Issue with Docusign authentication registration flow - docusignapi

Our application offers DocuSign integration.
Therefore, we allow our users to log in to DocuSign.
Everything is fine when the user is already a DocuSign user and logs in:
1. User taps on "Login to DocuSign"
2. A browser is opened and redirected to the DocuSign login dialog
3. He enters his email address
4. He enters his password
5. He is redirected to callback_url
However, when the user needs to register with DocuSign, the process becomes like this:
1. User taps on "Login to DocuSign"
2. A browser is opened and redirected to the DocuSign login dialog
3. Since he doesn't have an email registered with DocuSign, he taps on the "Register" link
4. An activation email is sent to his email address
5. The user clicks on the activation link in the email
6. The user is redirected to his DocuSign dashboard
The problem with this registration flow is that at step 6, the user is not redirected to callback_url.
Therefore, the loop with our application is now broken and the user is confused.
Shouldn't DocuSign redirect users back to callback_url when activation is completed?

If your application's User Experience (UX) explicitly lets the user either create an account on DocuSign or sign in, then you can remove the "Create an account" option from the OAuth window:
In your initial GET to the DocuSign authentication server, include the query parameter
ui_flavors=no_sign_up
This should prevent the "Sign Up" links / options from being shown.
This is not the optimal answer to the question, but it is available now.
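As an added example (not part of the original question or answer), the following Python builds the authorization request with `ui_flavors=no_sign_up` and validates the redirect back to callback_url. The host is DocuSign's developer sandbox endpoint; the client_id, redirect_uri and scope values are placeholders, and the `state` handling is a standard OAuth CSRF guard that the answer does not mention:

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: substitute your own integration key and callback.
AUTH_ENDPOINT = "https://account-d.docusign.com/oauth/auth"  # developer sandbox
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://example.invalid/docusign/callback"


def new_state() -> str:
    """Per-request CSRF token; keep it server-side in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, allow_sign_up: bool = False) -> str:
    """Authorization-code request. ui_flavors=no_sign_up hides DocuSign's
    "Create an account" links so a new user cannot leave the OAuth flow
    through DocuSign's own registration path (which never returns to
    redirect_uri)."""
    params = {
        "response_type": "code",
        "scope": "signature",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    if not allow_sign_up:
        params["ui_flavors"] = "no_sign_up"
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect to callback_url and return the authorization code.

    Rejects callbacks whose state does not match the one issued for this
    session (constant-time compare) and callbacks that report an error.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url(st))
    # Simulated callback (constructed, not a real DocuSign response).
    print(parse_callback(f"{REDIRECT_URI}?code=abc123&state={st}", st))
```

The code exchange that follows is unchanged; the only difference from a normal authorization request is the extra `ui_flavors` parameter.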

Salesforce Guest user access to Docusign Apex Toolkit to send an email

I am using the DocuSign Apex Toolkit in Salesforce to send emails as outlined here:
https://developers.docusign.com/salesforce/code-examples/salesforce-sending-signing-template
The email is sent when a case field is updated to a specific value via a trigger.
This works perfectly if I am a signed-in user. However, if the user doing this is a guest, then the following error is thrown:
You must have DocuSign sender permissions to perform this operation
Class.dfsle.Permissions.verifyIsDocuSignSender: line 300, column 1
Class.dfsle.Permissions.verifyIsDocuSignSender: line 295
As this is the guest user, I am unable to assign the permission sets to them as there is no user.
I have given permissions to all DocuSign objects and fields to the guest user profile.
How can I allow emails to be sent automatically via Apex in a trigger for guest users?
A DocuSign envelope can be created only by users who have a DocuSign account and have at least the Sender permission. It is like Gmail: you are able to send an email from the Gmail domain only if you are a Gmail user.
So in the case of the guest user, they will come to your app, but your app should make the DocuSign API call with the credentials of a system user (like apiuser@system.com) who is a user in your DocuSign account. The Auth Type doc explains this type of flow.

Change the navigation of inviteRedeemUrl in Invitation Email: Azure AD

I created an email invitation using Microsoft Graph to an Azure AD application. In the email that was received, clicking the "Get Started" element (Elements of Email Invite) redirects to the sign-in page, not the sign-up page of the application that I want to redirect to.
How can I disable that element or override the redeem URL?
I suppose you are using Create invitation from Microsoft Graph? If so, you could specify the inviteRedirectUrl in the request body to customize where you want your users to land after redemption.
POST https://graph.microsoft.com/v1.0/invitations
Content-type: application/json
Content-length: 551
{
"invitedUserEmailAddress": "yyy@test.com",
"inviteRedirectUrl": "https://myapp.com/xxxxxx"
}
For more details, see Azure Active Directory B2B collaboration API and customization.
In the email that was received, clicking the "Get Started" element (Elements of Email Invite) redirects to the sign-in page, not the sign-up page of the application that I want to redirect to.
The invitation uses the invitation manager to create an invite, in order to add an external user to the organization. After the invitation is made, the invited user doesn't need to sign up and is already a member/guest user in the Azure AD.
For the details, you could read here.
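As an added example (not part of the original answer), the following Python builds the invitation body from the answer above and refuses an inviteRedirectUrl that is not an https URL on a host you control. The redirect target is placed in an email Microsoft sends on your behalf, so an attacker who can influence that value gets a trusted-looking phishing lure. The allow-listed host, the invitee address and the bearer token are placeholders; `sendInvitationMessage` is the Graph invitation property that controls whether Microsoft sends the email at all:

```python
import json
from urllib.parse import urlparse

# Constructed placeholders: substitute the hosts your application actually serves.
GRAPH_INVITATIONS = "https://graph.microsoft.com/v1.0/invitations"
ALLOWED_REDIRECT_HOSTS = {"myapp.com"}


def validate_redirect_url(url: str) -> str:
    """Accept only https URLs whose host is allow-listed and that carry no
    embedded credentials (https://myapp.com@evil.example/ parses with host
    evil.example, so the check is on the parsed hostname, not on a prefix)."""
    p = urlparse(url)
    if p.scheme != "https":
        raise ValueError("inviteRedirectUrl must be https")
    if p.username or p.password:
        raise ValueError("credentials in inviteRedirectUrl are not allowed")
    if p.hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError(f"redirect host {p.hostname!r} is not allow-listed")
    return url


def build_invitation(email: str, redirect_url: str, send_email: bool = True) -> dict:
    """Request body for POST /v1.0/invitations."""
    local, sep, domain = email.partition("@")
    if not (local and sep and domain):
        raise ValueError("invalid invitee address")
    return {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": validate_redirect_url(redirect_url),
        # False if your own app emails the inviteRedeemUrl from the response
        # instead of letting Microsoft send the "Get Started" message.
        "sendInvitationMessage": send_email,
    }


def render_request(body: dict, bearer_token: str) -> str:
    """Render the HTTP request as text, as a Graph client library would send it."""
    payload = json.dumps(body, indent=2)
    return (
        f"POST {GRAPH_INVITATIONS}\n"
        f"Authorization: Bearer {bearer_token}\n"
        "Content-type: application/json\n"
        f"Content-length: {len(payload.encode())}\n\n"
        f"{payload}"
    )


if __name__ == "__main__":
    body = build_invitation("yyy@test.com", "https://myapp.com/signup")
    print(render_request(body, "<access-token>"))
```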

How can I send an envelope link manually?

I have an envelope I've created through the API, and I set its status to sent at creation time, so it was never sent to the customer. Then using recipientViewRequest I grabbed the link for it and sent that to the customer in an email so they can sign it. However, the link only works once. After the first click/visit, the link expires. Is there any way to get a link to the envelope that doesn't expire?
The signing flow you are using is called Embedded Signing. In Embedded Signing, you need to invite or ask your signer to visit your app, and when the signer is ready to sign the document, at that time you generate the signing URL (on demand) and ask the user to complete the signing. This link is one-time use and, by default, expires in 300 seconds if not used. If you want DocuSign to send an email to the signer with your app URL, so that the signer is redirected to your app when he/she clicks the email link, then you can put your app URL in the embeddedRecipientStartURL property of the signer in the API call. By adding this property, DocuSign will send an email to the signer, and on clicking the Review Documents button the browser will be redirected to your app; once it reaches your app, you can generate the embedded signing URL and host the signing ceremony.
You should never send this embedded signing URL in an email or via any other medium. If you want DocuSign to send an email to the signer so that the signer can sign the document at any time, then you should do Remote Signing; this is achieved by removing the clientUserId for the recipient in your API call.
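As an added example (not part of the original answer), the following Python builds the same signer both ways the answer describes: embedded (clientUserId set, with embeddedRecipientStartURL pointing at your app) and remote (no clientUserId, DocuSign emails the durable link). It also builds the recipient-view request body and refuses to create one for a remote signer. Field names are those of the DocuSign REST envelope and recipient-view resources; the URLs, names, addresses and the sample document are constructed placeholders:

```python
import base64

# Constructed placeholders for the app that hosts the signing ceremony.
APP_START_URL = "https://example.invalid/sign/start"   # embeddedRecipientStartURL
APP_RETURN_URL = "https://example.invalid/sign/done"   # returnUrl after signing


def make_signer(name: str, email: str, recipient_id: str, embedded: bool) -> dict:
    """Signer definition for envelope.recipients.signers[]."""
    signer = {"name": name, "email": email, "recipientId": recipient_id,
              "routingOrder": "1"}
    if embedded:
        # clientUserId marks the recipient as embedded: the app must create the
        # view URL on demand, and that URL is single-use and short-lived.
        signer["clientUserId"] = recipient_id
        # DocuSign still emails the signer, but "Review Documents" lands on our
        # app, which then generates a fresh signing URL for this session.
        signer["embeddedRecipientStartURL"] = APP_START_URL
    # Remote signer: no clientUserId, so DocuSign emails a link that stays
    # valid for the life of the envelope. Nothing else to add.
    return signer


def make_envelope(subject: str, signers: list, send: bool = True) -> dict:
    """Minimal envelope definition with one constructed document."""
    return {
        "emailSubject": subject,
        "status": "sent" if send else "created",
        "documents": [{
            "documentId": "1",
            "name": "agreement.txt",
            "fileExtension": "txt",
            "documentBase64": base64.b64encode(b"constructed sample document").decode(),
        }],
        "recipients": {"signers": signers},
    }


def recipient_view_request(signer: dict) -> dict:
    """Body for POST .../envelopes/{envelopeId}/views/recipient.

    Only valid for an embedded signer; the URL DocuSign returns is one-time use
    and expires after about 300 seconds, so it must never be emailed.
    """
    if "clientUserId" not in signer:
        raise ValueError("recipient view needs an embedded signer (clientUserId)")
    return {
        "returnUrl": APP_RETURN_URL,
        "authenticationMethod": "none",
        "email": signer["email"],
        "userName": signer["name"],
        "clientUserId": signer["clientUserId"],
    }


if __name__ == "__main__":
    embedded = make_signer("Ann Signer", "ann@example.invalid", "1", embedded=True)
    remote = make_signer("Bob Signer", "bob@example.invalid", "2", embedded=False)
    print(make_envelope("Please sign", [embedded, remote]))
    print(recipient_view_request(embedded))
```

Switching a recipient from embedded to remote is therefore just dropping clientUserId (and the start URL); the email DocuSign then sends carries the long-lived link the question was asking for.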

Cloning a document after accessing the Sender View using the Docusign REST API

I'm using the DocuSign REST API v2 and I have some problems (it seems like a DocuSign bug, but I'm unsure).
I have a website with a button to view a DocuSign document previously sent by us. This button creates a URL and performs the "Post Sender View" resource call, which states:
Post Sender View
This provides a URL to start the sending view of the DocuSign UI. This is a one-time use login token that allows the user to be placed into the DocuSign sending view.
Upon sending completion, the user is returned to the return URL provided by the API application.
The idea of this process is to show the DocuSign GUI to view the document and perform some basic operations.
This works correctly, but the problem I have is that in this DocuSign view there is a button that says "Other actions", and after clicking on it, the option "Clone" is presented.
When clicking on "Clone", the session is expired, so the user is unable to perform any action. The message is:
Session Ended
Your session has expired due to an extended period of inactivity. To restart the DocuSign session click the link in the email that initiated the session.
For help: support@docusign.com
So, the point here would be: is there a fix for this? Am I doing something wrong?
I know the documentation says "This is a one-time use login token that allows the user to be placed into the DocuSign sending view"; but if you decide to click the "Close" button, the session remains open and the user is able to work as usual.
Many thanks in advance.

Web application account confirmation security flow

I have a question about the security flow of a confirmation link.
I have a website on which you have to fill in your email address and password; after filling in this information, my app sends an email with a secure link to the user's email address. After clicking on the confirmation link, the user automatically gets logged in to the application.
Now the question:
Is there a security risk in auto-logging in the user on clicking the confirmation link?
Is there a security risk in auto-logging in the user on clicking the confirmation link? Yes and no. It depends on what is in the link. What I would do is have two fields in the database: activate_code, which is randomly generated, and is_activated, which defaults to 0. Then I would send a link to the activation page and another email with the activation code. Once at the activation link, the user fills in the code and the account is activated; then redirect him to the login page.
Do not send user emails or any other information; just send random codes or something similar.
That is my two cents!
Yes, there is a security concern, as Gumbo points out.
Since the user has provided an email and password, why not require that he be logged in to access his confirmation page?
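As an added example (not part of the original answer), the following Python implements the activate_code / is_activated scheme the answer sketches, with the details a practitioner would want: the code is generated with a CSPRNG, only its hash is stored, it expires, it is single-use, the link identifies the account by an opaque id rather than the email address, and activation never creates a session (the caller redirects to the login page). The in-memory dict stands in for the users table; the TTL is an assumed value:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 3600   # assumed policy: links are good for one day


def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def _clock(now: Optional[float]) -> float:
    return time.time() if now is None else now


class Accounts:
    """Constructed in-memory stand-in for a users table."""

    def __init__(self) -> None:
        self.users = {}   # opaque user id -> record

    def register(self, email: str, password_hash: str,
                 now: Optional[float] = None) -> Tuple[str, str]:
        """Create an unactivated account; return (user_id, raw_code).

        Only the hash of the code is stored, so a database leak does not hand
        out usable activation links. The raw code goes into the email, either
        as the link's query parameter or as a value the user types in.
        """
        user_id = secrets.token_urlsafe(16)
        code = secrets.token_urlsafe(32)
        self.users[user_id] = {
            "email": email,
            "password_hash": password_hash,
            "activate_code": _hash(code),
            "activate_expires": _clock(now) + TOKEN_TTL_SECONDS,
            "is_activated": False,
        }
        return user_id, code

    def activation_link(self, user_id: str, code: str,
                        base: str = "https://example.invalid/activate") -> str:
        # No email address in the link: the id is opaque and the code is random.
        return f"{base}?uid={user_id}&code={code}"

    def activate(self, user_id: str, code: str,
                 now: Optional[float] = None) -> bool:
        """Flip is_activated. Returns True on success.

        Deliberately does NOT log the user in: whoever holds the email link
        (a forwarded message, a mailbox compromise, a link logged by a proxy)
        only proves control of the address, not knowledge of the password.
        """
        rec = self.users.get(user_id)
        if rec is None or rec["is_activated"] or rec["activate_code"] is None:
            return False
        if _clock(now) > rec["activate_expires"]:
            return False
        if not hmac.compare_digest(rec["activate_code"], _hash(code)):
            return False
        rec["is_activated"] = True
        rec["activate_code"] = None   # single use
        return True


if __name__ == "__main__":
    accounts = Accounts()
    uid, code = accounts.register("user@example.invalid", "<argon2 hash>")
    print(accounts.activation_link(uid, code))
    print("activated:", accounts.activate(uid, code))   # True, then redirect to /login
```

The login page then checks the password as usual and can refuse accounts whose is_activated is still 0.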