I'm setting up a document esigning process using Docusign. Since we have multiple associations, We have setup multiple accounts (around 20 APIAccountID under one organization (or you can say as one INTEGRATOR_KEY_ID)) one for each association. Can someone please let me know on how do we switch to different APIAccountID based on the request we get. Also, is it the right way to create a new DocuSignConnection every time when we get the request for different association ?
Your integration should use just one INTEGRATOR_KEY for the entire integration. When using one of the DocuSign OAuth flows such as JWT as you mention.
After the user grants access by providing their credentials and clicking Accept an access token will be sent back to your app (at the redirect URI you specify on your integrator key).
You then use that access token to call the User Info API which will return account ID for that given user.
User Info API
Request:
Authorization: Bearer eyJ0eX...MrhIddzBAQ
GET https://account-d.docusign.com/oauth/userinfo
Response:
{
"sub": "4799e5e9-1559-4915-9862-cf4713bbcacc",
"name": "Susan Smart",
"given_name": "Susan",
"family_name": "Smart",
"created": "2015-08-13T22:03:03.45",
"email": "susan.smart#example.com",
"accounts": [
{
"account_id": "a4ec37d6-04aa-4f37-86c2-143885c220e1",
"is_default": true,
"account_name": "Susan Smart",
"base_uri": "https://domain.example.com",
"organization": {
"organization_id": "9c5fb8e1-b0bf-4970-8e0e-054ff8a249bf",
"links": [
{
"rel": "self",
"href": "https://account.domain.example.com/organizations/9c5fb8e1-b0bf-4970-8e0e-054ff8a249bf"
}
]
}
}
]
}
You have one application which sends signing requests on behalf of multiple associations (organizations)?
As Ergin says, your application will have one integration key which will be used for all associations.
When a human logs into you app using OAuth Auth Code Grant, your app receives an access token. You can use that access token to look up the user's account and site (API URL).
Your application can make sending requests for any number of people and their associations. Each API request includes the user's individual access token, their account_id, and uses the site data to create the URL.
HTH.
Related
I want to be able to create a new user in our Azure B2C instance using their preferred email address as the username they will use when accessing our web portal.
I'm using the Invitation Microsoft Graph API to invite new users This sends them an email and they then signup with us. This however assigns them a unique username using a combination of their email and our domain i.e. myemail_adomain.com#EXT##our_verified_domain.com.
This leads to a terrible UX as users need to remember this very unmemorable username. Remembering passwords is enough of a challenge for users as it is.
If I create a user inside the Azure B2C portal I can give them any email address I want and not one of our verified domains using Create Azure AD B2C user
I want to be able to use this method but via an API.
The first 2 options, Create and Invite user, are available via the Microsoft Graph Inviations API
and the Create User API but I can't find a way to do option 3.
The Create API won't allow unverified domains and the Invite API creates the unique username which is very user unfriendly.
Does anyone know how I can do this?
The other option is to get them to signup themselves via a signup user flow but I'd rather avoid this as I want control over who is allowed to sign up.
• You can surely create a user in Azure AD B2C tenant through Microsoft Graph API by following the below documentation link for that purpose: -
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http
Ensure that you have ‘User.ReadWrite.All’ and ‘Directory.ReadWrite.All’ permissions for ‘Application’ and ‘Delegated’ permissions type and the same permissions are consented for Microsoft Graph API in the explorer also with ‘Admin Consent’. Once, these are done, then execute the below command in Graph API as shown below: -
POST https://graph.microsoft.com/v1.0/users
Content-type: application/json
{
"accountEnabled": true,
"displayName": "Adele Vance",
"mailNickname": "AdeleV",
"userPrincipalName": "AdeleV#contoso.onmicrosoft.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": true,
"password": "xWwvJ]6NMw+bWH-d"
}
}
As you can see, I don’t have sufficient privileges, so I can’t create a user in Azure AD B2C tenant.
