Incremental Authorization

Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!


    • Recent Topics

    • Linking an email to a Contact when the email is sent in deluge via sendmail

      The "to:" address in this code is a CRM Contact. Email address is forced unique in CRM This sendmail gets sent via a workflow which is in a custom module. It works, except that the outbound email does not appear (i.e, get linked to) the Contact such that
    • Introducing Bot Filtering for Accurate Email Campaign Analytics

      Dear Marketers, We're excited to announce a new feature designed to enhance the accuracy of your email campaign analytics: bot filtering. This feature helps you filter out bot-generated opens and clicks, ensuring your campaign reports reflect genuine
    • Edit HTML of forms? Add autocomplete="off"?

      Recently I've noticed that something — one customer suggested it was Chrome — is auto-filling one of my form fields with the customer's address. The field is a textarea that has nothing to do with the address — it's just a comment field. I'd like to be
    • All notes disappeared

      I've been using the notebook app for over five years on my phone without being logged into an account. A few days ago I opened the app and all my notes had disappeared. Since then I tried restarting my phone, updating the app and logging into my account,
    • Function 56: Automatically enable the option for customers to pay via bank account

      Hello everyone and welcome back to our series! One of the key features of Zoho Books is its integration with multiple payment gateways, allowing you to receive online payments for your invoices. This ensures faster payments, automates payment tracking
    • Issues hosting Zoho Desk Web Form on SharePoint and/or Power BI

      Zoho Desk onboarding support has no experience with embedding their web form in either SharePoint or Power BI. Microsoft states that SharePoint and Power BI only support iframe HTML. And unfortunately, the web form embed code that Zoho generates is not
    • Standalone function is not working

      Hi, We have created a standalone function to integrate with a third-party service using OAuth. However, the standalone function's REST API key is expiring automatically after some time. When we regenerate the API key from the admin account, the function
    • Zoho Visual Editor Not Opening

      Hello There I am trying to build a website using zoho and I can't open the visual editor. It keep saying Loading...  Do you know why it is happening. Thanks in Advance Regards Rajat
    • Function went from fine to nonfunctioning without change

      url = "https://www.zohoapis.com/crm/v7/Accounts/" + id + "/Attachments/" + attach_id; file_engage = invokeurl [ url :url type :GET connection:"zoho_attachments" ]; The attach id is grabbed from a file upload field account = zoho.crm.getRecordById("Accounts",id);
    • Can I give access of my Zoho Spreadsheet?

      Hello Everbody! I work with a travel and tourism company, and my job is to record the data of clients of the company. And I use zoho for my work. So my question is can I give access of my sheet to the clients and my company. Kindly guide me. Thankyo
    • Syncing Fields Between Accounts AND Deals

      Please don't email me, I will check this thread for updates daily. I have a custom set of 10 fields (CFSET) in my account pages and deals pages. I want to fill them out on accounts pages per each, then when I make a new deal in an account, I want to copy
    • Domain verification is in progress... (How long do I need to wait?)

      Trying to setup my first email domain by connecting with GoDaddy. Have been here for quite some time and the screen is not changing. How long should this take?Send DataSend Data
    • This mobile number has been marked spam. Please contact support.

      Hi Support, Can you tell me why number was marked as spam. I have having difficult to add my number as you keep requesting i must use it. My number is +63....163 Or is Zoho company excluding Philippines from their services?
    • Unable to send message;Reason:553 Relaying disallowed. Invalid Domain

      Team, When i try to send mail through ZOHO mail i am getting the following error. "Unable to send message;Reason:553 Relaying disallowed. Invalid Domain" Can i get some help on this. Thanks
    • Zoho mail stopped receiving emails

      My Zoho email addresses that are linked to a domain suddenly stopped receiving messages yesterday, even though I've been using Zoho mail without problems for 1,5 years. I receive this reply to test emails: "553 Relaying disallowed". Due to this, my SMTP
    • Email client fails to connect to IMAP & POP EU Servers for ALL users

      For the last couple of days, all users on my account are failing to connect to the Zoho EU mails servers. This is using mobile app on various phones & desktop mail clients on different computers. Everything works fine when using webmail & email is still
    • Zoho Project API search?

      Good day, i would like to search our entire portal for a task using the API. We have over 20k tasks so I dont to search for all tasks and then do a for each as it would take way to long and also would need to go over the limit of 200 records per query.
    • My email client shows no emails anymore

      I let my account expire due to old payment method. I repurchased it I turned back on IMAP Then all my emails disapeared. Everything is fine in the webview and and zoho mail app
    • Invalid Domain

      Team, When i try to send mail through ZOHO mail i am getting the following error. "Unable to send message;Reason:553 Relaying disallowed. Invalid Domain" Can i get some help on this. Thanks
    • URGENT - Issue with outgoing mail

      I am receiving mail but atm can not send - and not being given any code/reason as to why?
    • Impossible d'envoyer un message :Raison :553 Relaying disallowed. Invalid Domain - masertech.ma

