I'm trying to access DocuSign account and app.
How to pass to docusign login without client_id, once login successful it will ask for app and send Integration Keys with Secret Keys of that app in callback?
Step1- User redirect to DocuSign login page with url somethings like this
Response.Redirect(WebUtilities.AddQueryString(Options.AuthorizationEndpoint, new Dictionary<string, string>{
{ "scope", "signature extended" },
{ "response_type", "code" },
{ "state", stateString },
{ "redirect_uri", Options.AppUrl + Options.CallbackPath.ToString() } })
);
and after successful login.
Step2. User should have screen with apps which are in setting and from there after selected any app, it will send Integration key/ Secret key of selected app to call back url. By which I want make calls are per my requirements.
Basic point is user from my web site click on docsign link- it will redirect to login of DocuSign - user will select app on successful login - select app which user want - After selection it will redirect to callback with with IntegrationKey and Secret key.
Hope I am clear now.
Unfortunately your question is not clear. Maybe you can edit it.
To make an API call to DocuSign, you need an access_token. Your application obtains an access_token by using an OAuth authentication flow such as Authorization Code grant or JWT grant.
To receive a webhook notification from DocuSign, you set up your Connect/webhook subscription by using the eSignature Administration tool. You do not need a client_id for this action.
Added
The OP has added to their question:
Basic point is user from my web site click on docsign link- it will redirect to login of DocuSign - user will select app on successful login - select app which user want - After selection it will redirect to callback with with IntegrationKey and Secret key.
I think the question is about authenticating an application's user with DocuSign, then returning to the application.
Answer
The OAuth security standards for the Authorization Code grant require that the user login via the OAuth service provider. In this case account.docusign.com or account-d.docusign.com.
There are two ways to do this:
The application redirects the user's browser to the OAuth service provider. After the first step in the Authorization Code grant flow, the user will be redirected back to the application. The application then makes the call to exchange the authorization code for an access token. The app needs a way to recover its state when the user is redirected back to it. There are several ways to do this.
The application can open a new browser tab to the OAuth service provider. The application continues to run in its original browser tab. The app can programmatically close the tab that it created once the user is authenticated.
Once your app has an access token for DocuSign, it can make API calls to DocuSign. Generally speaking, apps should make API calls to DocuSign on behalf of the user. It is less common for apps to show the DocuSign application to users.
The exception is the DocuSign Signing Ceremony, used for actually signing a document. But signers rarely have a login to DocuSign--they don't need a login to sign.
If you're going to show the DocuSign signing ceremony to your application's users then your application will usually obtain an access token for a system user such as "finance#example.com" (via OAuth JWT impersonation grant) not for the signer since the signer does not have a DocuSign login.
Related
I am trying to integrate Docusign within my web app where users will be able to generate the documents to sign with some information from the web app integrated into Docusign document.
For JWT or Auth Code Grant workflows, Docusign needs the user to sign in to Docusign account to be able to generate an access token.
Now each user cannot really sign into Docusign to generate a document. What's he best way to create Docusign envelops without the end user logging into Docusign account?
If your app's users have DocuSign user accounts, then use Authorization Code grant flow: the user authenticates with DocuSign and then your app uses the user's access_token.
If your app's users do not have DocuSign user accounts (eg the users are your end customers), then:
Create a "system user" in your DocuSign account such as "finance#yourcompany.com"
Authenticate to DocuSign as the system user and grant consent to the application. See this blog post for more.
The above steps are one time only!
Then, when your app is used in production:
When a user starts to use your application, your application uses the JWT grant flow to impersonate the system user.
Via the JWT grant flow, your app now has an access_token that it can use with the DocuSign APIs. Your app can use the access_token to create an envelope, then create a recipient view (embedded signing ceremony)
The app's user can sign via the embedded signing ceremony.
Remember to cache the access_token for the system user. Continue to re-use the access_token until it is about to expire.
See this SO answer for info on caching the access_token
How can I login a demo user with azure B2C through a API without using username and password?
I like to give visitors access to a demo account without having to sign up.
Basically my first idea is to provide a azure function or app service which returns a valid user token and/or forwards user to the app with the signed in guest user.
My app uses azure b2c oauth taking the token from url after redirect back to the app, thus it should be easy to provide the token from a second source.
I thought it should be possible to generate a valid user token through a API? Thus the API itself runs under a service user, having the right to generate the token (eg. impersonation).
What's the right approach / B2C APIs to generate this token?
There is no API to access the /authorize or /token endpoint.
Why not just create a dummy user and give people the name and password?
Or a page that kicks off the resource owner password flow with canned credentials.
I have 3 applications, one is desktop application and this is my client, second is my Web Api to secure and the last one is api which checks if the user with password exists.
In my case I want to connect this flow with Azure AD.