The output will be as below after successful execution of the above Graph API command: -
HTTP/1.1 201 Created
Content-type: application/json
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd",
"businessPhones": [],
"displayName": "Adele Vance",
"givenName": "Adele",
"jobTitle": "Product Marketing Manager",
"mail": "AdeleV#contoso.onmicrosoft.com",
"mobilePhone": "+1 425 555 0109",
"officeLocation": "18/2111",
"preferredLanguage": "en-US",
"surname": "Vance",
"userPrincipalName": "AdeleV#contoso.onmicrosoft.com"
}
I am building a CLI tool and want to create a new programmatic user for each end user.
I.e. Joe Bloggs signs up with username and password but also has a client_id and client_secret which can be used in the CLI.
Is it possible to create this kind of user in Auth0 and if so, how can I create it programmatically?
It looks like I can use this to create users via the API and do something like:
axios({
method: "POST",
baseUrl: "https://<tenant>.eu.auth0.com,
uri: "/api/v2/users",
body: {
"email": "john.doe#gmail.com",
"phone_number": "+199999999999999",
"user_metadata": {},
"blocked": false,
"email_verified": false,
"phone_verified": false,
"app_metadata": {},
"given_name": "John",
"family_name": "Doe",
"name": "John Doe",
"nickname": "Johnny",
"picture": "https://secure.gravatar.com/avatar/15626c5e0c749cb912f9d1ad48dba440?s=480&r=pg&d=https%3A%2F%2Fssl.gstatic.com%2Fs2%2Fprofiles%2Fimages%2Fsilhouette80.png",
"user_id": "abc",
"connection": "Initial-Connection",
"password": "secret",
"verify_email": false,
"username": "johndoe"
}
})
However, this appears to be for creating an end user: Create a new user for a given database or passwordless connection. as opposed to a CLI type user which can use a client_id / secret.
Does anybody know if I can create this kind of user in Auth0?
The client_id and client_secret that Auth0 issues to Applications (known in the API as /Clients) are for machine-to-machine interactions with Auth0, not with your own service. They allow a trusted backend service to manage the users within Auth0. Or, they allow an Application to initiate a user's OAuth2 authentication flow.
It sounds like you are looking to avoid an OAuth2 authentication flow and provide a static API key, not for Auth0, but for your own service. Auth0 may be overkill in this case, but you can roll your own solution using Auth0, or any user store. One suggestion is to manually generate an API token for new Auth0 users and store them in the users' app_metadata. When your CLI provides a username and API key to your backend service, your trusted backend service can use its Auth0 client_id and client_secret look up the user in Auth0 and confirm that the API key in the app_metadata matches.
Also note the existence of the Resource Owner Password Flow. It would allow your CLI to provide a username and password directly to Auth0 on behalf of your CLI user. The API token that you generate can be set as the user's password.
I am working on creating a user in azure ad. For this, I am using microsoft graph API https://graph.microsoft.com/v1.0/users. Below is the json post I am using:
{
"accountEnabled": true,
"displayName": "test",
"mailNickname": "test",
"userPrincipalName": "test#mytennantname.onmicrosoft.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": false,
"password": "<password>"
}
}
Using above data, I am able to create user in azure ad. User is also able to sign in using test#mytennantname.onmicrosoft.com. I wanted to know if is there any way I can save the external email id of the user for ex test#gmail.com in azure, so that he can use test#gmail.com to sign in. Please help. Thanks
If the domain, e.g. gmail.com is not in your tenant's verified domains, you cannot "create" the user.
You will need to use the B2B invitation features to invite the user.
That's this API: https://learn.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=http.
So you will need to make a POST to /invitations with a request body like:
{
"invitedUserEmailAddress": "test#gmail.com",
"inviteRedirectUrl": "https://myapp.com"
}
Note these are the 2 mandatory properties, you can check what others are supported in the docs.
The redirect URI is where the user will be sent after they accept the invitation through the link they receive.
When you call this API, an email is sent to the user with a standard content.
I'm using the https://accounts.google.com/o/oauth2/auth? endpoint to obtain the id_token.
The scopes are openid profile email.
The problem is that when I try to verify that id_token I get iss, azp, aud, sub, email, email_verified, iat, exp, jti. And as you can see there is no any profile info like given_name, family_name, picture.
