DocuSign - OAuth Authorization Code Grant - Multiple Users - Error while fetching Access and Refresh Token

1
votes

We are trying to integrate DocuSign with our product.

Our Scenario: Our organization has a (partner) account. We created an Integrator Key (ClientID) and Secret. We want our clients to use their own accounts (which are not child accounts (Admin - user relationship) to our partner account) for the creation of envelopes and generate signing URLs along with our integrator key and secret.

Steps followed:

  1. Created an account (Partner Account).
  2. Created Integrator Key and Secret.
  3. Our scenario is considered as User Application and using Authorization Code Grant Mechanism to get the auth code.
  4. Clients are redirected to DocuSign portal for getting authenticated. (using authorization code grant mechanism by passing our integrator key as a parameter)
  5. Client grant consent for our application to use their credentials for the creation of envelopes.
  6. Receive the auth code.
  7. Using clients authcode and Partner accounts Integrator Key & Secret, trying to fetch the refresh and access token. But DocuSign API (OAuth/token) is responding back with "Bad Request" (400) as response.
  8. In place of the client account, if we are using same partner account credentials, then API (OAuth/token) is responding back with correct refresh token and access token.

Question: Can an integrator key and secret of one account be used along with the auth code of another account (both accounts doesn't have any relationship(Admin-User)) for fetching the Access token & Refresh Token.

API's Used:

Get Auth Code - https://account-d.docusign.com/oauth/auth (Partner Account (Integrator Key & Secret) & Client user credentials in DocuSign Portal)

Get Access / Refresh Token - https://account-d.docusign.com/oauth/token (Auth Code from previous response & base64(Integrator Key:Secret))

Reason: we don't want to store user credentials or ask users to log in every time when they want to use their DocuSign account in our application. So we want to get consent from a user and store their refresh token with us. Use their refresh token and our integrator key from next time for calling DocuSign API's.

1
docusignapi

1 Answers

0
votes

Update

(I work at DocuSign.)

Via additional information supplied to DocuSign, we were able to find our internal logs for the OP's OAuth transaction that failed. We could see from the internal log that, indeed, the problem was that the Authorization Code had expired.

During an OAuth flow, as soon as an application receives an authorization code, it should immediately turn around and use it to get the Access and Refresh tokens, and related information. We will be updating our documentation to state this issue clearly.

Original answer

Everything you're doing sounds exactly right. Especially since the user is receiving the permission screen the first time after logging in to DocuSign via your application.

To answer your question directly: yes, a client id (Integration Key) can be used by an app for any DocuSign user on any DocuSign account.

One idea: is your application requesting the tokens immediately after receiving the authorization code? The authorization code itself times out after a couple of minutes.

You're saying that if User A logs in it works (User A belongs to the account that manages the Client ID), but if User B logs in it doesn't work? I haven't seen that issue before. I'd create a new demo developer sandbox with User C and have them try to login.

Is all of this on demo or production?