
We have implemented the JWT grant flow and provided blanket consent for the integration key, but when impersonating a registered and active user under this account we get a consent required error.

  • We have SSO enabled
  • All users are in the same domain
  • Blanket consent provided with the impersonation and signature scopes

Here is how I am trying to get an access token for the impersonated user using DocuSign's C# SDK:

```csharp
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using DocuSign.eSign.Client;
using DocuSign.eSign.Client.Auth;

string BaseUrl = "https://demo.docusign.net/restapi";
string oAuthBasePath = "account-d.docusign.com";   // demo IdP (production is account.docusign.com)
var apiClient = new ApiClient(BaseUrl, oAuthBasePath, null);

// Get an access token using the admin account (UserId is the admin's user GUID)
OAuth.OAuthToken tokenInfo = apiClient.RequestJWTUserToken(
    Integration_Client_Key, UserId, oAuthBasePath,
    Encoding.UTF8.GetBytes(RSAPrivateKey), 1, Scopes);
OAuth.UserInfo userInfo = apiClient.GetUserInfo(tokenInfo.access_token);
var account = userInfo.Accounts.FirstOrDefault(a => a.AccountId == AccountId);
apiClient = new ApiClient(BaseUrl, oAuthBasePath, null);

// Look up the user GUID to impersonate (SignatureHandlerEmailId is our own helper that
// resolves an e-mail address to a userId with the admin token)
var impersonateUserId = await SignatureHandlerEmailId(signatureHandlerEmailId, tokenInfo.access_token);

// Get an access token for the impersonated user
tokenInfo = apiClient.RequestJWTUserToken(
    Integration_Client_Key, impersonateUserId, oAuthBasePath,
    Encoding.UTF8.GetBytes(RSAPrivateKey), 1, Scopes);
userInfo = apiClient.GetUserInfo(tokenInfo.access_token); // <-- the consent exception is thrown here
```

Am I passing a wrong URL, or is there any additional configuration needed before sending the request?

WELCOME to StackOverflow!! Please check (accept) the best answer for each of your questions. Thank you, it makes a BIG difference!! - Larry K

2 Answers


You have SSO and a claimed domain for demo.docusign.net?

You're using the demo IdP (account-d.docusign.com). It is a completely different IdP than the production IdP, account.docusign.com.

Since you're using account-d.docusign.com, you need to claim the email domain for it using the demo.docusign.net org admin tool.

Added: checking your claimed email domains

This info is available via the Domains section of the DocuSign organization administration tool.

See the docs.

Added some more

You can also programmatically get a list of the organization's claimed domains via the Org Admin API method ReservedDomains:getReservedDomains.


Another condition will be to claim a domain.
You can refer to this how-to guide.
Also, this blog post has great info.
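The checks below are an added example, not code from the question or either answer, and not part of the DocuSign SDK. They encode the point both answers make: the demo IdP (account-d.docusign.com) and the production IdP (account.docusign.com) are separate systems, so a domain claimed in one is not claimed in the other, and a consent_required error for a JWT impersonation attempt is resolved by claiming the user's e-mail domain in the org admin of the environment you are actually calling (or by the user granting individual consent). Assumptions not stated on the page: the token endpoint's error body has the shape {"error": "..."}, and the individual-consent URL follows the documented DocuSign form https://{oauth_base_path}/oauth/auth?response_type=code&scope=...&client_id=...&redirect_uri=...; the integration key, redirect URI, e-mail addresses and claimed-domain sets are constructed sample data.

```python
"""Sanity checks for a DocuSign JWT-grant consent_required error (added example)."""
import json
from urllib.parse import quote, urlsplit

# Demo and production identity providers are distinct; domains are claimed per IdP.
OAUTH_HOSTS = {
    "demo": "account-d.docusign.com",
    "production": "account.docusign.com",
}


def environment_for_oauth_host(oauth_base_path):
    """Map an OAuth base path to 'demo' or 'production'; reject anything else."""
    for env, host in OAUTH_HOSTS.items():
        if oauth_base_path.lower() == host:
            return env
    raise ValueError(f"unknown DocuSign OAuth host: {oauth_base_path}")


def environment_for_rest_url(base_url):
    """demo.docusign.net is the demo REST host; other *.docusign.net hosts are production."""
    host = (urlsplit(base_url).hostname or "").lower()
    if host == "demo.docusign.net":
        return "demo"
    if host.endswith(".docusign.net"):
        return "production"
    raise ValueError(f"unknown DocuSign REST host: {host}")


def environments_match(base_url, oauth_base_path):
    """True when the REST base URL and OAuth base path belong to the same environment.
    Mixing them (demo REST URL with the production IdP, or the reverse) is a classic
    source of confusing authentication errors."""
    return environment_for_rest_url(base_url) == environment_for_oauth_host(oauth_base_path)


def consent_url(oauth_base_path, client_id, redirect_uri, scopes=("signature", "impersonation")):
    """Build the individual-consent URL a user visits once so the integration key may
    impersonate them. Scopes are space-separated and must be %20-encoded, so the
    pieces are quoted by hand rather than with urlencode (which would emit '+').
    URL format is an assumption taken from the DocuSign OAuth documentation."""
    return (
        f"https://{oauth_base_path}/oauth/auth"
        f"?response_type=code"
        f"&scope={quote(' '.join(scopes), safe='')}"
        f"&client_id={quote(client_id, safe='')}"
        f"&redirect_uri={quote(redirect_uri, safe='')}"
    )


def diagnose_token_error(error_body, user_email, oauth_base_path, claimed_domains):
    """Interpret a token-endpoint error body for a JWT impersonation attempt.

    claimed_domains maps environment ('demo'/'production') to the set of e-mail
    domains claimed in that environment's org admin (Domains section, or the
    ReservedDomains API mentioned in the first answer). Returns (error_code, advice).
    The {"error": "..."} body shape is an assumption."""
    try:
        code = json.loads(error_body).get("error", "")
    except (json.JSONDecodeError, AttributeError):
        return ("unparseable", "token endpoint returned a non-JSON body")

    if code != "consent_required":
        return (code, "not a consent problem; check the integration key, user GUID and scopes")

    env = environment_for_oauth_host(oauth_base_path)
    other = "production" if env == "demo" else "demo"
    domain = user_email.rsplit("@", 1)[-1].lower()
    claimed_here = {d.lower() for d in claimed_domains.get(env, ())}
    claimed_other = {d.lower() for d in claimed_domains.get(other, ())}

    if domain in claimed_here:
        return (code, f"domain {domain} is claimed in {env}; re-check blanket consent "
                      f"for the integration key in the {env} org admin")
    if domain in claimed_other:
        return (code, f"domain {domain} is claimed only in {other}; claim it in the "
                      f"{env} org admin or obtain individual consent")
    return (code, f"domain {domain} is not claimed; obtain individual consent via the "
                  f"consent URL or claim the domain in {env}")


if __name__ == "__main__":
    # Constructed sample: domain claimed in production only, but the code talks to demo.
    sample_error = '{"error": "consent_required"}'
    print(diagnose_token_error(sample_error, "signer@example.com", "account-d.docusign.com",
                               {"production": {"example.com"}}))
    print(consent_url("account-d.docusign.com", "00000000-0000-0000-0000-000000000000",
                      "https://example.com/callback"))
```

Run it against the values from the question: the base URL https://demo.docusign.net/restapi and OAuth base path account-d.docusign.com do match, so the remaining suspect is which IdP the domain was claimed in, which is exactly what the first answer asks.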