This is in regards to DocuSign.
We will be using the JWT OAuth approach for authentication in our project. Currently, for the first time, user consent is required to be provided before it generates the JWT token via code/API (see snapshot).
My question is: can we bypass this first-time user consent, either in our code or by some other technique, so that the flow is smooth right from the first instance?
The link I referred to is: https://developers.docusign.com/esign-rest-api/guides/authentication/obtaining-consent
Thanks in advance!
Atul
Yes, if you have Organization Administration enabled for your DocuSign account then you can proactively grant consent for some or all of the users in your account.
Talk with your DocuSign contact to try out Organization Administration.
Currently doing a POC for one of our customer requirements. We will have a single admin user for the organization, so JWT authentication suits our requirement. Since my developer account has not got the admin feature enabled, I can't grant administrative consent to my application, so we are blocked. Can you please give admin access to my account?
Just trying to follow through the steps in the video.
https://www.youtube.com/watch?v=WAejcu-O1oE
While Karan's recommendation to contact Support to have the Admin module enabled in your sandbox is accurate, I would also remind you that Individual Consent is available for all account plans to grant permission to use JWT Auth.
I am an admin on Salesforce and on DocuSign. The Salesforce connection on DocuSign is actually set up with the username of one of my colleagues, who is also an admin on DocuSign. When I try to access DocuSign Apps Launcher, I am seeing the following error message.
'You have not granted or have revoked your consent to be impersonated by Docusign Apps Launcher'
Can someone please list the resolution for this issue? As far as I understand, my colleague will have to grant consent from DocuSign to be impersonated, or even better, change the connection to my name, as I plan to manage it on both Salesforce and DocuSign.
Today I faced this same problem. I found that by calling the AuthService API you can generate an authorization URL, and after granting access everything worked fine.
My steps:
1. Open the developer console in Salesforce.
2. Run this as anonymous code:
   System.debug(dfsle.AuthService.getLoginUrl('/lightning/page/home'));
3. Open the raw log and follow the link.
The link will display the authentication buttons and after the process, you can send envelopes as usual.
What you're describing sounds like consent for OAuth token generation, specifically JWT. When the Apps Launcher sends the requests under your username, it is supplied with a payload that contains your Integration Key, userId, scopes and a few other pieces. When DS interprets this, it checks to see if consent has been granted by your user for the scopes provided in said OAuth request. If it doesn't see consent, it returns this error message.
Basically we have three ways of fixing this, depending on how your account is set up.
1. Individual consent, where you can construct a URL containing the scopes, IK, and RedirectUris -- this allows you to log in and grant consent on an individual basis.
2. Domain Consent -- if you have an Organization established within our system and a claimed domain attached to it, you can supply consent for any Org users under that domain. So if I own gmail.com for example, I could supply consent for any user.
3. Org Consent -- this allows you to grant consent to an application across your entire organization.
If you're dealing with a single user it's most likely going to be easiest to go the individual route. An example structure for this would be:
SERVER/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=CLIENT_ID&redirect_uri=REDIRECTURI
Larry also put up a blog post last year that shows these three methods in-depth -- have a look and let me know if you have any questions: https://www.docusign.com/blog/developers/oauth-jwt-granting-consent
Regards,
Matt
I encountered this issue with a DocuSign Admin user and found out that Edge was blocking a popup. The user finally got the "Authorize" screen when they went to Chrome and allowed notifications.
Errors are coming on the live integration key of DocuSign:
Error while requesting server, received a non successful HTTP code [400] with response Body: O:8:"stdClass":1:{s:5:"error";s:16:"consent_required";}
I faced this issue on demo DocuSign, then I enabled SSO for my DocuSign organization on demo DocuSign.
That solved this issue (error) and it is working properly on demo DocuSign,
because there was DocuSign Admin to enable SSO.
But DocuSign Admin is not available on the live DocuSign account.
How do I solve this error on live DocuSign?
Error s:5:"error";s:16:"consent_required";
I have already contacted the support team.
In order to grant consent, you'll either need to do an Individual Consent workflow for each user, or contact the Sales team to purchase the Admin module.
A more in-depth look at the JWT Consent options is available on the DocuSign blog - https://www.docusign.com/blog/developers/oauth-jwt-granting-consent
The short answer is that Individual Consent is always available, but requires action by each individual user (Access the consent URL, authenticate, grant consent). Admin Consent is only available if you have the Admin module and a claimed domain, but allows an Organization Admin to grant consent on behalf of everyone under that claimed domain.
Is it perhaps because the DocuSign user you use to log into the live system is not (yet) an administrator?
I've developed an invokable Apex method that leverages the DocuSign Apex Toolkit for preparing and sending an envelope via a Salesforce flow.
The only issue I'm having is when it is invoked by a Salesforce user, that has been added as a DocuSign user, but has not yet gone through the OAuth flow to connect Salesforce to DocuSign for their user account.
A workaround is that I have that new user click a standard "Send with DocuSign" button on any record, which then shows the "Before you can use DocuSign, you must grant consent for this application to make requests on your behalf." message and a button to start and complete the OAuth flow. Once this is done I can go back to my flow and it will successfully complete as that user.
Any ideas how I can "pre-authorize" users, or check for authorization as part of the flow (is this data stored in Salesforce), or at least find a way to get to this "Authorize" screen in Salesforce without needing to begin the process of sending an envelope?
Thanks
Matt
Yes, the administrator for the account can grant "blanket" consent, known as administrative consent, for the relevant integration key (client id) and scope(s) needed by your application.
To do so:
1. The account needs the Admin feature Access Management with SSO. You can have this feature enabled for your developer sandbox account by email request to go-live#docusign.com. Contact your DocuSign account manager for adding the feature to a production account.
2. You need to claim the email domain for your users.
3. Use the Admin tool's Connected Apps tile to grant administrative consent to your users in the claimed domain to the application.
The above assumes that you are supplying the integration key to your Apex application.
If you're using an integration key supplied by DocuSign, then you also need to use the Admin consent for external applications API.
If you're using an integration key supplied by DocuSign as part of a DocuSign for Salesforce product, then I would first ensure that the product is enabled for everyone in your account; that may take care of your app's consent issue.
Re: detecting if consent is required
DocuSign responds with a specific consent_required error if consent is needed. So check the error response of your call. See APIError
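The individual-consent URL from Matt's answer and the `consent_required` check described just above, combined in one added example (not code from the posts, the Apex Toolkit or DocuSign). The function names, the `auth.example.test` host, the redirect-URI allowlist and the JSON shape of the error body are assumptions made for illustration.

```python
import json
from urllib.parse import quote, urlencode

# Scopes from the example consent URL quoted in the answer above.
JWT_CONSENT_SCOPES = ("signature", "impersonation")


def build_consent_url(auth_server, client_id, redirect_uri, registered_redirects):
    """Build the individual-consent URL a user opens once in a browser."""
    # Take a bare host name only, so a caller cannot smuggle in a scheme or path.
    if not auth_server or any(c in auth_server for c in "/?#@"):
        raise ValueError("auth_server must be a bare host name")
    # Only send users to a redirect URI already registered on the integration key
    # (the allowlist is supplied by the caller; it is an assumption of this example).
    if redirect_uri not in registered_redirects:
        raise ValueError("redirect_uri is not registered for this integration key")
    query = urlencode(
        {
            "response_type": "code",
            "scope": " ".join(JWT_CONSENT_SCOPES),  # ask for nothing beyond these
            "client_id": client_id,
            "redirect_uri": redirect_uri,
        },
        quote_via=quote,  # encodes the space as %20, as in the answer's URL
    )
    return f"https://{auth_server}/oauth/auth?{query}"


def needs_consent(status_code, body):
    """True when a JWT token request failed only because consent is missing."""
    if status_code != 400:
        return False
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):  # not JSON: some other failure, do not guess
        return False
    return isinstance(payload, dict) and payload.get("error") == "consent_required"


if __name__ == "__main__":
    # Constructed sample values, not real DocuSign hosts or keys.
    allowed = {"https://app.example.test/callback"}
    status, body = 400, '{"error": "consent_required"}'
    if needs_consent(status, body):
        print(build_consent_url("auth.example.test", "CLIENT_ID_PLACEHOLDER",
                                "https://app.example.test/callback", allowed))
```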
I'm developing an integration that needs admin consent, without the interaction of a user. I see that in order to give consent to an application I need to do that from the organization dashboard.
The problem is that the demo account doesn't have organization features nor the organization dashboard.
When using JWT Token auth with DocuSign you need to grant consent one time, as you have mentioned. There are two ways to accomplish this:
1. Using the Organizations Interface (which is an Enterprise-level feature).
2. Initiate the request through the API.
When going through the API, the user still needs to interactively grant consent through a browser; however, the request is initiated through DocuSign's Authentication Service.
See here for steps to take to grant consent through the API:
https://docs.docusign.com/esign/guide/authentication/oa2_jwt.html#granting-consent
In terms of the User Consent vs. Admin consent part of your question, they are actually the same thing. The only difference is that the admin consent is done through the admin console and can apply to all users, while the user consent is on a per-user basis.
If you don't want the individual users to grant consent then you must use the organization admin panel to give consent.
To have organization administration added to your demo/developer sandbox account, please ask your DocuSign sales or technical contact to have it added.