I'm using the python SDK for Docusign API. I created an integration in the sandbox and successfully promoted the integrator key to a production account.
I retrieved the integrator key, API Acccount ID and API Username from Admin > API and Keys on Docusign.com for the production account. I successfully obtained consent and successfully get a token via configure_jwt_authorization_flow().
However, when I try to make an API call with the token I get: USER_DOES_NOT_BELONG_TO_SPECIFIED_ACCOUNT.
If I use /oauth/userinfo with my token, I get same Username and Account ID that I retrieved above from the Docusign web page.
I haven't posted any code because the code works with my Sandbox account. I just don't understand why the information from the API and Keys page on the website isn't working.
The crazy thing is that I'm logging in as the user in Docusign to obtain the account information. Why doesn't the API think the user is part of that account?
Any help will be much appreciated.
Thanks
Answering my own question in case it helps someone else...
I was using the wrong "Base URL" in production (i.e. https://www.docusign.net/restapi). You need to determine your custom endpoint based on your account. Like this:
curl -i -H "Accept: application/json" -H 'X-DocuSign-Authentication:{"Username": "yourownemail#xxx.com","Password": "yourOwnPassword", "IntegratorKey": "yourOwnIntegratorKey"}' -X GET https://www.docusign.net/restapi/v2/login_information
The result will be something like:
{ "loginAccounts": [ { "name": "John Dough", "accountId": "12345",
"baseUrl": "https://na2.docusign.net/restapi/v2/accounts/12345",
"isDefault": "true", "userName": "John Dough", "userId":
"02e6fc42-0c2e-4e8e-ade1-8ed6f140daee", "email": "john#example.com",
"siteDescription": "" } ] }
Use the returned value of baseUrl for your integration.(https://na2.docusign.net/restapi).
Related
I have setup oauth via azure, i have received an authorization_code which i have exchanged for an access_token. I am then attempting to use that access token to get userinfo data including the email as described in the docs (https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo). However in the response it does not return to me the email.
{
"sub": "<redacted>",
"name": "John Doe",
"family_name": "John",
"given_name": "Doe",
"picture": "https://graph.microsoft.com/v1.0/me/photo/$value"
}
The documentation suggests that in order for email to be returned in the response it requires the email scope. https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo#userinfo-response
However i believe i am already specifying that i want the email scope.
App Permissions
/oauth2/v2.0/token (the scope shows profile, openid, email and user.Read)
What am i missing?>
I tried to reproduce the same in my environment and got the below results:
I created one Azure AD application and added API permissions as below:
Now I generated the access token with same scope as you like below:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:app_id
grant_type:authorization_code
scope:https://graph.microsoft.com/User.Read
client_secret:secret
code:code
redirect_uri:redirect_uri
Response:
I used the above token to get user info data and got response without email like below:
GET https://graph.microsoft.com/oidc/userinfo
Response:
This is because the email field in user's profile is not set. So, I updated email field by editing user's properties.
Now I generated access token again and used it to get user info data and got response with email like below:
GET https://graph.microsoft.com/oidc/userinfo
Response:
I am working on creating a user in azure ad. For this, I am using microsoft graph API https://graph.microsoft.com/v1.0/users. Below is the json post I am using:
{
"accountEnabled": true,
"displayName": "test",
"mailNickname": "test",
"userPrincipalName": "test#mytennantname.onmicrosoft.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": false,
"password": "<password>"
}
}
Using above data, I am able to create user in azure ad. User is also able to sign in using test#mytennantname.onmicrosoft.com. I wanted to know if is there any way I can save the external email id of the user for ex test#gmail.com in azure, so that he can use test#gmail.com to sign in. Please help. Thanks
If the domain, e.g. gmail.com is not in your tenant's verified domains, you cannot "create" the user.
You will need to use the B2B invitation features to invite the user.
That's this API: https://learn.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=http.
So you will need to make a POST to /invitations with a request body like:
{
"invitedUserEmailAddress": "test#gmail.com",
"inviteRedirectUrl": "https://myapp.com"
}
Note these are the 2 mandatory properties, you can check what others are supported in the docs.
The redirect URI is where the user will be sent after they accept the invitation through the link they receive.
When you call this API, an email is sent to the user with a standard content.
To add users to our Azure Organization, we go to this page https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers and then create or invite a new user.
Is it possible to do it via a REST API? I looked into their REST API docs https://learn.microsoft.com/en-us/rest/api/apimanagement/ but I couldn't find this information anywhere.
