DocuSign oAuth 2.0 for system to system integration - docusignapi

We are currently using basic authentication for our DocuSign apps. Our application requires no human interaction for envelope creation. Backend code does a basic authentication and creates the envelopes.
We want to move to OAuth 2.0. I went through DocuSign's web site and read about different kinds of OAuth grant flows.
I downloaded their quickstart code (Authentication grant code flow) but it did not work for me as I was always getting HTTP error 404 at the time of redirection. It seems that for our system integration the JWT grant flow should work, but again it has a consent form, which requires someone to approve.
Can someone help me with sample code on oAuth 2.0 with System integration?

You can use administrative consent for JWT which means that the organization need only consent once and the app can then be used by all users. No one will need to log in to DocuSign to use your integration.
I would like to help with the issues you had with quickstart, but not sure what language you tried.

Download a fresh Java Quickstart from https://developers.docusign.com/docs/esign-rest-api/quickstart/
Run Java Quickstart in command line per these instructions: https://developers.docusign.com/docs/esign-rest-api/quickstart/overview/#configuration > Java tab > Building and running Quickstart
Get JWT consent for app: Login > Dropdown: JSON Web Token Grant > Authenticate with DocuSign > Log In > Allow Access
Extract ds-java-auth-final.zip located at https://github.com/docusign/code-examples-java/blob/master/docs/ds-java-auth-final.zip
Fill in ds-java-auth-final/src/main/java/test.newOAuth/Config.java with your client-id and impersonated-user-guid from your Quickstart_folder/src/main/resources/application.json
Fill in your API account ID from the Apps and Keys page https://admindemo.docusign.com/authenticate?goTo=apiIntegratorKey
Fill in the ds-java-auth-final/privateKey.txt file with your private key from Quickstart_folder/src/main/resources/private.key
Right click on ds-java-auth-final folder and Open Folder as IntelliJ IDEA Project
In Project window, navigate to ds-java-auth-final/src/main/java/test.newOAuth/DsNewAuth
After building, right click and Run 'DsNewAuth.main()'
Please let me know if you have any questions
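The JWT grant discussed in the answers above, as an added Node.js example that is not part of the original thread or of DocuSign's Quickstart: once consent exists, the backend signs a short-lived assertion with the app's RSA private key and posts it to the token endpoint, with no browser involved. The claim layout, the `signature impersonation` scope and the demo host `account-d.docusign.com` follow DocuSign's JWT grant documentation; the key pair and ids below are constructed placeholders, and `verifyAssertion` is a hypothetical local self-check.

```javascript
// Added example, not DocuSign's code: build the signed assertion for the JWT grant.
const crypto = require('crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Returns the compact RS256 JWT that is exchanged for an access token.
function buildAssertion({ integrationKey, userGuid, authHost, privateKey, now }) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: integrationKey,               // client id of the app
    sub: userGuid,                     // GUID of the impersonated user
    aud: authHost,                     // host name only, no "https://"
    iat: now,
    exp: now + 3600,                   // keep the assertion short-lived
    scope: 'signature impersonation',
  };
  const signingInput = `${b64url(header)}.${b64url(claims)}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Form body for POST https://<authHost>/oauth/token
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}

// Local self-check: does the assertion verify under the app's public key?
function verifyAssertion(jwt, publicKey) {
  const [h, p, s] = jwt.split('.');
  if (!h || !p || !s) return null;
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKey,
                           Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString('utf8')) : null;
}

// Constructed demo values: throwaway key pair and placeholder ids.
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoJwt = buildAssertion({
  integrationKey: 'CLIENT-ID-PLACEHOLDER',
  userGuid: 'USER-GUID-PLACEHOLDER',
  authHost: 'account-d.docusign.com',  // demo environment host
  privateKey: demoKeys.privateKey,
  now: Math.floor(Date.now() / 1000),
});
console.log(tokenRequestBody(demoJwt).slice(0, 80) + '...');
```

In a real integration the private key is the one generated for the app on the Apps and Keys page, loaded from a secret store rather than generated at runtime.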

Related

Microsoft Sign In Without Browser With Node

I'm working on a project that's trying to include microsoft sign in, in order to use information about the person that signed in.
I'm doing this as a node js app that's run from my local machine, and there is no webpage / web server involved.
Mainly wondering if it's possible to sign in with a microsoft account without having to use a browser, or getting a URL link to sign in with, and then a way for me to get the access token without needing a redirect link back to a page.
It sounds like device code flow might meet your requirements.
Documentation for device code flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
MSAL Node sample showing device code flow: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/standalone-samples
There is also username/password flow, but that is not recommended, and MSAL Node does not support it yet. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

Starting using Google Sheets API cannot get configuration/token files

I need to get access at the sheets and I am following this guide to start to do that https://developers.google.com/sheets/api/quickstart/nodejs
But the button that enables google APIs doesn't work, all names I put on the project return an error.
I went on the API console and created a new project but I do not know how to get credentials files (if they are needed) and then I must create a URL for the OAuth page?
How to get OAuth credentials manually
There are different types of credentials and the procedure to obtain them is slightly different depending on your situation. See here for the different scenarios.
In most cases (an exception is when using a service account), the first step is to set up an OAuth consent screen.
The consent screen is the screen your users see when they are prompted to agree to terms that are presented to them by your application.
To set up an OAuth consent screen, after choosing a project from the GCP console go to APIs & services -> OAuth consent screen
You need to choose whether your application is supposed to be accessible only by domain-internal users or also by external ones (in the latter case you might need to submit your application for verification by Google, potentially involving costs - depending on the scopes you use).
You need to provide an application name that your users will see (the logo is optional)
You need to specify which scopes your app will use
You can specify other properties, e.g. the Authorized domains (this is usually your website from which the users will be redirected to the consent screen when performing some kind of action)
If you are not sure about the optional properties, leave them out for the start
Once you set up the authentication screen, the second step is to go on APIs & services -> Credentials
Read the Authentication overview to decide which credentials you need
For most applications you will want an OAuth client ID
The different Application types are described here; to start with, create a Web Application
Authorized JavaScript origins and Authorized redirect URIs are basically your webpage from which the users will be redirected to authenticate and to which they should be redirected after authentication.
For local testing you do not need to specify those URLs
Once you create the OAuth2 client successfully, you will obtain the Client ID and Client Secret - your credentials to incorporate into your code when using Google APIs.
If you click on the download button on the right side of your newly created credentials - it will generate a json file on your local machine from which the credentials will be read automatically if you follow the quickstart.
Alternatively you can paste the credentials directly into your code - see here for sample for different situations

Signing into my Gitlab CE installation with my app's login

I have a nodejs webapp with many users with a custom login process. I would like gitlab to accept that authentication and not force users to create a new app. What is the best way to accomplish this?
I would go for OAuth 2.0 Single Sign On (SSO). Below you can find the architecture diagram taken from here. As you can see the client is redirected to log in in the OAuth2 provider to get a valid token for authentication. The OAuth2 server must be configured for the application requesting access including the secret, the client id and the callback URL.
You can configure GitLab CE to sign in with almost any OAuth2 provider. Only be careful with the limitations:
It can only be used for Single Sign on, and will not provide any other access granted by any OAuth provider (importing projects or users, etc)
It only supports the Authorization Grant flow (most common for client-server applications, like GitLab)
It is not able to fetch user information from more than one URL
It has not been tested with user information formats other than JSON
You also need to configure your node js web application as an OAuth2 server. There are npm packages available with the source code here.
Recommendation
I would install some open source Identity Management to separate the user management from your webapp, which provides better integration with other third parties and lets you forget about encryption and other stuff you need to take care of in your webapp. There are multiple options such as KeyCloak for instance.
You have to define a dedicated user, and use the private_token of this user to log in for ALL users that will use your application.
The restriction would imply all users will have the same rights...
The other solution is to use the Private Token of the user at login. In this case, only the rights of these particular users will be used.

Don't get any scopes when calling my Azure AD OAuth web api

I have a web api, using azure ad oauth authentication. I want my associates' web sites to be able to use this api to display content on their public website. To clarify: no user should need to consent to or grant anything, and they are anonymous.
I have used this guide to set up my web api and this code ("Web Application to Web API"->WebApp-WebAPI-OAuth2-AppIdentity-DotNet-code) for my demo client.
The default scope/permission was assigned to client app in azure portal, like so
The actual problem I am trying to solve is that my different associates' webpages should have different permissions. I was hoping to create different scopes and assign different associates' client apps different scopes, so that I could check if they, for example, have the update_customer_x scope.
All this "seems" to work ok. I get my authentication token and I am able to get content from the web api. BUT I don't get any scopes at all. Reading the first guide (web api) I see that you should be able to get the default scope by using the code:
if (ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/scope").Value == "user_impersonation")
{/*you have the default scope*/}
But I don't find anything here, and no scopes at all. Any clues?
This is the content of the JWT-token, as requested
The TodoListController.cs from WebApp-WebAPI-OAuth2-AppIdentity-DotNet just uses the client credentials flow, as astaykov commented, for retrieving the access token without user interaction. At this time, if you decode your code via https://jwt.io/, you would not find the scp property.
For your requirement, you need to follow WebApp-WebAPI-OpenIDConnect-DotNet for calling a web API with the signed-in user's permissions.
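The missing `scp` claim described in the answer above, as an added example that is not from the original thread or from Microsoft's samples: a client credentials token carries no `scp`, so the scope lookup finds nothing, while application permissions assigned to a client app arrive in a `roles` array. The sample tokens are constructed and unsigned, the `appid` and `aud` values are placeholders, and using `update_customer_x` as an app role name is an assumption taken from the question's wording.

```javascript
// Added example: read scp/roles from an access token whose signature, issuer and
// audience have ALREADY been validated by the API's JWT middleware.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// scp: space-separated delegated scopes (a user signed in).
// roles: array of application permissions (client credentials, no user).
function grantedPermissions(claims) {
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ').filter(Boolean) : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  return { kind: scopes.length > 0 ? 'delegated' : 'app-only', scopes, roles };
}

// Authorize a call: delegated tokens need the scope, app-only tokens the role.
function isAllowed(claims, { scope, role }) {
  const { kind, scopes, roles } = grantedPermissions(claims);
  return kind === 'delegated' ? scopes.includes(scope) : roles.includes(role);
}

// Constructed sample tokens (dummy signature, for illustration only).
const fakeToken = (claims) =>
  ['{"alg":"RS256","typ":"JWT"}', JSON.stringify(claims), 'sig']
    .map((part) => Buffer.from(part).toString('base64url'))
    .join('.');

const aud = 'api://web-api-placeholder';
const userToken = fakeToken({ aud, scp: 'user_impersonation' });
const associateA = fakeToken({ aud, appid: 'client-a-placeholder', roles: ['update_customer_x'] });
const associateB = fakeToken({ aud, appid: 'client-b-placeholder' }); // no role assigned

for (const [name, token] of Object.entries({ userToken, associateA, associateB })) {
  const claims = decodePayload(token);
  const allowed = isAllowed(claims, { scope: 'user_impersonation', role: 'update_customer_x' });
  console.log(name, grantedPermissions(claims).kind, allowed ? 'allowed' : 'denied');
}
```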

How to handle simple authentication with Azure (with local user accounts)?

I would like to build a very simple Angular 4 app with a WebApi Service as backend.
I would also like to have users register with my app (the basic "create user" - "validate email" - "log in" workflow).
The user/passwords should be stored with my own app (SQL database).
Where would I go for this very basic information? I am highly frustrated with all the "look it's so easy, you can use ANY social media account! Facebook, Twitter, Google, Microsoft! Just three clicks and all is super-secure with OAuth" talk.
Please point me in the right direction - finding this very basic information seems impossible to me.
What I have done is:
Step 1: call Facebook auth from the client; it returns me id, profile etc.
Step 2: then I send the fb id to the server (deployed on Azure), where it checks if this fb id already exists in the database; it redirects to login, otherwise it creates a new user.
You can also authenticate the fb token on the server side for more security.
For the login with Facebook scenario this question might help you.
I would recommend you to use Azure App Service along with Easy Authentication as it allows you to configure your app along with Facebook/Twitter/Google/MSA.
For Starters see this:
How authentication works in App Service
How authorization works in App Service
The following tutorials show how to configure App Service to use different authentication providers:
How to configure your app to use Azure Active Directory login
How to configure your app to use Facebook login
How to configure your app to use Google login
How to configure your app to use Microsoft Account login
How to configure your app to use Twitter login
The above steps do not require you to write any code. However if you need to authorize then you need to handle that in your application.
The above should get you started. Also see this thread where I shared insights on how you can query Facebook: Correct Facebook Graph Api Video Insitghts Request PHP SDK
I also have a blogpost on this here:
Azure App Service: Using Easy Auth to query Facebook information via Graph API
