User Authentication
A Service Provider (SP) can check whether a user has verified their account with Zoho.
To see if a user has verified their account
1. Include the scope parameter in the URL to retrieve and verify the user's email address.
https://accounts.zoho.com/oauth/v2/auth?scope=email&client_id=<Your Client ID>&redirect_uri=<Your redirect URL>&response_type=code
You will get the following response URL for the above link.
https://iam/?code=1000.7c96113574b7d8db83789676350d7e91.276c83e3d5ec39eb1ec3a40ed4219623&location=us&accounts-server=https%3A%2F%2Faccounts.zoho.com&
2. After the user verifies the link, use the following URL to get the user's id_token.
https://accounts.zoho.com/oauth/v2/token?client_id=<Your Client ID>&response_type=code&redirect_uri=<Your redirect URL>&scope=email&code=1000.7c96113574b7d8db83789676350d7e91.276c83e3d5ec39eb1ec3a40ed4219623&grant_type=authorization_code&client_secret=<Your Client secret>
You will get the following response for the above URL:
{
  "access_token": "1000.8ade8619471ced4155a8b086966d3ef2.ac2ce7a8e8408bf02825c53295f296be",
  "refresh_token": "1000.aa2550574bc68c2c7f1d5a266bc5ade6.a76355940e7e5a380994b9d6c295e0f5",
  "expires_in_sec": 3600,
  "id_token": "eyJrZXlfaWQiOiI1ODZjNjI4NDUyNzMzOTZhZmQyMzg2NWRiNTQyNzJlNSIsInR5cCI6IkpXUyIsImFsZyI6IlJTMjU2In0=.eyJhdF9oYXNoIjoiSEs2RV9QNkRoOFk5M21STnRzREIxUSIsInN1YiI6IjY3NTkyNTYwOSIsImF1ZCI6IjEwMDAueTBsc3MzMmdtam52NzIzOTA5MDduNGtkdnFheGZpIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF6cCI6IjEwMDAueTBsc3MzMmdtam52NzIzOTA5MDduNGtkdnFheGZpIiwiaXNzIjoiYWNjb3VudHMuem9oby5jb20iLCJleHAiOjE1MzkwMTEwODEsImlhdCI6MTUzOTAwODIwMSwiZW1haWwiOiJkaGl2eWEubXNAem9ob2NvcnAuY29tIn0=.YjVi2SDP8+BGixmG5MFeViRWj84klXdT67u7YzjMxzBmxr3+ugJUX204LPpk5VdB1jaWuJVq4yIhvQSTJvBKLFyCXf89JGGm/oGLXSiz4/hFDGB52jiT+5Jd2TvNZbmWypn7Ms+zUbTmWy0zuOhVVMZdZEMibNqTQIBpIeQeN3PqYnSqUTahQu0NBMjkoabUmxtfDAuHCt5tim4IMW/2bnan0UCo4AfuGwMIf1Ff3MIba+EffSqIyi5fEDTKefoUpN7O1AxQevEK/aY2r/APWU5L/K9pcG8wg52zxHFyuOfRllHW7CUORZ4abhvI7WqpJVkpE9rO7UOY53uRYLsW4A==",
  "api_domain": "https://www.zohoapis.com",
  "token_type": "Bearer",
  "expires_in": 3600000
}
The id_token has three sections in the a.b.c format. The b section holds the user's account information, which is Base64-encoded. Base64 is an encoding, not encryption, so anyone who holds the token can read these values.
To decode the values, use the code below. If email_verified is true, the user has verified their account with Zoho.
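import java.util.Base64;
import java.util.regex.Pattern;

String data = "<id_token>"; // the id_token value from the token response
String[] subdata = data.split(Pattern.quote(".")); // a.b.c -> [a, b, c]
byte[] test1 = Base64.getDecoder().decode(subdata[1]); // java.util.Base64 used here in place of CodecUtil
out.println(new String(test1, "UTF-8") + " ");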
A sample output is mentioned below.
{"at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q","sub":"675925609","aud":"1000.y0lss32gmjnv72390907n4kdvqaxfi","email_verified":true,"azp":"1000.y0lss32gmjnv72390907n4kdvqaxfi","iss":"accounts.zoho.com","exp":1539011081,"iat":1539008201,"email":"john.ms@zohocorp.com"}
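The decode step above, extended in Python to also check the iss, aud and exp claims before trusting email_verified. This is an added example, not Zoho's code: the function names, the expected issuer (taken from the sample output) and the constructed sample token are assumptions. It checks claims only and does not verify the RS256 signature named in the token header.

```python
import base64
import json
import time

# Constructed sample: claims copied from the sample output above; signature is a placeholder.
SAMPLE_CLAIMS = {"sub": "675925609", "aud": "1000.y0lss32gmjnv72390907n4kdvqaxfi",
                 "email_verified": True, "iss": "accounts.zoho.com",
                 "exp": 1539011081, "iat": 1539008201, "email": "john.ms@zohocorp.com"}

def make_sample_token(claims):
    """Build an unsigned a.b.c token for the demo (hypothetical helper)."""
    enc = lambda obj: base64.b64encode(json.dumps(obj).encode()).decode()
    return ".".join([enc({"typ": "JWS", "alg": "RS256"}), enc(claims), "c2lnbmF0dXJl"])

def decode_segment(seg):
    """Decode one section; accepts standard or URL-safe Base64, padded or not."""
    seg = seg.replace("-", "+").replace("_", "/")
    seg += "=" * (-len(seg) % 4)
    return base64.b64decode(seg, validate=True)

def read_claims(id_token):
    """Return the decoded b section as a dict, or raise ValueError."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have three sections (a.b.c)")
    claims = json.loads(decode_segment(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def check_email_verified(id_token, client_id, issuer="accounts.zoho.com", now=None):
    """Return (ok, detail). Checks claims only; the signature is not verified here."""
    try:
        claims = read_claims(id_token)
    except ValueError as exc:  # bad Base64, bad UTF-8 and bad JSON all derive from ValueError
        return False, f"malformed token: {exc}"
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "unexpected issuer"
    if claims.get("aud") != client_id:  # assumes a single string aud, as in the sample
        return False, "token issued to a different client"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    if claims.get("email_verified") is not True:  # the string "true" does not count
        return False, "email not verified"
    return True, claims.get("email")
```

Calling check_email_verified(make_sample_token(SAMPLE_CLAIMS), SAMPLE_CLAIMS["aud"], now=1539009000) returns (True, "john.ms@zohocorp.com"); the same call without now reports the sample token as expired.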