I implemented Authorisation Code Grant like the example code provided using passport and it is working fine.
One thing that is confusing me is that when obtaining a new token, passport required authentication.
Are these supposed to be the credentials of our admin account? or, once we go live, is it the credentials of our user who is trying to sign a document (using embedded signing).
Thanks!
When you say
our user who is trying to sign a document (using embedded signing)
note that signers do not need a DocuSign account. They can have one, but they don't need one.
If you want to use embedded signing for a signer who does not have a DocuSign account, use a system account (and JWT Grant) to obtain the Signing Ceremony URL. (A system account can also be used to create the envelope, if necessary.)
Added
A "system account" is a user account in your DocuSign account that represents a generic, system, sender. For example, create a user account "Sales department." Then use JWT Grant (on your backend web server) to impersonate the Sales department user. The result is an access token that your application can use to create envelopes and then have them signed by your website visitors.
The "Sales department" user will be created and controlled by your system administrator. But there is no need for the system administrator to login every morning -- once the system administrator gives consent for the application to impersonate the Sales department user, your application can create new access tokens as needed that impersonate the Sales Department user.
The latter. When using Auth Code Grant, every user of your application will have to log into DocuSign and their credentials will be used.
Read more over here - https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-code-grant
Related
We have done one CRM integration where we as an CRM have our own docusign pro account.
We completed the GoLive process successfully and have all required data like Integration key, Account Id, Client Id and Secret Key for App.
Now this CRM integration will be used as an mediator for our clients who will have their own purchased docusign accounts.
So till now we have 2 accounts,
CRM Integration docusign account with GoLive status.
Client account to send their own documents for eSign through our CRM integration.
What we have achieved till now?
We completed the consent flow where we redirect our clients to docusign consent page where they provide consent to our app by login into their docusign account. In this flow we use CRM integration account id in URL which takes our client for consent page. On confirm the client will be redirected back to CRM with auth code attached in redirect URL.
We use this auth code to get access token for this client. We use CRMs account id, Integration App secret key and clients auth code to get the access token. We are successful in this too. We get clients access token. No Issues.
Now when our client is trying to send a document for eSign using the access token received in step 2 above, the docusign throws an error saying INVALID_USER.
I have referred to this post Simillar Issue it kind of approves of what we are trying to achieve but it is failing with error.
Let me try to explain and make sure it's clear.
The IK (Integration Key) is global for the entire environment. By environment I mean either the developer environment, or the production environment. When you went live and completed the process using a production environment - you made your IK available for any account and any user in the production environment.
Now, when you get an access token to make API calls, this token is for a specific userId. The userId can be a member of one ore more accounts as showed in this diagram:
The userId is provided by the user logging in when given the option to consent. So when you doing your consent flow, there's a web browser and user that logs in, that is the userId that consent.
Separately, when you request a token using JWT grant, you provide a userId, that userId is a GUID for a unique user in the system.
This GUID must be for the same exact production user that gave consent. That's first thing to confirm.
Now, if you already have an access token to make API calls, when you make a specific API call, you need to provide an accountID. That's another GUID representing an account, not a user. The userId that was provided to the JWT Grant flow must represent a user that has a membership (it is a member of) in the account for which you provided a GUID (a user can be a member of more than one account). That is the second thing to check.
Lastly, there's a baseURI that is used to make API calls and it can be different for different accounts. You need to also confirm you are using the correct one.
Some of my application's users have access to more than one DocuSign account. My app is designed to be used with a specific DocuSign account.
Can I specify the DocuSign account during login?
No. With DocuSign, a person authenticates themself as a user, not as a user for a specific account.
However, once the person has completed authentication, your software should use the /oauth/userinfo API call to learn which accounts the user has access to. This API call is also used to learn the user's name and email.
The /oauth/userinfo results will include an array of the accounts that the user is a member of (has access to). The array includes:
the account guid
the account name
the base URL for API calls to the account
whether the account is the user's default account or not
If your application is designed to work with a specific DocuSign account, then your software should check that the user has access to that account and give a clear error message if there's an issue.
If your application can work with any of a user's accounts, then the best pattern is to:
use the user's default account
enable the user to change which of their accounts your application will use
Notes
The /oauth/userinfo API call is available from the DocuSign OAuth service providers:
https://account.docusign.com (production)
https://account-d.docusign.com (development)
The /oauth/userinfo API supports CORS, so it can be used directly from browser-based apps
For context, we are currently developing a DocuSign integration on our DMS web app product. So far what we have done is that the web app's admin (we assume this would be someone like our customer's IT) can set up the integration by entering API Account ID, Integration Key, Secret Key, Access Token & Refresh Token. All these information was taken/generated using a DocuSign admin account. With this, we see that any user using the DMS can send out signing requests (via API) without logging in to their own DocuSign account.
