I am developing against DocuSign's docusign-esign-java 2.8 SDK and am encountering an error attempting to create an Envelope using the EnvelopesApi.
Here's the specific error I am hitting:
com.docusign.esign.client.ApiException: Error while requesting server, received a non successful HTTP code 400 with response Body: '{
"errorCode": "USER_LACKS_PERMISSIONS",
"message": "This user lacks sufficient permissions to access this resource."
}'
at com.docusign.esign.client.ApiClient.invokeAPI(ApiClient.java:1036) ~[docusign-esign-java-2.8.0.jar:na]
at com.docusign.esign.api.EnvelopesApi.createEnvelope(EnvelopesApi.java:702) ~[docusign-esign-java-2.8.0.jar:na]
at com.docusign.esign.api.EnvelopesApi.createEnvelope(EnvelopesApi.java:652) ~[docusign-esign-java-2.8.0.jar:na]
The client went through DocuSign OAuth Code Flow and granted our Application scope=signature+extended.
Does anyone have any ideas or suggestions on what I could look into?
I feel like this is somehow a DocuSign account configuration issue more than a code issue or an OAuth authorization issue, but I'm not sure where to look.
This can happen because:
There's a mismatch between the accountId in the URL that you are making API calls for (you pass accountId to the API call from the Java SDK) to the account that you used to authenticate (which may be different) when you implemented OAuth.
There's a mismatch between developer and production env. Make sure you use the same env for both authentication and API Call.
The user you authenticated with actually don't have permission to create envelopes. Some users cannot do that.
Account has an option to only allow creation of envelopes from templates.
I would try a new developer account and make sure that you are using the correct account in both the authentication piece and the API calls.
Related
I am try to approve the prividedge identity management (PIM) request through graph api but when i try to approve it the api is return forbidden. See the below screenshots
The pending request should be approved.
First, I want to know what API permission you consented for using this graph API, because to be honest, I didn't find this graph API, I only found this document which contained the API request you used.
According to the error message, I'm afraid you gave the wrong api permission or you used client credential flow to generate the access token to call the API. So it's better to provide the request you used to generate access token.
Finally, I found an answer here which successfully call the API but with Powershell script. According to this sample, we should give PrivilegedAccess.Read.AzureAD,RoleAssignmentSchedule.ReadWrite.Directory,PrivilegedAccess.ReadWrite.AzureAD delegated API permission and use it to generate access token. We need to use auth code flow/ROPC flow so that the token generated should contain scp claim with API permissions as value. Then using that token to call the API.
You may try request below to generate the access token for a test:
POST https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id=azure_ad_app_id_consented_api_permission
&scope=PrivilegedAccess.Read.AzureAD RoleAssignmentSchedule.ReadWrite.Directory PrivilegedAccess.ReadWrite.AzureAD
&username=user_name_better_to_use_account_with_Global_Administrator_role
&password=password
&grant_type=password
I created an Api in azure and recently tried to change to authentication method to access it via OAuth2.
I requested a token using https://login.microsoftonline.com/[TENANT]/oauth2/v2.0/token/ and tried to use it to access my api via postman.
Then I tried to use the received token to make a request to my api:
I used Postman's Authorization pane to specify OAuth2.0 as the authentication method and set the Grant Type configuration to "implicit" and sent a request.
Configured like this, the request goes through using the "http" version of my api but as soon as I try to use the "https" version, I get a 401 error "Unauthorized".
Have I configured my api wrong ? Or am I using the wrong url to authenticate ?
Thanks a lot for your time.
After a lot of research I found out what was wrong :
I had to add the application ID in the allowed token audiences of identity provider (in the azure app service, navigate to authentication > locate the identity provider > click on edit > at the bottom of the page add the your app registration's application ID. For good measure I also added api://[APPLICATION ID]/.default and api://[APPLICATION ID]
There was still some authentication code left in the source code of my api. When I was trying to connect I sometime had a response which consisted of HTML titled "Sign in to your account". It was caused by a segment of code in the startup.cs file of my api which verified the user who made the request against my Azure AAD. After removing it I no longer had the error
You would think this would be simple, but I'm just trying to call this API:
https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0&tabs=http
I'm trying to call it with an access token from a bot registered on Azure.
Where/how do I get the access token?
Should I be able to call this API with client credentials?
https://login.microsoftonline.com/common/oauth2/v2.0/token
Based on the API reference that you are trying to call, Application permission is not supported which means this API can't be called via OAuth 2.0 client credentials flow.
As you can see only Delegated permission is supported and accounts here must be work or school accounts, so if you want to call this API in your bot code directly, you can try password flow to get an access_token with delegated permission.
If you need more assistance, pls let me know.
If you're just trying to post to a channel, there are some other options altogether:
Posting using webhooks
If you have a bot already, and it's registered (added) to the Team, you can look into proactive messaging
They'll both achieve the goal, but it depends on who you want the message to appear to be from (e.g. must it look like it came from the user? from the bot? doesn't matter?)
I'm trying to execute a REST API call in SharePoint Online. For this, I wanted to see if I can register an app in Azure AD. I believe I was able to do so and I'm able to get back a token. However, upon executing the GET request Postman always throws {"error_description":"Invalid issuer or signature."}in the body of the response.
Here're the screenshots detailing everything:
Don't mind the Postman variable {{TenantID}}. That's not the issue, I also tried with the writte-out tenant ID - doesn't make a difference.
So what I was unsure about at first was the 'Scope' parameter in the "GET NEW ACCESS TOKEN" in Postman. I tried various scopes, for example
'Sites.FullControl.All' or 'https://microsoft.sharepoint-df.com/.default'. But that didn't change the outcome. Still, is the scope I set correct for SharePoint REST API? I know that for the Microsoft Graph 'https://graph.microsoft.com/.default' works.
I also tried different app permissions, not just
'Sites.FullControl.All'
Do you have any idea what the cause of the error might be?
Thanks.
The sharepoint permission Sites.FullControl.All is of type Application.
For this type of permission you MUST use the client_credential flow.
The Client Credentials grant is used when applications request an
access token to access their own resources, not on behalf of a user.
Try to call the auth url with:
grant_type=client_credentials
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx
Otherwise if you want to access the Sharepoint on behalf of the user change the permission type to delegated
I am using Docusign Login information api in a mapping with Informatica Cloud .
The mapping executes successfully with a fault response.The error message in the fault response is as follows.I have tested the same api in postman.I am using Integrator Key provided by Docusign for authentication along with my username and password.The API works perfect in postman.But with Informtica Cloud it gives me following error.
I have created swagger file with username,Password and integrator key as headers for creating the web service in Informatica Cloud.I am using Authentication type as 'Basic' in the connector and in swagger file.Where I am I going wrong with authentication?The Integrator Key or the username and password are valid.
Unauthorized {
"errorCode": "AUTHORIZATION_INVALID_TOKEN",
"message": "The access token provided is expired, revoked or malformed."
}
This question/answer from the Informatica site may be of help.
If the Informatica Cloud connector enables you to pass an X-DocuSign-Authentication header then you can use DocuSign's Legacy authentication.
If not, then you will need to send an Authorization header with value Bearer a_bearer_token
From the Informatica QA, it looks like you will need to create a small application that will use the JWT Grant to create an Access Token, and then return the Access Token to Informatica.
Next, use the Access Token via Informatica to use DocuSign's API.
I'm sure that Informatica Cloud's consultants have come across this issue before, you could also contact them for help.
DocuSign doesn't support Basic Authentication for API calls.
I'm not familiar with Informatica Cloud, are you able to define a custom header so you can properly provide the x-docusign-authentication data block?