1
votes

I want to implement DocuSign Service integration authentication with the JWT flow.

I've generated a valid JWT (validated on jwt.io) and I can successfully obtain an access token based on the JWT according to https://docs.docusign.com/esign/guide/authentication/oa2_jwt.html#requesting-the-access-token

I found in this blog post: https://www.docusign.com/blog/dsdev-docusign-developers-look-inside-new-authentication-apis/ that the sub claim should be omitted in case the application represents a user in the system (which I need):

sub: The user id of the principal you are requesting a token for. If omitted a token will be issued to represent the application itself instead of a user in the system. Required: No

But the next step, "Obtaining the Base URI", states:

The first thing you should do after getting your access token is to use the /oauth/userinfo endpoint to get user’s account and base URI information that you’ll use to access the DocuSign API.

    GET /oauth/userinfo
    Authorization: Bearer eyJ0eX...AnHDQ0bbA

This request fails with status code 401 Unauthorized, with response body details:

{
    "error": "internal_server_error",
    "reference_id": "e051ca48-....f0f"
}

I also tried to call Login (from AuthenticationApi, in the DocuSign.NetCore 1.1.0 NuGet package), with a default authorization header containing an access token, like this:

        Configuration.Default.DefaultHeader.Add("Authorization", string.Format("Bearer {0}", accessToken));
        AuthenticationApi authApi = new AuthenticationApi(Configuration.Default);            
        LoginInformation loginInfo = authApi.Login();

The code above works only if I use an OAuth2 access token that I can obtain directly from the API explorer: https://apiexplorer.docusign.com/#/esign/restapi?categories=Authentication&tags=Authentication&operations=login&mode=basic but when I use the access token that I've obtained by following the official documentation (described above), I get an exception:

DocuSign.eSign.Client.ApiException: ‘Error calling Login: { “errorCode”: “USER_AUTHENTICATION_FAILED”, “message”: “One or both of Username and Password are invalid. Invalid access token”.

What am I missing?

2
Please upvote all useful answers. Please "check" (accept) the most helpful answer. Thank you. – Larry K

2 Answers

2
votes

As Amit says, you need to provide a userID (guid format). The fact that you're receiving the Consent Required is good news: you're almost there.

Your user can grant consent individually or you can grant blanket consent at the org level if you have org admin turned on.

See my video or blog post for how to individually grant consent.

1
votes

Omitting sub is not yet implemented; it is a future state which is yet to be implemented. As of now, you always need to pass sub in the call, and you can get an access token for a user only. That's a blog link with the big-picture overview of what's coming with the new OAuth, but what's currently implemented is available at DS Docs.
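
A local pre-flight check for the point both answers make (the assertion must carry a `sub` claim holding the user ID in GUID form), as an added example that is not part of the original answers or DocuSign's own code. It decodes the JWT payload without verifying the signature and lists claim problems before the token request is sent; the function names, the extra `exp` check and the sample tokens are constructed for illustration.

```python
import base64
import json
import time
import uuid


def _b64url_decode(segment):
    # JWT segments are base64url with the '=' padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_assertion(jwt, now=None):
    """Return a list of claim problems (empty list = nothing found).

    The signature is NOT verified: this only inspects the claims locally.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        return ["not a compact JWT (expected header.payload.signature)"]
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    now = time.time() if now is None else now
    problems = []
    sub = claims.get("sub")
    if not sub:
        problems.append("sub is missing: no user to issue the token for")
    else:
        try:
            uuid.UUID(str(sub))
        except ValueError:
            problems.append("sub is not a GUID (user name or e-mail used?)")
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        problems.append("exp is missing or not numeric")
    elif exp <= now:
        problems.append("exp is in the past")
    return problems


def make_sample(claims):
    # Constructed sample token; the signature segment is a dummy value.
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode("ascii")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])
```

Run `check_assertion` on the assertion your code generates; a token that jwt.io accepts as well-formed can still be missing `sub` or carry a non-GUID value there.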