      Bonjour, J'ai renouvelé mon abonnement mais j'ai le probleme de domain.
    • Email SPF Hard Fail

      Hi, can you help me to understand why email rejected? Paste error: This is the mail system at host pdx1-sub0-mail-mx206.dreamhost.com. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
    • Can I export to PDF in Zoho Learn

      I have seen help pages where export to pdf options are available but I do not see that option available from the application. I see that exprt is available in my free trial version but that is only to html pages. I need to be able to export my manuals
    • COQL equivalent to zoho.crm.getRelatedRecords

      Hello i add a standalone function, that i call from my js app with ZOHO.CRM.CONNECTION.invoke etc in the function i fetch with something like this AllContacts = zoho.crm.getRelatedRecords("relation_name","parent_module_name",recordid); it works great
    • Add option "Avoid custom home pages" to profiles

      We need our sales agents and members on each department in general to keep the same Home designed by their Managers. Let all users to create custom home pages is a huge mistake. The homepage creation must be limited by profile so only Managers are allowed
    • why is zoho assist server so slow

      Hello why is zoho assist server so slow, i use it every and and have fast speed at either end of the connection but zoho assist take upto 10 seconds per click, I connect on the chat they we will have a look and come back saying they have done a reset
    • WHEN UPDATE ORGANIZATION INFO OLD INVOICES ALSO CHANGE INVOICING DATA

      Hi We have updated our tax information because we have become a company, up until now we were an individual. The problem is that when updating the data in the zoho books profile all the old invoices change their tax information as well. Is there a way
    • DELETE EU VAT ID FORM MY ACTUAL INVOICE ADDRESS FROM MY ACCOUNT

      WE NEED TO DELETE (NOT CHANGE) THE EU VAT ID FROM OUR INVOICE ADDRESS. WHEN WE TRY TO LEFT IT BLANNK, AGAIN SAVE THE OLD EU VAT ID. YOU ARE SENDING US FALSE INVOICES WITH FALSE DATA
    • Enable Timesheet for Client Users

      In Zoho Projects, the client users can log work hours in timesheets and track the time spent on tasks and issues. This permission can be enabled only by the portal owner or the admin. For instance, If the administrator wants a client user to add the time
    • Possible to delete the "Big Deal Alert" in Zoho CRM?

      Hi, Is it possible to delete the "Big Deal Alert" in Zoho CRM? My company has no need for it and I want to remove it to clean up my email templates list. Thank you.
    • How to Create and Edit Advances in Zoho Expense Using Deluge?

      Hi everyone, I am working with Zoho Expense and need to manage Advances (Advance Payments) using Deluge. I’ve familiarized myself with some basic functions, but I have specific questions about how to create and edit advance records: Creating Advances:
    • ¿Cómo publicar mi pagina web zoho?

      Arme una pagina web en zoho, al querer publicarla seguí los pasos y pulse en publicar, pero no se publico. Ya pasaron 2 días. podían ayudarme.
    • What's New in Zoho Analytics - December 2024

      Hello Users! We’re excited to bring you a roundup of the latest features and improvements in Zoho Analytics. These updates are designed to elevate your data analytics experience, making it more powerful, interactive, and seamless. Let’s dive in! Expanded
    • Setting default From address when replying to request

      At the moment, if I want to reply to a request, the From field has three options, company@zohosupport.com, support@company.zohosupport.com, and support@company.com.  The first two are really internal address that should never be seen by the customer and
    • Zoho Sheet View

      Hello, Is there a way to either customize the columns that appear in Zoho Sheet View, or else show all columns?
    • For security reasons your account has been blocked as you have exceeded the maximum number of requests per minute that can originate from one account.

      Hello Zoho Even if we open 10-15 windows in still we are getting our accounts locked with error " For security reasons your account has been blocked as you have exceeded the maximum number of requests per minute that can originate from one account. "
    • Sharing sheet without affecting original spreadsheet

      I want to share a sheet using a password unique to the end user who will be able to enter data that will help them make a decision. I don't want or need any changes to show up to original file inside my Zoho account. I will be sharing this sheet over
    • How do you re-order (sort) the order of articles in a chapter?

      So you can re-order Chapters but I cannot see where and how to re-order the Articles within each Chapter... Surely this is possible?
    • Recurring Events Not Appearing in "My Events" and therefore not syncing with Google Apps

      We use the Google Sync functionality for our events, and it appears to have been working fine except: I've created a set of recurring events that I noticed were missing from my Google Apps calendar. Upon further research, it appears this is occurring
    • How do I delete survey responses (Customer Happiness)

      Hi,  I need to remove dummy survey responses (those I created during evaluation period), and invalid ones - responses received from Cancelled tickets - which is a custom status we use to close spam, duplicate, or internal emails. I cannot find anywhere to remove them, and one of your chat agents suggested to remove the response provider (contact).  I'm not inclined to do what was suggested as there could be valid responses from that contact, so kindly provide another option. And I did try that too
    • Next Page