Incremental Authorization

Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:

• Users are not overloaded with scopes in the initial stage
• Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.

If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 

When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST  {accounts-url}/oauth/v2/token/scopeenhance ?grant_type=update_scopes_token &client_id={client_id} &client_secret={client_secret} &refresh_token={refresh_token}

The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.

Request Parameters 

You should send the initiation request with the below parameters. All parameters are mandatory

• grant_type: Specify the value as "update_scopes_token".
• client_id: Specify the client-id obtained from the API console.
• client_secret: Specify client-secret obtained from the API console.
• refresh_token: Specify the refresh token to which the additional scopes should be appended.

You will receive a response in the below format

{ "access_token": "{scope_enhancement_token}", "token_type": "update_scope", "expires_in": 600 }

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.

Request format

GET {accounts-url}/oauth/v2/token/addextrascope ?response_type=update_scopes &client_id={client_id} &redirect_uri={redirect_uri} &scope={required_scopes} &enhance_token={scope_enhancement_token} &logout=true

Parameters

• response_type: Specify the value as "update_scopes".
• client_id: Specify the client-id obtained from the API console.
• redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
• scope: Specify the scopes of the additional resources for which access is required.
• enhance_token: Scope enhancement token received in the response of the previous initiation request. 
• logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.

When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.

The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response

{redirect_uri}?status=success&scope_enhanced=true

Failure Response

{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!

If you have any questions, let us know in the comment section.

Cheers!

Previous Kaizen: Kaizen #167 - Configuration and Initialization of Zoho CRM Python SDK (V7) for different client types |

Kaizen Collection: Directory | Help document link: Incremental Authorization

• Topic Participants

• Mable Mary M P

  

• Sticky Posts

• Client Script | Update - Introducing Commands in Client Script!

  Have you ever wished you could trigger Client Script from contexts other than just the supported pages and events? Have you ever wanted to leverage the advantage of Client Script at your finger tip? Discover the power of Client Script - Commands! Commands

• Kaizen #165 : How to call Zoho CRM APIs using Client Script

  Welcome back to another exciting Client Script post! In this post, we will discuss one of the most frequently asked questions: How do you call Zoho CRM APIs from Client Scripts? In this kaizen post, 1. Ways to make calls to Zoho CRM APIs using Client

• Kaizen#162 : Add Tags and Open Pre-filled Email Drafts via Client Scripts

  Hello everyone! Welcome to another informative Kaizen post. In this post, let us see how to accomplish the following using Client Script. 1. How to auto-tag a record based on field update? 2. How to Open a pre-filled email draft This post will provide

• Extension Pointers - JS SDK series #4: Managing data from a widget using ZOHO.CRM.HTTP

  Handling and managing the data between two applications is a major factor for an efficient business. There are a variety of ways to handle data between Zoho CRM and other third-party applications. You can use deluge CRM tasks, create connectors, use API

• Kaizen #152 - Client Script Support for the new Canvas Record Forms

  Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved

• Recent Topics

• Self Client Authorization Issue

  Hi. Trying to test the api integration for Zoho Desk with the Self Client - Client Credintials flow method. I've created the self client, obtained the client id and secret, inputted "Desk.tickets.ALL" as my scope, and "ZohoDesk.[My Zoho Desk Org ID]"

• How Can I Easily Access and Manage My GEPCO Online Bill Using Zoho Sheets?

  Hello everyone, I'm looking for an efficient way to access and manage my GEPCO online bills. I've heard that Zoho Sheets can be a powerful tool for organizing and tracking bills, but I'm not sure how to set it up for this specific purpose. Does anyone

• All notes disappeared

  I've been using the notebook app for over five years on my phone without being logged into an account. A few days ago I opened the app and all my notes had disappeared. Since then I tried restarting my phone, updating the app and logging into my account,

• How to add tags to a record with jS SDK 1.2/ZohoEmbededAppSDK

  Hello Is it possible to add tags to a record with jS SDK : https://live.zwidgets.com/js-sdk/1.2/ZohoEmbededAppSDK.min.js ZOHO.CRM.API.updateRecord Thanks for insights

• URGENT: Zoho Forms reCAPTCHA v2 Spam Issue

  Hello Everyone, We are encountering a critical issue with Zoho Forms despite having reCAPTCHA v2 enabled. Our business is accessibility-focused, and we are receiving a high volume of spam submissions, which is significantly affecting our workflow and

• View all Products by pipeline deal

  Very good CRM I use it everyday only problem is modules not being interconnected especially products module. The main problem of products module are separated from contacts and company modules and only being connected to the Deals module. This way there's

• Add "Lead Image" in Bulk?

