I am trying out the DocuSign sandbox environment, in which I have created an integrator key with an appropriate redirect URI.
When I request the API:
https://admindemo.docusign.com/oauth/auth?response_type=id_token&scope=open_id&client_id=<integrator-key>&state=custom&redirect_uri=https://webhook.site/1b7aba4c-f96f-41e1-922d-2d8d38392208&admin_consent_scope=impersonation
DocuSign does not redirect to the redirect URL, but opens the DocuSign admin page.
If I request the URL:
https://account-d.docusign.com/oauth/auth?response_type=id_token&scope=open_id&client_id=<integrator-key>&state=custom&redirect_uri=https://webhook.site/1b7aba4c-f96f-41e1-922d-2d8d38392208&admin_consent_scope=impersonation
Then I get the error:
You are not an organization admin. Please contact your DocuSign Administrator
response_type=id_token is invalid. The response type should be code. Unfortunately, the 'Obtaining Consent' documentation still references this incorrect value.
scope=open_id can only be used if your account is associated with an Organization, and if you are an Organization Administrator. If your account is not under an Organization, you'll need to use the individual consent workflow, which means scope should be signature impersonation and the admin_consent_scope parameter should be removed.
If you would like to create an Organization in the sandbox environment, you will need to open a case with DocuSign Support requesting that functionality be added to your Demo account. To have that enabled in Production, you'll need to contact your Account Manager or the Sales team.
Your question is not so clear -- please update your question if this answer is in the wrong direction.
I think you are trying to implement the oauth authorization code grant flow and are having a problem.
The starting url for DocuSign for the oauth auth code grant flow:
For the developer sandbox environment: https://account-d.docusign.com/oauth/auth
For the production platforms: https://account.docusign.com/oauth/auth
Also, why are you including the admin_consent_scope query parameter?
Hopefully this answer regarding the correct url will help. If so, then ask a NEW question if you run into any future issues.
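The corrections from the two answers above, as an added example that is not part of the original posts or DocuSign's own code: it builds an individual consent URL, lints an existing URL against the points the answers raise, and checks the `state` value on the callback. The function names, the random `state` and the constant-time comparison are assumptions of this example.

```javascript
// Added example (not DocuSign's code): consent URL builder, linter and state check.
const crypto = require('crypto');

// Authorization endpoints named in the answer above.
const AUTH_ENDPOINTS = {
  demo: 'https://account-d.docusign.com/oauth/auth',
  production: 'https://account.docusign.com/oauth/auth',
};

// Individual consent: response_type=code, scope "signature impersonation",
// no admin_consent_scope. A random state ties the callback to this request.
function buildIndividualConsentUrl(env, integratorKey, redirectUri) {
  const state = crypto.randomBytes(16).toString('hex');
  const query = new URLSearchParams({
    response_type: 'code',
    scope: 'signature impersonation',
    client_id: integratorKey,
    state,
    redirect_uri: redirectUri,
  }).toString().replace(/\+/g, '%20');
  return { url: `${AUTH_ENDPOINTS[env]}?${query}`, state };
}

// List what the answers flag in a URL meant for the individual consent workflow.
function lintIndividualConsentUrl(rawUrl) {
  const url = new URL(rawUrl);
  const q = url.searchParams;
  const findings = [];
  if (!Object.values(AUTH_ENDPOINTS).includes(url.origin + url.pathname)) {
    findings.push(`unexpected authorization endpoint ${url.origin}${url.pathname}`);
  }
  if (q.get('response_type') !== 'code') findings.push('response_type should be code');
  if ((q.get('scope') || '').split(/\s+/).includes('open_id')) {
    findings.push('scope=open_id needs an Organization and an Organization Administrator');
  }
  if (q.has('admin_consent_scope')) findings.push('remove admin_consent_scope for individual consent');
  return findings;
}

// On the redirect back, accept the response only if state is the value we issued.
function stateMatches(issued, returned) {
  const a = Buffer.from(String(issued));
  const b = Buffer.from(String(returned));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

Store the returned `state` in the user's session before redirecting, and reject any callback for which `stateMatches` is false.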
I am trying to implement the clickwrap process and am using the PHP SDK.
When going through auth via the Authorization Code Grant method, part of the process asks for a login before completing. I've used my dev account details; however, why is this step needed, as we are already passing through various keys/IDs?
Is this specific to the development environment or will this also happen in prod?
What will be presented to the end user who does not have a DocuSign account?
I understand the 'obtain user consent' and can work that into the workflow but this is confusing.
I have worked through the Quickstart app as well and that has the same process. Have I misunderstood something?
If you want a page on your application to include a DocuSign clickwrap agreement, then you do not need to use the Click API. (It really should be named the Click Management API.)
What you do: follow the instructions for adding a clickwrap agreement shown in the Click User Guide.
The Click Q & A page is also helpful.
The "Click API" is only needed if you want to programmatically look up the Click agreements, modify the Click configuration, etc.
If you're just building an app that would ask for user to agree to a clickwrap using DocuSign Click, you won't need the end-user to authenticate.
I suggest you look at https://myclickwrap.sampleapps.docusign.com/myclickwrap/ and the code in GitHub.
Your app needs the creds to make API calls, but you could use JWT, for example, with one-time consent, and your app will not make these API calls on behalf of anyone, but just for the one user that the account uses.
All of this is the same in the developer env or production.
My use case is thus:
I will have access to a single DocuSign account which would belong to Acme Inc. (I am currently using a sandbox account).
Acme Inc. has many branches, each with its own employees with different documents that they must sign depending on which branch they work in.
From my internal application, the admins of the branches will upload documents and set the email addresses that the documents must be sent to.
The employees will complete the signing ceremony after following the link in the mail that they will receive.
MAIN ISSUE - Once the signing ceremony is complete, I require the employee to be redirected to a certain page of the internal application where they must complete some additional steps.
What I have so far:
I ran the example provided here. The issue with this is the permission request. I do not want an access prompt, rather, I want this done in the Admin Panel itself so that requests to the DocuSign API from my Server Application contain a valid token or receive a new one in case the existing one has expired. I saw from here that the JWT Grant system fit my use case, and I ran that using consent from a single user, however, I am stuck trying to figure out how to redirect the signer (employee) to the page I want with some parameters in the redirection URI. This can be as simple as the one provided (state=123) in the (eg-01) Embedded Signing example provided with the Auth Grant sample.
I apologize for not having any code snippet to show, as I have not integrated anything into my internal application as of yet; I am merely running the code from the GitHub examples. Please let me know if I need to provide any additional information in order to facilitate your understanding of my requirements.
Any help provided would be much appreciated!
I think your main issue is the authentication type you are using.
You used the example showing Auth Code Grant, which does require users to log in.
You could instead use JWT (JSON Web Token) which does not require that (only once, and that can be done by you).
The code for making API calls, redirecting after the signing ceremony, etc. is the same. All you have to do is change the code that was used to obtain the access token (and you also need some configuration changes).
You can find a Node.js example of JWT here - https://github.com/docusign/eg-01-node-jwt
If you want to read more about JWT - https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken
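The JWT approach this answer recommends, as an added example that is not taken from the linked repository or from DocuSign: it signs the assertion and caches the access token so the server only requests a new one near expiry. The claim layout follows the JWT guide linked above as this example understands it; `requestToken`, the function names and the 300-second margin are assumptions.

```javascript
// Added example (not DocuSign's code): JWT Grant assertion plus a token cache.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Claims: iss = integrator key, sub = the user who granted consent once,
// aud = account server host (account-d.docusign.com for the sandbox).
function buildAssertion({ integratorKey, userId, privateKey, aud, now, ttl = 3600 }) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: integratorKey, sub: userId, aud,
    iat: now, exp: now + ttl, scope: 'signature impersonation',
  };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${b64url(sig)}`;
}

// Form body for the POST to https://<aud>/oauth/token.
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}

// Returns getAccessToken(): reuses the cached token and asks for a new one
// only when it is missing or within marginSec of expiry. requestToken is an
// injected, hypothetical function resolving to { access_token, expires_in }.
function makeTokenProvider(requestToken, marginSec = 300) {
  let cached = null;
  return async function getAccessToken(now = Math.floor(Date.now() / 1000)) {
    if (!cached || now >= cached.expiresAt - marginSec) {
      const res = await requestToken();
      cached = { token: res.access_token, expiresAt: now + res.expires_in };
    }
    return cached.token;
  };
}
```

Keep the RSA private key out of the repository and load it from a secret store; anyone holding it can mint tokens for the consenting user.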
I am using the sandbox account and trying to set up an eNotary Profile. Being that it's a sandbox area, I would assume that I don't need a valid notary ID to create one.
Can someone help me set up a Notary Profile on my sandbox account?
QA Question Newly Added: Will ALL test users have to go through this same process, or is it just the main account that needs it set up? Reason being, we have a client that will be using the system. For our teams, and their teams, we will need accounts to test this.
I assume you are talking about IDV, which is a special kind of recipient authentication that requires them to use an ID before they can sign a document.
This feature is not available in the sandbox normally because there's cost associated with each transaction.
We may be able to assist you on a case-by-case basis if you have a legitimate need to test this functionality in the developer sandbox.
See https://developers.docusign.com/esign-rest-api/guides/concepts/recipient-authentication for more information about recipient authentication.
Setting up eNotary requires some back-end switches to be flipped on your account. Please open a Support Case requesting that be enabled and provide your Demo account ID.
We are allowing users who have created their accounts with DocuSign directly to connect to an integration we are providing. As a result, we have no control over the account settings in place for each account created.
We are using the SOAP API and our header is composed as follows.
r.Headers.Add("X-DocuSign-Authentication",
    string.Format("<DocuSignCredentials><Username>{0}</Username><Password>{1}</Password>" +
        "<IntegratorKey>{2}</IntegratorKey></DocuSignCredentials>",
        Email, Password, IntegratorKey));
On envelope creation everything works; however, on the following calls (RequestRecipientToken, RequestUrlSenderToken, and GetAuthenticationToken) we are receiving the following error message: "This User lacks sufficient permissions. Fail to resolve SendOnBehalfOf user".
Do accounts created with DocuSign have the API rights enabled automatically? If not, how do you suggest we instruct them to enable them?
Is there a programmatic change we can make to avoid the issue?
It sounds like the BehalfOfUser may be lacking the proper permissions.
The DocuSign user associated with the element in your request must have the following permissions activated/checked in their DocuSign permission profile. As a DocuSign administrator, select Preferences > Users. Find the send-on-behalf-of user. Open their profile and check the permissions associated with them.
1) Within the Sending and Signing section, check 'Send Envelopes'
2) Within the DocuSign API section, check 'Sequential Signing (API)'
Our implementation was correct but we were passing the wrong variables for that particular user. The header listed in the question can be followed for future implementations.
I have developed an integration using the DocuSign SOAP API. We had the integration certified. It works great using the demo API URLs and my dev account. When I update the API URLs to production and use my live production account, I get the return status of "One or both of Username and Password are invalid" when I call CreateEnvelope(). I have verified the user name and password are correct. I use them to log into the production account. I am setting the username in the code like [APIKEY]APIUSERNAME.
Does a DocuSign account need to be authorized to use an integration? How do I know my integrator key was moved over to production after certification? Any ideas when this works in dev but not in production?
Just wanted to follow up and post the answer to this issue. After working with Partner support I was able to get things working.
The issue was related to using the wrong base URL when I created my API proxy. I was just passing in the DocuSign production URL, when I actually needed to get this in the configuration for each user that uses the integration. When I get the base URL in the config part of the app, it returns the actual server on which the user's account resided (which includes the na1 or na2 etc. server name in the URL). After adding this to the config and using this new base URL in my calls, the app works as it should.
Yes, I believe DocuSign production accounts need to be authorized to use the API. If you are positive that you are passing the correct username and password in your code, then it's quite possible that this is an account issue.
For resolution I would suggest the following. For questions regarding your integration key and if it was indeed promoted to production following your successful certification you should contact
apicertifications#docusign.com
And if you have an account manager you might want to try reaching out to them as well, which might get your questions answered sooner.