You can do this using Azure Graph API. In this link you can find an example for creating a user using the Graph API and here is the quick start guide for this API.
Basically, it looks like follows:
POST https://graph.windows.net/myorganization/users?api-version
Authorization: Bearer {token}
Content-type: application/json
{
"accountEnabled": true,
"displayName": "Alex Wu",
"mailNickname": "AlexW",
"passwordProfile": {
"password": "Test1234",
"forceChangePasswordNextLogin": false
},
"userPrincipalName": "Alex#a830edad9050849NDA1.onmicrosoft.com"
}
You can find the Grprah API reference to create users here. The Graph API quick-start can help you with sample codes on how to do it.
You would need to make sure that you have user creation rights in azure AD where you are trying to create users. generally, our account must have user account administrator role or global admin role in the directory.
I'm setting up a document esigning process using Docusign. Since we have multiple associations, We have setup multiple accounts (around 20 APIAccountID under one organization (or you can say as one INTEGRATOR_KEY_ID)) one for each association. Can someone please let me know on how do we switch to different APIAccountID based on the request we get. Also, is it the right way to create a new DocuSignConnection every time when we get the request for different association ?
Your integration should use just one INTEGRATOR_KEY for the entire integration. When using one of the DocuSign OAuth flows such as JWT as you mention.
After the user grants access by providing their credentials and clicking Accept an access token will be sent back to your app (at the redirect URI you specify on your integrator key).
You then use that access token to call the User Info API which will return account ID for that given user.
User Info API
Request:
Authorization: Bearer eyJ0eX...MrhIddzBAQ
GET https://account-d.docusign.com/oauth/userinfo
Response:
{
"sub": "4799e5e9-1559-4915-9862-cf4713bbcacc",
"name": "Susan Smart",
"given_name": "Susan",
"family_name": "Smart",
"created": "2015-08-13T22:03:03.45",
"email": "susan.smart#example.com",
"accounts": [
{
"account_id": "a4ec37d6-04aa-4f37-86c2-143885c220e1",
"is_default": true,
"account_name": "Susan Smart",
"base_uri": "https://domain.example.com",
"organization": {
"organization_id": "9c5fb8e1-b0bf-4970-8e0e-054ff8a249bf",
"links": [
{
"rel": "self",
"href": "https://account.domain.example.com/organizations/9c5fb8e1-b0bf-4970-8e0e-054ff8a249bf"
}
]
}
}
]
}
You have one application which sends signing requests on behalf of multiple associations (organizations)?
As Ergin says, your application will have one integration key which will be used for all associations.
When a human logs into you app using OAuth Auth Code Grant, your app receives an access token. You can use that access token to look up the user's account and site (API URL).
Your application can make sending requests for any number of people and their associations. Each API request includes the user's individual access token, their account_id, and uses the site data to create the URL.
HTH.
I encountered a new issue today when I tried to send a request with my new production account and the integrator key, newly promoted to Live status.
The API login succeeded, and it returns my AccountID.
However, when I try to create an envelope with envelopesApi.CreateEnvelope API call, I received the following error.
I tested the code with my demo account and key, couple of days ago. It was working fine. I think it is related to the key, because the login request was succeed.
DocuSign.eSign.Client.ApiException: 'Error calling CreateEnvelope: {
"errorCode": "USER_AUTHENTICATION_FAILED",
"message": "One or both of Username and Password are invalid."
}
Please let me know if there is anything else I need to do.
Often when the USER_AUTHENTICATION_FAILED error is received and you are positive the correct user/pwd combo is being provided it's because of the wrong account endpoint being accessed.
You need to parse sub-domain of the baseUrl that is returned from the Login API (property is called base_uri if using OAuth2) and configure your api client with that sub-domain.
When testing in demo it's ok if you miss this step since all accounts are under the demo.docusign.net sub-domain, however in production there are multiple sub-domains (ie. www, na2, eu, etc) so you need to re-configure once right after authentication.
Example:
The response to the Authentication: login API looks like:
{
"loginAccounts": [
{
"accountId": "123456",
"baseUrl": "https://na2.docusign.net/restapi/v2/accounts/123456",
"email": "jdoe#example.com",
"isDefault": "true",
"name": "LoanCo",
"siteDescription": "",
"userId": "abcdff66-f92e-4e8e-ab81-8c46f140",
"userName": "John Doe"
}
]
}
Then instantiate a new API client using the sub-domain that was returned in the login response:
ApiClient apiClient = new ApiClient("https://na2.docusign.net");