However, we realised this means that all signing requests will be sent using the common DocuSign admin account, i.e. the envelopes originate from the admin account and all signed documents also stored in the DocuSign admin account. This is not what we want as the DocuSign admin can see confidential signed documents.
I'm quite confused and would like to seek advise on how should we go about this? Ideally, it is that User A of the DMS can associate his DocuSign account with his DMS account. So that when User A sends out the signing request from our DMS, the signer receives the email from DocuSign showing it is from that user instead of the common admin account.
Also, it looks like the go-live process would have to take place for each customer that is using our DMS? Does it mean like each customer need to have their DocuSign developer account so that the integration key can get promoted to production environment? Or am I in the wrong direction & should look at Partner Integration as ISV?
If your DMS system is a SAAS system, then you can have 1 integration key (client id) for your integration with DocuSign. In other words, your individual customers would NOT have their own integration keys, secrets, etc.
One integration key is the best, if your application's architecture can support it. To do so, you'll want to have one or just a few Redirect URIs to enable your users (who also have DocuSign accounts) to authenticate with DocuSign.
Your app then stores the resulting access token, refresh token, and expiration date for each of your users who have authenticated with DocuSign.
This way, as you say, when your users send out an envelope for signing, it will belong to their own DocuSign account, and will show them as the sender.
When your customer wants to send via DocuSign, your app checks the expiration date for the person's access token. If the access token has expired, then use the refresh token to get a new access token and a new refresh token.
The refresh token is stored in your app's non-volatile storage (encrypted is best) so you can use it days or weeks later for the user. That way they don't have to re-authenticate with DocuSign. For this case, use scopes signature%20extended
For the account_id info, use the user's default account and enable them to switch to another account if they wish.
More information:
Getting started for ISVs
API integration guidelines
I'm trying to make an app that would make CRUD operations on Users and their Signatures.
I'm able to make an Get request on admin user but on the another user I'll get error
"errorCode": "INVALID_USERID",
"message": "Invalid UserId. UserId specified in request uri does not match authenticated user."
I'm using Authorization Code Grant for getting Access token and API calls instead of SDK.
Your application can impersonate another user if you use the JWT grant.
But, as you've discovered, that user must first grant consent to be impersonated by your application.
To grant consent individually, you must be able to login as the user. (Eg, go through the email verification process used for new user accounts, create a password, etc.)
Consent can also be granted at the organization level if you have Organization Administration turned on and if you've "captured" a DNS domain. SSO is not needed.
When you impersonate someone you can't sign an envelope for them. -- You can't programmatically sign an envelope for yourself or anyone. Signing is only done by real humans.
Exception: the DocuSign Signature Appliance can programmatically digitally sign documents if it is equipped with the signer's public/private key pair. A use case for this feature is digitally signing (many) invoices that are being automatically sent.
My project requirement is as below:
With out any user interaction in browser we need to generate unique URL for each user to sign the uploaded document.
Assume we have a backend java class running in backend and we have to achieve this without any customer interaction.
Problems:
We are not able to follow the steps given by docusign to agree for consent via administrator. We dont see the organization Tab in our demo account.
It says to contact admin - who is the admin for a demo account ?
You don't need User Consent or Admin Consent to sign the uploaded document. Signing is part of workflow, and signing can be done either remote or embedded. Remote Signing means DocuSign will send an email to the recipient (Signers) of the envelope and they have to complete the Signing process from the DocuSign email only. Whereas, embedded Signing is, signers have to come to your App and your App will be hosting the Signing ceremony inside your App, and generating the Signing URL using DS APIs, example of embedded Signing is available here or sample example. In no case, you need User or Admin consent, User/Admin Consent is needed for Sender's authentication normally, where your App want to do something for them on the user's behalf, for instance send an envelope for a user, then you need the User or Admin Consent.
Admin Consent can be achieved by Organization module in DocuSign, in which you have to claim the email domains of the user in DocuSign, these users should have email (DS Username) in the claimed email domain. Using Admin Consent you cannot generate Access token for them if they belong to email domain like GMail, Yahoo, as you cannot claim their domain in DocuSign. To enable Organization in your DS Account, I would assume you would have purchased DocuSign subscription for PROD DS Account, you need to contact your PROD DS Account's Account Manager, and DS AM can enable Organization from backend for your Demo Account for your Dev purpose (Org Admin comes with extra price, so you need to check with your AM if its included in your subscription).