
Any route requires you to be authenticated as a DocuSign user to use it. With the standard service integration flow, you direct the user through DocuSign's /oauth/auth flow, use the returned code to get an access token via /oauth/token, then use that token on /oauth/userinfo to get the user's ID, which you can then sign and use in a JWT.

Instead of directing users through the oauth UI to get their consent, DocuSign allows organization admins to pre-authorize an application for everyone in the application. No need to send organization members through the oauth flow. Great.

However, once this action has been taken, it's not clear how my application could make requests on behalf of any user, since the /oauth/userinfo route that gives you the user id requires an oauth code that you get by passing the user through DocuSign's oauth browser UI.

More specifically: if the admin of foo.com's DocuSign organization authorizes my app, and [email protected] starts using my application, how do I get [email protected]'s user ID to create a JWT with?

Comment (jtmarmon): unrelated follow-up question: is it safe to store this DocuSign user ID for reuse in future tokens, or do I have to keep hitting /oauth/userinfo in case the user ID changes?

1 Answer


When you say "[email protected] starts using my application" what, exactly, does that mean?

Case 1: Bob is interacting with your application. In that case, you should be using a User Application OAuth flow such as Authorization Code Grant to enable him to login.

If your app needs to later act on behalf of Bob when he's not around, then store Bob's user id for later use with the JWT grant.

Case 2: Your app is running in the background (no human interaction). At some point your app needs to start doing things for Bob by impersonating him. All you have is his email address.

If this time arrives and your app has had no interaction with Bob, then yes, you need prior access as an admin (in Bob's account) so you can look up Bob's user_id from his email.

This second account would be the "admin user account" for your app. The account would need admin privileges to look up the user's information. Your app would get access to this admin account when your app is installed.

Use the Users:list API call. Remember to encode the email address.

Example:

GET call: /v2/accounts/{accountId}/users?email=larry%2Buser%40foo.com

Re: user_id lifetime: I'm reasonably sure that the user_id GUID doesn't change for a given accounted user (someone who is a member of an account on DocuSign). I will check to make sure.
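The lookup-then-impersonate sequence from the answer, as an added example that is not the answerer's code or DocuSign's SDK: it builds the encoded Users:list URL, picks the matching active user out of a constructed sample response (field names `users`, `userId`, `email`, `userStatus` are assumed from the API), and assembles the JWT grant claims; the demo base URL, the `account-d.docusign.com` audience and the `signature impersonation` scope are assumptions, and RS256 signing with the integration key's private key is left to the caller.

```python
import base64
import json
import time
from urllib.parse import quote, urlencode

# Constructed sample of a Users:list response (not a real DocuSign payload).
SAMPLE_USERS_RESPONSE = {
    "users": [
        {"userId": "11111111-aaaa-4bbb-8ccc-000000000001",
         "email": "larry+user@foo.com", "userStatus": "Active"},
        {"userId": "11111111-aaaa-4bbb-8ccc-000000000002",
         "email": "larry+old@foo.com", "userStatus": "Closed"},
    ]
}

def users_list_url(base_url, account_id, email):
    """Build GET /v2/accounts/{accountId}/users?email=... with the email percent-encoded."""
    # urlencode turns '+' into %2B and '@' into %40, which is the encoding the
    # answer asks for; a raw '+' in the query string would be read as a space.
    return f"{base_url}/v2/accounts/{quote(account_id, safe='')}/users?" + urlencode({"email": email})

def resolve_user_id(response, email):
    """Return the userId for an exact (case-insensitive) email match on an Active user."""
    for user in response.get("users", []):
        if user.get("email", "").lower() == email.lower():
            # Refuse to impersonate a closed or inactive member rather than failing later.
            if user.get("userStatus") != "Active":
                raise ValueError(f"user {email} is not active: {user.get('userStatus')}")
            return user["userId"]
    raise LookupError(f"no user with email {email}")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_grant_claims(integration_key, user_id, aud="account-d.docusign.com", now=None, ttl=3600):
    """Claims for the JWT grant: iss = integration key, sub = the user_id looked up above."""
    now = int(time.time()) if now is None else now
    return {"iss": integration_key, "sub": user_id, "aud": aud,
            "iat": now, "exp": now + ttl, "scope": "signature impersonation"}

def jwt_signing_input(claims):
    """header.payload in base64url; sign this with RS256 and append '.' + signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    return (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
            + b64url(json.dumps(claims, separators=(",", ":")).encode()))

if __name__ == "__main__":
    print(users_list_url("https://demo.docusign.net/restapi", "acct-123", "larry+user@foo.com"))
    uid = resolve_user_id(SAMPLE_USERS_RESPONSE, "larry+user@foo.com")
    print(jwt_signing_input(jwt_grant_claims("INTEGRATION_KEY_PLACEHOLDER", uid)))
```

The resolved user_id can be cached per the answer's lifetime note, but re-checking userStatus before each impersonation keeps a closed member from being impersonated.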