I have built an integration with the Docusign API, but am unable to successfully complete the JWT auth flow with our production account.
Everything works fine in our sandbox account - I went through all the steps described in the docs (https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken), and successfully promoted the integration key to our production account.
However, with the production account, running through the same code to initiate the JWT results in a 400 Bad Request error, with no additional information about the nature of the failure. I've double checked that we are using the correct oauth base domain (what Docusign calls aud) and that RSA keys and redirect URLs are correctly configured for the production account.
I've also gone through all of the "go live" steps, except for one which mentions migrating users, since it doesn't seem like this functionality is available on our production account dashboard. On the sandbox account, which has all enterprise features enabled, the sidebar has a section for "Users and Groups" but there is no such section on our production account.
I'm wondering if the root of the problem is that our production account, which is the Basic API level account, doesn't have adequate permissions to support the use case I'm building for.
Unfortunately I can't get a straight answer from either account reps or tech support folks as to whether this is true.
Are you trying to use the same RSA key you used in Sandbox in Production by any chance?
Also, did you actually get your IK certified and active in production?
I am trying to set up Web Security Centre for my Google AppEngine App.
I tried using Google as well as Non-Google Account for Authentication where I provided Username and Password but it errors out saying
Could not sign in using the provided username and password
I tried below things:
Tried creating a test account vikash-security#gmail.com (in compliance with the Google naming convention) in my Gmail and using the same for authentication. (This user had the same domain name as my company's.)
Created a test user with different domain name and used it for the authentication.
Both the above users have access to my Google App.
Neither of the above ways worked; both throw the same error. Can anyone help me out with this?
Google enforces a real name policy on G+ accounts. Your test account may be blocked from G+ if the name does not look real [1]. It will only work if the Google account you provided has been G+ verified (with proper G+ setup), but you still need to retry after the first failed attempt and it will eventually work.
There are a few issues related to this, and if this is a bug it will be resolved soon.
I raised this concern with the Google support team and got to know that there was an issue on their end; they have fixed it and now my web security custom scan is working with non-Google authentication.
I'm seeking your advice to piece together a mechanism that would facilitate authentication to Dialogflow ES and CX to allow running experiments on multiple agents (projects) from our workbench application in a smooth and error-proof manner. The workbench is an internal tool written in TypeScript (using the dialogflow RPC node module) running outside of GCP. Our users analyze the results of sending the same inputs (utterances) to multiple agents, usually going back and forth between them in the course of their work.
With proper IAM configuration, we have been able to detect intents successfully by doing a gcloud auth application-default login, however we haven't found a way to update the quota project programmatically or to specify the quota project through the google.cloud.dialogflow library, so we haven't been able to fix the "switch easily between projects" part. It looks like tampering with the quota_project_id property in application_default_credentials.json once authenticated is the way to go (gcloud auth application-default set-quota-project <project>) but we would have preferred doing this programmatically.
Using service account keys (JSON) works as expected and that's what we have been doing so far; that's also what we do in our CI/CD pipeline and in our agents running in production. But we aim at reducing the number of service account credential files that we share with individuals. Ideally, speech/data scientists would use their own end-user credentials to perform experiments.
We are looking for alternatives so that users would authenticate once with gcloud auth application-default login and the workbench would handle the rest behind the scenes, using only, as additional argument, the project-id against which the experiment must be run. This would eliminate the need to pause the experiment to update the quota project (using set-quota-project), or to update the GOOGLE_APPLICATION_CREDENTIALS variable when using service account keys.
Another thing we tried was Service Account Impersonation, unfortunately this does not seem supported by the google.cloud.dialogflow library, so even though we were able to successfully submit requests (with Curl/Postman) to the Dialogflow RESTful API using impersonation, we haven’t been able to leverage this mechanism in our code.
Has anyone been able to overcome a similar challenge? Is there any other authentication mechanism that could help us achieve this goal?
According to the new Gmail OAuth policies, certain authentication scopes require a new App Review process.
I want to replace the restricted scopes I'm currently using with just one non-restricted scope.
Does this mean I can simply skip the verification process? Or does this mean other granted scopes like the one from Drive ('https://www.googleapis.com/auth/drive') will be revoked, or will my app get an "unverified" screen?
According to the FAQs, you do not need to request verification if your app is going to be used in any of the following scenarios:
The app is not shared with anyone else.
The app is used to send emails through Wordpress, or similar single account SMTP plug-ins.
The owner and users of your apps belong to the same G Suite domain or customer.
The app is trying to access data from users' Google Cloud Platform project. For instructions on using a service account, see Using OAuth 2.0 for Server to Server Applications.
As for your second question, if your app uses sensitive scopes or does not fall in the above scenarios, then yes, your apps will get the Unverified App screen.
If you don't publish your app for review:
If your public application uses sensitive scopes that permit access to certain user data, users of your application might see an Unverified App screen.
To protect users and Google systems from abuse, applications that use OAuth and Google Identity have certain quota restrictions based on the risk level of the OAuth scopes an app uses. Failure to get your app verified might result in your project quota getting exhausted. Learn more about Unverified Apps.
You can visit the FAQs if you have other questions.
If you request scopes that Google considers sensitive, you will most likely be denied approval. It is better to limit the scopes that you request to just the ones for identity.
If you don't, your app will have this big warning that your app is not trusted while you wait for approval. Then your app will be denied.
Eliminate scopes until the request approval button is disabled. Once your scopes are limited to the point that Google does not require approval for your app you will be OK.
Please ensure you have added all the scopes used by your app on the OAuth Consent configuration screen in Google Cloud Console. Once you have done that, the screen should flag the scopes which need to go through verification.
Even if your app doesn't use any restricted scopes, it may be using some sensitive scopes for which you will have to go through the OAuth verification process.
Hope this helps.
I have an application that uses the DocuSign API (the NodeJS SDK, specifically) and got everything working perfectly on the demo sandbox. The Docusign people certified the app for production.
I followed the "Go Live" documentation and changed the endpoint from https://demo.docusign.net/restapi to https://www.docusign.net/restapi in my apiClient.setBasePath(), however, I'm getting a USER_AUTHENTICATION_FAILED error.
The username and password have been set to the same as on the demo sandbox, so I know they are correct. Also the IntegratorKey is the same as the demo sandbox, and after they certified the app, I can now see it in my production account.
Here is a pastebin of the error
Any assistance would be greatly appreciated!
This is most likely a baseUrl issue; you should be parsing the baseUrl that is returned in the login API and using that as the base for subsequent API requests in production.
In your developer sandbox (i.e. demo) environment all URLs start with "https://demo.docusign.net/", which is why all your test calls work in demo; in the live production system the account URL will vary based on the user and which data center their live production account resides on.
You need to parse the baseUrl value that is returned from the Authentication:login API and use that as the base for subsequent DocuSign API requests, or use the base_uri value if using OAuth.
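The parsing step the answer describes, as an added example in plain Node.js (not DocuSign SDK code and not the answer author's): it derives the base path from the login response's baseUrl (or from an OAuth userinfo base_uri), and checks that the returned host is an https docusign.net origin before the app routes authenticated calls to it. The sample responses, hosts and account ids are constructed.

```javascript
// Added example, not DocuSign SDK code: derive the production REST base path
// from what the login call returns instead of hard-coding www.docusign.net.
// Sample responses below are constructed; hosts and account ids are made up.

const TRUSTED_SUFFIX = '.docusign.net';

// Refuse to send API traffic (and credentials) to a host we did not expect.
function assertDocusignOrigin(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== 'https:' || !url.hostname.endsWith(TRUSTED_SUFFIX)) {
    throw new Error(`untrusted base URL: ${urlString}`);
  }
  return url;
}

// Legacy login_information: loginAccounts[].baseUrl looks like
// https://na2.docusign.net/restapi/v2/accounts/1234567; everything up to
// '/restapi' is what apiClient.setBasePath() wants.
function basePathFromLogin(loginInfo) {
  const accounts = (loginInfo && loginInfo.loginAccounts) || [];
  const account = accounts.find((a) => a.isDefault === 'true') || accounts[0];
  if (!account) throw new Error('login response lists no accounts');
  const url = assertDocusignOrigin(account.baseUrl);
  if (!url.pathname.startsWith('/restapi')) {
    throw new Error(`unexpected baseUrl path: ${url.pathname}`);
  }
  return { accountId: account.accountId, basePath: url.origin + '/restapi' };
}

// OAuth userinfo: accounts[].base_uri is only the origin
// (e.g. https://na2.docusign.net), so '/restapi' must be appended.
function basePathFromUserInfo(userInfo) {
  const accounts = (userInfo && userInfo.accounts) || [];
  const account = accounts.find((a) => a.is_default === true) || accounts[0];
  if (!account) throw new Error('userinfo lists no accounts');
  const url = assertDocusignOrigin(account.base_uri);
  return { accountId: account.account_id, basePath: url.origin + '/restapi' };
}

// Constructed legacy login response: two accounts on different data centers.
const sampleLogin = {
  loginAccounts: [
    { accountId: '7654321', baseUrl: 'https://na3.docusign.net/restapi/v2/accounts/7654321', isDefault: 'false' },
    { accountId: '1234567', baseUrl: 'https://na2.docusign.net/restapi/v2/accounts/1234567', isDefault: 'true' },
  ],
};

console.log(basePathFromLogin(sampleLogin)); // { accountId: '1234567', basePath: 'https://na2.docusign.net/restapi' }
```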
I ran Google Cloud Security Scanner against my Google App Engine app. I asked it to authenticate against a "Non-Google Account" -- in other words, user-name/password fields in my webapp. However, I get back the message "Could not sign in using the provided username and password" each time.
(I tried it several times, specifying different user-agents and credentials and against two variants of my login page; and of course confirming that the credentials work when typed in manually. I have the necessary Editor-level permissions on the Google Cloud project.)
What do I need to do to get the Scanner to authenticate?
Here's what the docs say about Non-Google account authentication:
Note that support for login forms is still in development, and may not work out-of-the-box with your system. If you have confirmed your test account is able to login manually, but not in Cloud Security Scanner, use the feedback option within the tools to request support.
One possible workaround is to create a simplified alternative login form for the purposes of using the scanner if it's unable to work with the current one.