Error are coming on live integration key of docusign
Error while requesting server, received a non successful HTTP code [400] with response Body: O:8:"stdClass":1:{s:5:"error";s:16:"consent_required";}
I was faced issue on demo docusign then i was enable SSO for my DocuSign organization on demo Docusign
Then solved this issue(Error) and working properly on demo docusign .
Because there was Docusign Admin to enable SSO.
But Docusign Admin not available on live docusign account.
How to solved this Error on live Docusign
Error s:5:"error";s:16:"consent_required";
I have done already contact with support team
In order to grant consent, you'll either need to do an Individual Consent workflow for each user, or contact the Sales team to purchase the Admin module.
A more in-depth look at the JWT Consent options is available on the DocuSign blog - https://www.docusign.com/blog/developers/oauth-jwt-granting-consent
The short answer is that Individual Consent is always available, but requires action by each individual user (Access the consent URL, authenticate, grant consent). Admin Consent is only available if you have the Admin module and a claimed domain, but allows an Organization Admin to grant consent on behalf of everyone under that claimed domain.
Is it perhaps because the DocuSign user you use to log into the live system is not (yet) an administrator.
Related
I am an admin on Salesforce and on Docusign. The Salesforce connection on Docusign is actually setup with one of my colleagues username who is also an admin on Docusign. When i try to access Docusign Apps Launcher, i am seeing the following error message.
'You have not granted or have revoked your consent to be impersonated by Docusign Apps Launcher'
Can someone please list the resolution for this issue. As far as what i understand my colleague will have to grant consent from Docusign to be impersonated or even better changing the connection on my name as i plan to manage it on both Salesforce & Docusign.
Today I faced this same problem, I found that by calling the AuthService API you can generate an authorization URL and after granting access everything worked fine.
My steps:
open the developer console in Salesforce
Run this as anonymous code:
System.debug(dfsle.AuthService.getLoginUrl('/lightning/page/home'));
Open the raw log and follow the link
The link will display the authentication buttons and after the process, you can send envelopes as usual.
What you're describing sounds like consent for OAuth token generation, specifically JWT. When the Apps Launcher sends the requests under your username it supplied with payload that contains your Integration Key, userId, scopes and a few other pieces. When DS interprets this it checks to see if consent has been granted by your user for the scopes provided in said OAuth request. If it doesn't see consent, it returns this error message.
Basically we have three ways of fixing this pending on how your account is set up.
Individual consent where you can construct a URL containing the scopes, IK, and RedirectUris -- this allows you to log in and grant consent on an individual basis.
Domain Consent -- if you have an Organization established within our system and a claimed domain attached to it, you can supply consent for any Org users under that domain. So if I own gmail.com for example, I could supply consent for any user.
Org Consent -- this allows you to grant consent to an application across your entire organization.
If you're dealing with a single user it's most likely going to be easiest to go the individual route. An example structure for this would be:
SERVER/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=CLIENT_ID&redirect_uri=REDIRECTURI
Larry also put up a blog post last year that shows these three methods in-depth -- have a look and let me know if you have any questions: https://www.docusign.com/blog/developers/oauth-jwt-granting-consent
Regards,
Matt
I encountered this issue with a DocuSign Admin user and found out that Edge was blocking a popup. The user finally got the "Authorize" screen when they went to Chrome and allowed notifications.
I've developed an invokable Apex method that leverages the DocuSign Apex Toolkit for preparing and sending an envelope via a Salesforce flow.
The only issue I'm having is when it is invoked by a Salesforce user, that has been added as a DocuSign user, but has not yet gone through the OAuth flow to connect Salesforce to DocuSign for their user account.
A workaround is that I have that new user click a standard "Send with DocuSign" button an any record, which then shows the "Before you can use DocuSign, you must grant consent for this application to make requests on your behalf." message and a button to start and complete the OAuth flow. Once this is done I can go back to my flow and it will successfully complete as that user.
Any ideas how I can "pre-authorize" users, or check for authorization as part of the flow (is this data stored in Salesforce), or at least find a way to get to this "Authorize" screen in Salesforce without needing to begin the process of sending an envelope?