The official doc says that it should contain profile info:
// These seven fields are only included when the user has granted the "profile" and
// "email" OAuth scopes to the application.
"email": "testuser#gmail.com",
"email_verified": "true",
"name" : "Test User",
"picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
"given_name": "Test",
"family_name": "User",
"locale": "en"
All permissions are granted.
UPDATE
So in case anyone ever needs it.
As Vladimir Serykh mentioned, to get profile info we need to hit the /userinfo endpoint. But this endpoint takes access_token as a Bearer token in a Authorization header, so you need obtain that too.
So basically we need to call the OAuth2 with the response_type='id_token token' query parameter. After that the responseUrl will contain access_token too.
Next you just need to call the https://openidconnect.googleapis.com/v1/userinfo endpoint with a Authorization header set to Bearer your_access_token. You will get a response wiht the profile info:
"sub": "user_id",
"name": "Name Lastname",
"given_name": "Name",
"family_name": "Lastname",
"picture": "pic_url",
"email": "example#gmail.com",
"email_verified": true,
"locale": "en"
Thank you again, Vladimir Serykh
It's not very clear how old the documentation is (by the link you provided) and is it relevant to your case.
I know that different Identity Providers can work slightly different. And I know cases when you should make a separate call with obtained ID token to /userinfo endpoint to get user info.
There is some different Google documentation for Google Identity Platform.
It has description of ID tokens.
https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
Google ID Tokens may contain the following fields (known as claims):
Notice that it doesn't have always in Provided column. I think that it could be different for different APIs.
The same docs have section "Obtaining user profile information"
It explains where to get the /userinfo endpoint URL and how to call it. In the response you should receive the info you need.
My guess why it's not working in your case is that you are using /tokeninfo endpoint. It's not a part of OpenID Connect standard. It just validates the token and parses it (does the same job as https://jwt.io). And the original ID token doesn't contain that claims for some reason. Therefore /tokeninfo endpoint doesn't return them to you.
But according to Google's documentation and you should use /userinfo endpoint to obtain user info claims.
You can find description of this endpoint in OpenID Connect specification:
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
5.3 UserInfo endpoint
The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication.
I am trying to use Google OAuth authentication for Mobile App hosted in Azure, but getting user ID (SID) in different formats.
When I access the API from browser directly, I'm redirected to Google login page, and after authentication the next request to my API comes with the headers:
"x-ms-client-principal-name":"pavlolissovtest#gmail.com",
"x-ms-client-principal-id":"108491597139717511334",
"x-ms-client-principal-idp":"google",
"x-ms-token-google-access-token":"ya29.Ci9-A-oE8p4vVelYhRKqjMKY6KGxeW4OtXT-KGtBO3AxsiBqiCawn8sxL-qg4msWrw"
In Windows Phone App (authentication with WindowsAzure.MobileServices.MobileServicesClient), when logged with the same account, request comes with different headers:
"x-ms-client-principal-id":"sid:3fc89f071b7cb8f18919614ac46d3636",
"x-ms-client-principal-idp":"google",
"x-ms-token-google-access-token":"ya29.Ci9-AxC3kfrYrV8ssLUkbwFJJYDPsklsUH7r3HG0f6KB_wWzXV9AqE_wGPASiYxcWQ"
So now I have different principal ids for the same user account.
If now I call https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=, for both tokens I get the same result:
{
"azp": "1083509260178-cntp3794bggcs5dtkse0mtbvpqigoa78.apps.googleusercontent.com",
"aud": "1083509260178-cntp3794bggcs5dtkse0mtbvpqigoa78.apps.googleusercontent.com",
"sub": "108491597139717511334",
"scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
"exp": "1476643317",
"expires_in": "3161",
"email": "pavlolissovtest#gmail.com",
"email_verified": "true",
"access_type": "online"
}
This allows me to identify the user whatewer login option is used, but is it really correct to call googleapis for each request? What is the proper way of identifying the user from headers, or maybe converting one value into another?
And what is the meaning of having these values different?
Thanks for your advice!