We are developing application for e-signature on PDF for different users of oru system, which call many docusign APIs and we try use JWT to authenticate the APIs. I able to get token. But I have doubt on one parameter of JWT request body. I refer link https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken.
What do you mean by "The user ID of the user to be impersonated.", I used API account user id.
Please refer my previous query Signer URL for an envelope - calling docusign API and getting 400 bad request error. I think, this is not correct what I use to pass here. However I am getting token.
Please let me know if you want to know more details.
"The user ID of the user to be impersonated." means exactly this, you can impersonate a user or "act on behalf of the user" by providing his userId in the JWT call.
So the impersonated user will be the sender of the envelope.
If you use your account userId you will be acting as the sender
Related
I am doing service integration with DocuSign platform using JWT Grant auth type. DocuSign account has multiple users setup.
My service is SendEnvelopService and one of the important request param to the service is user email. SendEnvelopService need to impersonate user with given email-id when calling DocuSign and send envelope in behalf of that user. Note that every request to SendEnvelopService will have different value of email request param.
I have following questions around it -
Question#1) Since I need to impersonate different user every time (based on email id in my request), I assume I need to get new JWT auth token every time, before making actual api call. Is that right? Is it usual and ok to request new JWT auth token so frequently before every api call? Does it raise any integration concerns with DocuSign?
Question#2) In my request, I have email id of the user to impersonate. I don't have user's GUID which I need, to get JWT auth token and impersonate it. Is there any api that I can use to get user GUID by email id? I wonder what kind of authentication will be needed for such api because I don't have JWT auth token yet.
One idea I have is may be I need to setup one admin user in DocuSign and keep admin userId (GUID) in application config. Now I have 2 users, one is admin user and another is request user which I have email from the service request. I can following steps -
Do requestJWTUserToken impersonating admin user. We get
oAuthTokenAdmin
Using oAuthTokenAdmin make
https://developers.docusign.com/esign-rest-api/reference/Users/Users/list
api call to get userId (GUID) of request user email.
Now do another requestJWTUserToken impersonating request userId. We
get oAuthTokenUser
Now make actual api call using oAuthTokenUser and to send envelope
Go to:
https://admindemo.docusign.com/
Log in with your demo (sandbox) credentials.
Then you have two options:
If it is only for you, simple thing is to click "API and Keys" page under Integrations on the left nav.
You will see this:
You can also click on "Users" on the left and select the user you want, any user really, doesn't have to be you.
then you'll see it under this:
For your first question, no, you don't have to do that. You can use the same user for all API calls. Especially if this user is an admin, then you can do all API calls under that context.
We are looking at the DocuSign API integration using .NET.
I've managed to send an email from this correctly and added fields to the form programmatically however I could do with knowing how to use the Send On Behalf feature.
It looks like in the APILogin() function I need to add a default header called X-DocuSign-Act-As-User and then the email address (SOB is enabled on the API account). But then it says I need something to do with a token for this user? But not sure where I get this from?
Thanks,
Alex
X-DocuSign-Act-As-User header is only applicable when using OAuth tokens. For non-token usage, add the X-DocuSign-Authentication header.
Example from the GUIDE:
X-DocuSign-Authentication:<DocuSignCredentials><SendOnBehalfOf>bob.smith#gmail.com</SendOnBehalfOf><Username>{name}</Username><Password>{password}</Password><IntegratorKey>{integrator_key}</IntegratorKey></DocuSignCredentials>
Where {name} is the email address of your API Initiator and {password} is the password of your API Initiator. Those credentials are used to authenticate the API call, but the envelope will be created and owned by "bob.smith#gmail.com" as the Sender.
Note 1: "bob.smith#gmail.com", i.e. the on-behalf user, must be an account member with "send envelopes" permissions.
Note 2: API Initiator credentials - recommendation is to use API Name (the User's GUID) rather than email address, and use the "encrypted password" instead of the plain-text password. This is retrievable via the login_information API call. These forms of the credentials are not useful for logging into DocuSign via the Web interface.
I am using Passport to register/authenticate using Facebook.
When oAuth is successful, I am returned:
accessToken
refreshToken
profile
Now... when a user successfully registers using Facebook, I store accessToken and the profile info.
When somebody wants to login, and goes through the oauth motions again, my app once more gets accessToken and profile.
Trouble is, accessToken is different. I actually expected the accessToken to be the same after the first authentication...
At this point, I am connecting my own local user with the facebook's id field from the profile. But... how would I actually use accessToken? Does it even make sense to keep it? If so, why would I actually keep it?
I actually expect accessToken to be the same, and use that to match a successful login. I obviously can't do that... so I am confused!
You need to keep accessToken if you want to query facebook's API on behalf of your logged-in-via-facebook user. If you want to use facebook just for login only, you can discard it. If you want to ask facebook for the user's most recent status update, for example, you need to include that accessToken as a parameter when making that API call. The point of the accessToken is that it allows a set of operations on behalf of a user, but it expires so if it falls into the wrong hands it cannot be used to cause as much damage as a permanent token or the user's actual password. It will be different every time by design.
You should store facebook Id. It should be in the profile object. Access token will change according to facebooks policy of authorization. What you should be doing is
Get the user to login through facebook
Check their facebook id against the facebook id in your database.
Access tokens expire frequently as described here
During connected app integration user is redirected to a callback url provided by application developer. At the last step of authentication it is written that "Save this access token for this user in your database." . But the problem is you do no get userId during this authentication process.
https://developer.foursquare.com/overview/auth#access
I get authentication code but can not access userId. How can get userId of authenticating user...
regards..
Once you have the access token, you can make a request to the users/self endpoint to get any information about the user associated with that token, including the user's id.
I'm using Token Flow as described here https://developer.foursquare.com/overview/auth
User authenticates foursquare and is sent to a callback page on my server from which I parse the access token for that user out of the url.
Once i have this access token, how do I look up the user so I can grab her uid?
thanks
Use the /users/USER_ID endpoint with user id "self" to get information about the acting user.