OAuth 2.0 User Guide
If you are building a custom application with Zoho account or if you want to make certain modifications to the already existing calendar features depending on your needs, it is mandatory to obtain permission to access the Calendar API. For this reason, OAuth 2.0 authentication is required.
The following steps will help you understand on how to proceed with the OAuth 2.0 authentication process.
1. Register your application : Generate Client ID and Client Secret using Client Name and Client Domain
The primary step towards receiving your OAuth 2.0 authentication is registering your application with Zoho Developer's Console. Once you register yourself, your Client ID and Client secret will be generated.
Steps to generate your client ID and client secret:
1. To register your application, navigate to https://accounts.zoho.com/developerconsole.
2. You will be prompted with a screen that says "You don't have credentials to access the API". Click on the Add Client ID button to proceed further.
3. The Create Zoho Client ID window is opened. Fill in the details shown to you which consists of Client name, Client Domain and Authorized redirect URIs.
4. After filling the required fields, click on Create.
You will be provided with the Client ID and the Client secret which will be known to both Zoho and your application. Using these credentials, you can go ahead with the OAuth 2.0 authentication.
2. Get Authorization: Generate code (expires in 3 to 8 minutes) using client ID
In the next level of authentication, the user needs to call an "Authorization URL". This authorization URL should be defined using certain parameters as mentioned below:
| Parameter | Type | Description |
|---|---|---|
| Required Parameters | ||
| client_id | unique identifier | The ID that was assigned to your app when you registered it. |
| response_type | string | "code” |
| redirect_url | URL | Your callback URL with authorization code and response token. This should be the same link which you used during registration. |
| scope | string | Specifies the scope allowed for your app. Has to be separated by commas. Syntax: Servicename.Scopename.Operation Example: AaaServer.profile.RAD |
| Optional Parameters | ||
| access_type | string | Offline/Online (By default it is taken as Online).The Online access type gives your application only the access token which is valid for one hour.The Offline access type will give the application an access token as well as a refresh token. |
| prompt | string | Prompt = Consent. Prompts for user consent each time your app tries to access user credentials. |
| state | string | A generated value that correlates the callback with its associated authorization request. |
Example:
GET oauth/v2/auth
Host:: https://accounts.zoho.com
Query String
https://accounts.zoho.com/oauth/v2/auth
?response_type=code
&client_id=1000.R2Z0WWOLFVMR287126QED3B4JWQ5EN
&scope=AaaServer.profile.READ%2CAaaServer.profile.UPDATE
&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2FZohoOAuth%2Findex.jsp
&state=-5466400890088961855
After the authorization URL is called by the user, a new page called as the "User Consent Page" is loaded. The user has to either Accept or Decline the authorization process at this stage.
If the user proceeds with Accept, then Zoho redirects the user back to your site with an Authorization code. After receiving the auth_code, the access token can be generated by the application by sending a request to Zoho. In case, the user clicks on Deny, then the server returns an error.
Prompting re-consent:
You can prompt the user to reauthorize your app every time the user logins in by adding the prompt=consent parameter to the authentication request.
When prompt=consent is included, the consent screen is displayed every time the user logs into your app. For this reason, include prompt=consent only when necessary.
Note:
Each time a reconsent page is accepted, a new refresh token is generated. The maximum limit is 20 refresh tokens per user. If this limit is crossed, the first refresh token is automatically deleted to accomodate the latest one. This is done irrespective of whether the first refresh token is in use or not.
3. Get the Access Token : Generate Access Token and Refresh Token using Client ID, Client Secret, Code and Scope
The crucial step towards authentication lies in the generation of access token and refresh token. Once the auth_code is received by the application, the auth_code can be used to request Zoho for generating the required access token. When the user sends a request for the access token, your app will receive the user details. Since this is an important step in the entire process, be careful while setting the parameters for the same.
| Parameter | Type | Description |
|---|---|---|
| Required Parameters | ||
| code | string | Authorization code obtained from the initial request. |
| client_id | unique identifier | The ID that was assigned to your app when you registered it. |
| client_secret | string | Your app's secret that was assigned when you registered your app and available in your profile. |
| grant_type | string | This field must contain a value of authorization code, as defined in the OAuth 2.0 specification. |
| redirect_url | URL | Your callback URL with authorization code and response token. |
| scope | string | Specifies the scope allowed for your app. Has to be separated by commas. |
| Optional Parameters | ||
| state | string | Has to be maintained the same during the entire process for authenticity. |
Example:
POST oauth/v2/auth
Host:: https://accounts.zoho.com
Query String
https://accounts.zoho.com/oauth/v2/token
?code=1000.fadbca4c2be2f08b0ce82a54f6344313.ba532585103af6f12a0f160
&grant_type=authorization_code
&client_id=1000.R2Z0WWOLFVMR287126QED3B4JWQ5EN
&client_secret=39c689de68c712fa5f1f06c3b1319ab98f59fa921b
&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2FZohoOAuth%2F index.js
&scope=AaaServer.profile.READ%2CAaaServer.profile.UPDATE
After the user has made a request using the authorization code, Zoho will issue a response to your app which contains the following information:
expires_in - Time in milliseconds for which the token remains valid.
token_type - Type of token. (”bearer”) access_token
access_token - Access token for this user.This token can be used for the final API calls and will be valid only for one hour.
refresh_token - Refresh token to be used when the access token has timed out. This token is permanent and can be used multiple times (limit - 20) to refresh the app and get a new access token. You can store this data so that there is no need for authorization each time the user accesses your app.
4. Use the Access Token: Access API with the Access Token (Access Token expires in 3600 seconds)
Once you have received the access token, you can use it to obtain access to the calendar API. Send the access token as a header when you call a Zoho service REST API.
Example:
GET oauth/user/info
Query String
HOST: https://accounts.zoho.com/
Header:Authorization= Zoho-oauthtoken
When the access token with the available scope invokes the URL, the information as permitted in the scope is granted to the application. The user credentials are thus obtained and the regular sign-in flow can be implemented.
5. Use the Refresh Token : Regenerate the Access Token (Generate Access Token using Refresh Token)
Access tokens have limited validity. In most cases, the access tokens expire in one hour. Until then, the access token has unlimited usage. Once it expires, your app will have to use the refresh token to request for a new access token.
In your request for access you can request a Refresh Token to be returned along with the access token. The refresh token provides your app access to Zoho APIs even when the user is not logged in. To request a Refresh Token, add access_type=offline to the authentication request.
For sending this request, you need to include the following parameters:
| Parameter | Type | Description |
|---|---|---|
| client_id | unique identifier | The ID that was assigned to your app when you registered it. |
| client_secret | string | Your app's secret which was assigned when you registered your app and available in your profile. |
| grant_type | string | refresh_token |
| redirect_url | URL | Your callback URL. |
| refresh_token | string | The refresh token provided along with the access token. |
Example:
GET oauth/user/info
POST https://accounts.zoho.com/oauth/v2/token
HOST:: https://accounts.zoho.com
Query String:
?refresh_token=1000.4069dacb5684b2df29b60ed6865e889f.fd1f173360871d254bcf902062390367
&grant_type=refresh_token
&client_id=1000.R2Z0WWOLFVMR287126QED3B4JWQ5EN
&client_secret=39c689de68c712fa5f1f06c3b1319ab98f59fa921b
&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2FZohoOAuth%2Findex.jsp
&scope=AaaServer.profile.READ%2CAaaServer.profile.UPDATE
You will now receive an access token using which you can continue to get user credentials. This access token will also have a validity of one hour.