Sample OAuth 2.0

This is a sample OAuth 2.0 process for Zoho invoice

1. Before using OAuth with the application, the application must be registered with the service. This is done in the developer console of the service, i.e. Zoho in this case. While registering, one needs to provide the application name, website and a Redirect URI (or Callback URL). The redirect URI is where the service will redirect the user after they authorize (or deny) your application, and is therefore the part of your application that will handle authorization codes or access tokens.

2. Once the application is registered, the service will issue “client credentials” in the form of a client ID and a client secret.

3. The next step is to generate the authorization grant. To generate the grant, the user needs to be redirected to the authorization URL with the necessary parameters.

The authorization URL is

https://accounts.zoho.com/oauth/v2/auth?

The request will be similar to the one below:

https://accounts.zoho.com/oauth/v2/auth?scope=ZohoInvoice.invoices.CREATE,ZohoInvoice.invoices.READ,ZohoInvoice.invoices.UPDATE,ZohoInvoice.invoices.DELETE&client_id=1000.0SRSZSY37WMZ69405H3TMYI2239V&state=testing&response_type=code&redirect_uri=http://www.zoho.com/invoice&access_type=offline

The scope defines what access the application is requesting from the user. The redirect URI is where the service will redirect the user after they authorize (or deny) your application. This should be the same as the one defined earlier in the developer console.

4. On this request, the user will be shown a “user consent page”. Upon clicking “Accept”, Zoho will redirect to the given redirect_uri with the code and state params. This code value is mandatory to get the access token in the next step, and the code is valid for 60 seconds.

On clicking “Deny”, the server returns an error.

5. After getting the authorization code from the above step, we need to make a POST request to the following URL with the given params to generate the access_token.

The token generation URL is:

https://accounts.zoho.com/oauth/v2/token?

The request will be similar to the one below:

https://accounts.zoho.com/oauth/v2/token?code=1000.dd7e47321d48b8a7e312e3d6eb1a9bb8.b6c07ac766ec11da98bf6a261e24dca4&client_id=1000.0SRSZSY37WMZ69405H3TMYI2239V&client_secret=fb0196010f2b70df8db2a173ca2cf59388798abf&redirect_uri=http://www.zoho.com/invoice&grant_type=authorization_code

If the authorization is valid, the server will send a response containing the access token and a refresh token to the application.

6. Now the application is authorized! It may use the token to access the user’s account via the service API, limited to the scope of access, until the token expires or is revoked. The access_token will expire after a particular period. The refresh_token is permanent and is used to generate a new access_token once the current access token has expired. The access token needs to be sent along with every request to the service.

7. To regenerate the access token, the application needs to make a request to the following URL with the refresh token, client ID, client secret and the redirect URI.

https://accounts.zoho.com/oauth/v2/token?

The request will be similar to the one below:

https://accounts.zoho.com/oauth/v2/token?refresh_token=1000.8ecd474019e31d52d2f94aad6c5cb7.4638677ebc14f2f2ee0b6dfb6cebdc&client_id=1000.0SRSZSY37WMZ69405H3TMYI2239V&client_secret=fb0196010f2b70df8db2a173ca2cf59388798abf&redirect_uri=http://www.zoho.com/invoice&grant_type=refresh_token
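As an added example (not code from the original post or from Zoho), here are the seven steps above as a small Python client that uses only the standard library. The endpoint URLs and parameter names are the ones the post shows; the `post` callable used for the HTTP transport, the placeholder credentials, the one-minute early-refresh margin and the default one-hour lifetime are assumptions. Two things it does that the bare URLs in the post do not: it checks that the `state` value on the callback is the one it generated before using the code, and it sends the client secret in the POST body rather than in the query string, so it does not end up in web-server or proxy logs.

```python
"""Zoho Invoice OAuth 2.0 authorization-code flow (steps 1-7 of the post)."""
import json
import secrets
import time
import urllib.parse
import urllib.request

# Endpoints exactly as given in the post.
AUTH_URL = "https://accounts.zoho.com/oauth/v2/auth"
TOKEN_URL = "https://accounts.zoho.com/oauth/v2/token"


def new_state():
    """Fresh unguessable state value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(16)


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Step 3: the URL the browser is sent to for the consent page."""
    params = {
        "scope": ",".join(scopes),
        "client_id": client_id,
        "state": state,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "access_type": "offline",  # ask for a refresh token as well
    }
    return AUTH_URL + "?" + urllib.parse.urlencode(params, safe=",")


def parse_callback(callback_url, expected_state):
    """Step 4: pull the code out of the redirect; refuse it if state does not match."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:  # user clicked Deny, or Zoho rejected the request
        raise RuntimeError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise RuntimeError("state mismatch: callback not from our redirect, discarding code")
    code = query.get("code", [None])[0]
    if code is None:
        raise RuntimeError("callback carried no code")
    return code  # valid for 60 seconds, exchange it immediately


def _post_form(url, fields):
    """Default transport: POST fields as an application/x-www-form-urlencoded body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def _normalize(body):
    """Turn the token JSON into a dict with an absolute expiry time."""
    if "access_token" not in body:
        raise RuntimeError("token endpoint error: " + json.dumps(body))
    ttl = int(body.get("expires_in", 3600))  # assumption: one hour if not stated
    return {
        "access_token": body["access_token"],
        "refresh_token": body.get("refresh_token"),  # only returned on the first exchange
        "expires_at": time.time() + ttl - 60,  # assumption: refresh a minute early
    }


def exchange_code(code, client_id, client_secret, redirect_uri, post=_post_form):
    """Step 5: trade the short-lived code for an access token and a refresh token."""
    fields = {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    return _normalize(post(TOKEN_URL, fields))


def refresh_access_token(refresh_token, client_id, client_secret, redirect_uri, post=_post_form):
    """Step 7: obtain a new access token from the permanent refresh token."""
    fields = {
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "refresh_token",
    }
    return _normalize(post(TOKEN_URL, fields))


def current_access_token(tokens, client_id, client_secret, redirect_uri, post=_post_form):
    """Step 6: return a usable access token, refreshing in place if the old one has expired."""
    if time.time() >= tokens["expires_at"]:
        fresh = refresh_access_token(tokens["refresh_token"], client_id, client_secret,
                                     redirect_uri, post)
        tokens["access_token"] = fresh["access_token"]
        tokens["expires_at"] = fresh["expires_at"]
    return tokens["access_token"]


if __name__ == "__main__":
    # Placeholder credentials; a real client ID and secret come from the Zoho developer console.
    state = new_state()
    print(build_auth_url("1000.CLIENT_ID_PLACEHOLDER", "https://example.invalid/oauth/callback",
                         ["ZohoInvoice.invoices.READ", "ZohoInvoice.invoices.CREATE"], state))
```

The returned `tokens` dict is what the application keeps per user; every call to the Invoice API goes through `current_access_token`, so an expired access token is replaced transparently and the refresh token never leaves the server side.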

Tell us about your OAuth projects in the comments below or join the YellowAnt community. Sign up for YellowAnt here.