  Each of our Leads is accompanied with a URL containing a photo of the lead when they come in. We currently have to manually download then upload the photo to the lead. This is a HUGE waste of time. Is there any way to AUTOMATICALLY add the photos to the

• Map fields from CRM record to Finance Suite/Books Invoice fields

  I'm trying to auto-fill unique record specific field inputs that I have in my Contacts and Deals modules onto Invoices created from the record's finance suite related list upon creation.  One example is a field called "Job Number" that I have in my Contact

• What's New in Zoho Analytics - December 2024

  Hello Users! We’re excited to bring you a roundup of the latest features and improvements in Zoho Analytics. These updates are designed to elevate your data analytics experience, making it more powerful, interactive, and seamless. Let’s dive in! Expanded

• trying to access CRM Variables with JS SDK

  Hello i built a widget with Sigma, i create CRM VARIABLES in custom properties. I try to access them in function : ZOHO.embeddedApp.on("PageLoad",function(data) with : ZOHO.CRM.CONFIG.getVariable("mycrmvariable").then(function(data){ console.log("mycrmvariable

• Writing on sketch cards is bugged when zoomed in

  When zoomed in, it writes a noticeable distance above or to the side of where you're actually trying to write. The further you're zoomed in, the more noticeable it is. Zooming is also entirely absent on the desktop version.

• Private Project

  Hi, I would like to know if a user can create a Private project that only he's able to see it. Not even the ADMIN user. Thanks

• Accordion in tabs to create FAQs, etc.

  Accordion elements do not seem to be able to be placed in the tabs. It would be useful to be able to do this. Thank you.

• Which are the IP addresses to use for 'split delivery' with Office 365? (Zoho mail inbound gateway)

  Hi, I'm trying to set up 'split delivery' (email routing) with Office 365. I'm following the instructions to set up Office 365 as the primary server (https://www.zoho.com/mail/help/adminconsole/coexistence-with-office365.html) One of the prerequisites

• Zoho Projects 2024 Recap

  Dear Users, As we conclude another remarkable year, it's the time to reflect on the journey we've just completed. The year 2024, defined by significant milestones, challenges, achievements, and important lessons. Every moment has contributed to the story

• Custom Fields at Line Level

  Hi, is there an ability to add custom fields at line level? I need to track the start and the end date for each product within an invoice and I can't seem to find an option to do this.

• Zoho API Error Code 7019 when adding job.

  Hello, I am following the documentation found here. https://www.zoho.com/people/api/timesheet/adding-jobs.html Regardless of how I try and post the data (including just using the example requests), I receive back the response {'response': {'message':

• How to see changes with ZOHO.CRM.API.updateRecord(config) without reload page

  hello got a widget in account, trigger with a button i copy data to account when click on a button, in my popup All is working well. But i need to reload the page to see the update. How can i see the changes without reloading page, only when close the

• How to call a Creator function which is in a different Creator application?

  How to call a Creator function which is in a different Creator application?

• Unable to send message; Reason: 554 5.1.8 Email Outgoing Blocked

  My account is mino@flawless-frames.com, or flawlessframesstudio@gmail.com Could you please unblock my account, I've got restricted from sending more emails

• Stock Count

  The stock count is a nice new feature, but we cannot figure out how to: 1. Use it without assigning to a person, we have a team or one of multiple do stock counts as do most any company. 2. Add any extra fields to what the "counter" sees. The most important

• Move a Contact from Current Account to a NEW Account

  I do not believe the functionality to Move a Contact from a Current Account to a New Account is not available. Please someone tell me I am missing something! I have been through designing, developing, using and selling CRM systems for over 25 years and had this functionality20+ years ago in other CRMs.  In the real world people move from one organisation to another. In the sales, finance and technical world it is nice to see the communication history with that person in their old account and also

• Force Specific Layout for CRM Contacts Portal

  Hello: We're in trial on ZOHO One and looking at the CRM Portal (just for the contacts module). We have a client layout set up for Contacts that is working well for our internally, but for the portal we don't want to require (make mandatory) some of the

• Automatic Removal of Departments and Groups for Inactive Employees in Zoho One

  Hi Zoho One Team, We hope you're doing well. Currently, when an employee is marked as inactive in Zoho One, they remain listed as a member of their department and associated groups. This creates a challenge in maintaining accurate records and ensuring

• Change eMail Template for Event-Invitations

  Hello ZOHO-CRM Team How I can change the eMail Template for Event-Invitations? I work with the German Version of the Free Version. I know how I can modify eMail alerts or Signature Templates, but where I can other eMails modify you send out? Thank you for your answer. Regards, Juerg

• Zoho Social integration with Zoho Flow

  Is there any plans for Zoho Social integration with Zoho Flow?

