • Are downloadable product available in Zoho Commerce

      Hi all. We're considering switching to Zoho Commerce for our shop, but we sell software and remote services. Is there a features for downloadable products? I can't find any information about this. Thank you very much Alice

    • Function #10: Update item prices automatically based on the last transaction created

      In businesses, item prices are not always fixed and can fluctuate due to various factors. If you find yourself manually adjusting the item rates every time they change, we have the ideal time-saving solution for you. In today's post, we bring you custom

    • Move site from WIX to ZOHO Sites

      I have a simple website on WIX.  I am wondering if someone is available to help me move this website - https://www.videothreezero.com/ to ZOHO.  Michael  Boston

    • zoho calendar week view - "super compact by default"

      every time i go to my calendar i have to re-engage the "super-compact view" for the week view...is there a way to make "super-compact" a default view so I dont have to keep on setting it manually?

    • Change work hours per day for employees

      Hello, Is there a way to modify the work hours per day for employees in Zoho projects? This would be helpful for resource allocation to more accurately see when an employee who works 35 hours a week vs 40 hours has a full schedule. Thanks.

    • Zoho CRM Automation Help: Send Email When Fault is Marked as Done & Module Relationships

      Hi everyone, I have the following User-Created Modules in Zoho CRM: Clients Assets Faults Handymen Every client can have multiple assets. Every asset can have multiple faults. Every fault is assigned to one handyman. What I Want to Achieve: ✅ I want to

    • Adding New Domain to Zoho mail

      Hi, I have one Zoho account already called for example "Awesome Animals". Under this account I have one domain already setup with zoho mail, example: - awesomecats.com I have another website as well which I want to add under this "Awesome Animals" account,

    • I cannot receive emails.

      I need help, I've tried everything but I still can't receive emails from other people. I can send it but I can't receive emails, When I created the email it was all in order and suddenly I can't get emails from anyone anymore.

    • Next Page