Thanks
Matt
Yes, the administrator for the account can grant "blanket" consent, known as administrative consent, for the relevant integration key (client id) and scope(s) needed by your application.
To do so:
The account needs the Admin feature Access Management with SSO You can have this feature enabled for your developer sandbox account by email request to go-live#docusign.com. Contact your DocuSign account manager for adding the feature to a production account.
You need to claim the email domain for your users.
Use the Admin tool's Connected Apps tile to grant administrative consent to your users in the claimed to domain to the application.
The above assumes that you are supplying the integration key to your Apex application.
If you're using an integration key supplied by DocuSign, then you also need to use the Admin consent for external applications API.
If you're using an integration key supplied by DocuSign as part of a DocuSign for Salesforce product, then I would first ensure that the product is enabled for everyone in your account; that may take care of your app's consent issue.
Re: detecting if consent is required
DocuSign responds with a specific consent_required error if consent is needed. So check the error response of your call. See APIError
This is in regards to DocuSign.
We will be using JWT OAuth approach for authentication in our project,currently for the first time, User Consent is required to be provided before it generates the JWT token via code/API (see snapshot).
My question is can we bypass this first time user consent either in our code or some other technique so that the flow is smooth right from the first instance.
The link I referred is :https://developers.docusign.com/esign-rest-api/guides/authentication/obtaining-consent
enter image description here
Thanks in Advance.!
Atul
Yes, if you have Organization Administration enabled for your DocuSign account then you can proactively grant consent for some or all of the users in your account.
Talk with your DocuSign contact to try out Organization Administration.
My project requirement is as below:
With out any user interaction in browser we need to generate unique URL for each user to sign the uploaded document.
Assume we have a backend java class running in backend and we have to achieve this without any customer interaction.
Problems:
We are not able to follow the steps given by docusign to agree for consent via administrator. We dont see the organization Tab in our demo account.
It says to contact admin - who is the admin for a demo account ?
You don't need User Consent or Admin Consent to sign the uploaded document. Signing is part of workflow, and signing can be done either remote or embedded. Remote Signing means DocuSign will send an email to the recipient (Signers) of the envelope and they have to complete the Signing process from the DocuSign email only. Whereas, embedded Signing is, signers have to come to your App and your App will be hosting the Signing ceremony inside your App, and generating the Signing URL using DS APIs, example of embedded Signing is available here or sample example. In no case, you need User or Admin consent, User/Admin Consent is needed for Sender's authentication normally, where your App want to do something for them on the user's behalf, for instance send an envelope for a user, then you need the User or Admin Consent.
Admin Consent can be achieved by Organization module in DocuSign, in which you have to claim the email domains of the user in DocuSign, these users should have email (DS Username) in the claimed email domain. Using Admin Consent you cannot generate Access token for them if they belong to email domain like GMail, Yahoo, as you cannot claim their domain in DocuSign. To enable Organization in your DS Account, I would assume you would have purchased DocuSign subscription for PROD DS Account, you need to contact your PROD DS Account's Account Manager, and DS AM can enable Organization from backend for your Demo Account for your Dev purpose (Org Admin comes with extra price, so you need to check with your AM if its included in your subscription).
I'm developing an integration that needs admin consent, without the interaction of a user. I see that in order to give consent to an application I need to do that from the organization dashboard.
The problem is that the demo account doesn't have organization features nor the organization dashboard.
When using JWT Token auth with DocuSign you need to grant consent one-time as you have mentioned, there are two ways to accomplish this:
Using Organizations Interface (which is an Enterprise level feature).
Initiate the request through the API
When going through API the user still needs to interactively grant consent through a browser however the request is initiated through DocuSign's Authentication Service.
See here for steps to take to grant consent through the API:
https://docs.docusign.com/esign/guide/authentication/oa2_jwt.html#granting-consent
In terms of the User Consent vs. Admin consent part of your question, they are actually the same thing the only difference is that the admin consent is done through the admin console and can apply to all users, the user consent is on a per user basis.
If you don't want the individual users to grant consent then you must use the organization admin panel to give consent.
To have organization administration added to your demo/developer sandbox account, please ask your DocuSign sales or technical contact to have it added.