I think this should work like this:
1.DesktopApplication sending request with clientid,clientsecret, username and password to AZURE
2.Azure sending request with username and password to my api where I can check this user exist if exist I will return "true"(or somthing like this)
3. If api return "true" Azure can return to DesktopApplication token
4. DoesktopApplication will send request ot secure Web Api with token
5.DesktopApplication recive content from secure Web Api
Api in 3 point is not same api in 5 point.
Is it posible to do this flow with Azure AD or not? And if not can I do something with my flow something to secure Web Api by Azure and still store users in my old db(oracle)?
It would be better to use OpenID Connect authentication flows to authenticate the user and acquire a token that way.
The approach you are suggesting has a few downsides:
You are storing a client secret in a desktop application, which can be easily extracted by anyone.
The authentication flow that allows you to do this will not work with users who have MFA enabled / are federated users (on-prem AD/MS account/Guest account) / have expired password.
It trains users to be phished as they really should only enter their password to the actual login page.
So it would be better to use a flow like this:
Your desktop application uses Azure AD Authentication Library (ADAL) or Microsoft Authentication Library (MSAL) to authenticate the user, requesting an access token for your API
Desktop app calls API, API validates token signature, issuer, validity time etc.
It will show the user a pop-up window where they can login, and as a result you'll get an Id token (which tells your desktop app who the user is) and an access token for the API.
We are trying to integrate DocuSign with our product.
Our Scenario: Our organization has a (partner) account. We created an Integrator Key (ClientID) and Secret. We want our clients to use their own accounts (which are not child accounts (Admin - user relationship) to our partner account) for the creation of envelopes and generate signing URLs along with our integrator key and secret.
Steps followed:
Created an account (Partner Account).
Created Integrator Key and Secret.
Our scenario is considered as User Application and using Authorization Code Grant Mechanism to get the auth code.
Clients are redirected to DocuSign portal for getting authenticated. (using authorization code grant mechanism by passing our integrator key as a parameter)
Client grant consent for our application to use their credentials for the creation of envelopes.
Receive the auth code.
Using clients authcode and Partner accounts Integrator Key & Secret, trying to fetch the refresh and access token. But DocuSign API (OAuth/token) is responding back with "Bad Request" (400) as response.
In place of the client account, if we are using same partner account credentials, then API (OAuth/token) is responding back with correct refresh token and access token.
Question: Can an integrator key and secret of one account be used along with the auth code of another account (both accounts doesn't have any relationship(Admin-User)) for fetching the Access token & Refresh Token.
API's Used:
Get Auth Code - https://account-d.docusign.com/oauth/auth (Partner Account (Integrator Key & Secret) & Client user credentials in DocuSign Portal)
Get Access / Refresh Token - https://account-d.docusign.com/oauth/token (Auth Code from previous response & base64(Integrator Key:Secret))
Reason: we don't want to store user credentials or ask users to log in every time when they want to use their DocuSign account in our application. So we want to get consent from a user and store their refresh token with us. Use their refresh token and our integrator key from next time for calling DocuSign API's.
Update
(I work at DocuSign.)
Via additional information supplied to DocuSign, we were able to find our internal logs for the OP's OAuth transaction that failed. We could see from the internal log that, indeed, the problem was that the Authorization Code had expired.
During an OAuth flow, as soon as an application receives an authorization code, it should immediately turn around and use it to get the Access and Refresh tokens, and related information. We will be updating our documentation to state this issue clearly.
Original answer
Everything you're doing sounds exactly right. Especially since the user is receiving the permission screen the first time after logging in to DocuSign via your application.
To answer your question directly: yes, a client id (Integration Key) can be used by an app for any DocuSign user on any DocuSign account.
One idea: is your application requesting the tokens immediately after receiving the authorization code? The authorization code itself times out after a couple of minutes.
You're saying that if User A logs in it works (User A belongs to the account that manages the Client ID), but if User B logs in it doesn't work? I haven't seen that issue before. I'd create a new demo developer sandbox with User C and have them try to login.
Is all of this on demo or production?
Help me please. There are several users in the docusign account. How to send an envelope from their name? What would an envelope be sent not on behalf of the administrator, but on behalf of the user.
You need to use DocuSign's OAUTH user Application or Service Integration to implement the same. DocuSign Authentication Overview has details about each integration type.
OAuth Authorization Code Grant and OAuth Implicit Grant are suitable only for user applications because it requires an end user to authenticate with DocuSign.
Service Integration Authentication uses JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523) to create an access token. It is ideal for service integrations that do not involve a user agent like a browser or web view control. The result is an access token that represents the application or an impersonated user.
Implementing either User Application or Service Integration, you need to get consent of the user for whom you want to send the envelope and envelope will be sent from that user's account and that user will become the sender of the envelope.