• Zoho CRM Widget and translations

  Hi everyone! We're building a Widget with zoho-extension-toolkit, how is localization supposed to work? "zet init" created a translations/en.json file, but what should go inside it and how is it supposed to be accessed from the Widget/javascript? Thanks

• Bienvenue à Zoho FSM : l'optimisation des opérations locales qui offre une expérience de service impeccable

  Nous sommes ravis de vous présenter Zoho FSM, la plateforme de gestion des services terrain de bout en bout. Les solutions de gestion des services locaux s'adressent aux organisations qui effectuent des activités d'installation, de réparation et de maintenance

• Adding tag to specific record as an acion in a workflow

  Hi! I've created the following workflow in the module 'Leads'. When a record meets the criteria, there should be a tag added to the specific record in the module 'Contacts'. In the module 'Leads', there is a look-up field named 'Kandidaat' which is connected

• Trying to catch error with ZOHO.CRM.HTTP.get (Response Code)

  Hello, I'm trying to get response header from ZOHO.CRM.HTTP.get, in order to catch error like 404 or something else but it seems that ZOHO.CRM.HTTP.get() method only returns the body of the response, and I see no way to access the headers returned. Is

• FSM - How to ADD PHOTOS to Estimates & Invoices

  How can you add photos to estimates and invoices that are being emailed to the client so the can see what you are estimating and your completed work?

• Free developer edition of Zoho CRM

  A question for Zoho and other developers: How can you set up a demonstration version of a Zoho CRM implementation to show employers/clients what can be achieved? Do you pay for Zoho CRM Enterprise/Zoho One for this purpose? Does Zoho offer a free version

• Can I add Conditional merge tags on my Templates?

  Hi I was wondering if I can use Conditional Mail Merge tags inside my Email templates/Quotes etc within the CRM? In spanish and in our business we use gender and academic degree salutations , ie: Dr., Dra., Sr., Srta., so the beginning of an email / letter

• Where are scheduled emails stored?

  After you schedule an email to go out through the CRM, how do you go about changing that scheduled email? Or even where can I see the list of emails scheduled to go out? They are not listed in my Zoho Mail account in Outbox which has been the only answer

• CRM Home Page Dashboard, how can i add zoho desk cases?

  How can i see which tickets are in my group as a dashboard component on the home tab in zoho crm? I don't see any way of adding this.

• Custom Module missing SDK function fetchRelatedRecords(...) in a Client Script

  Good day, We have added a new module with a Multi-Lookup relation to Contacts.  When we tried to use the fetchRelatedRecords(id, related_list_api_name) function to get Related Records it is missing for our new custom module. https://js.zohocdn.com/crm/5124797/documentation/DotSDK/Modules.html

• Assistance with Setting Default Values for Zoho Chat Custom Fields

  I am currently using the Zoho Chat JavaScript API to successfully add custom fields to the chat interface. While the implementation of these fields has been smooth, I am now looking to set default values for these custom fields. However, I couldn't find

• Subform Client Script

  Good day,  I have a subform where users can subscribe to various magazines. I would like to prevent the user from selecting the same magazine twice when adding a new row. Is there a way to prevent the user from doing this? (Can it be done via a client

• Serious question: Are there actually "solo-preneurs"/small business owners who made Zoho-one work well for them?

  L.S. After already many years of continued struggle with Zoho-One, I am seriously wondering if there are actually solo-preneurs (one person small business owners - without a large, dedicated IT dept.) who got it (Zoho-One) to work well for their businesses.

• Calendar Bookings in Recruit

  Hi there, We have recently started using Zoho recruit and although it has some great functionality there are a few gaps that are causing real headaches. One of those being how interviews are scheduled. The majority of our hiring managers are field based

• Next Page