I am working on migrating Docusign basic Authentication to OAuth2.0. I followed the article How to get access token with JWT grant authentication.
However, I am confused when trying to get the eSignature working.
Our current flow is:
We don't use a phyiscal document file, instead we use a template (templateId) that we uploaded to docusign ahead of time. Then when we make an API call, docusign returns an external url that we use to direct the user to sign the form. After the user signs the form, Docusign uses the return url that we provided to direct the user back to our application.
Any ideas which method that I should use to achieve it? With Docusign Oauth2.0 migration, we only need to update the authentication piece, we do not need to make different API calls. In other words, We can continue to use restapi/v2 with OAuth2.0 authentication, everything else will work as before. right?
However, I noticed that the legacy login URL still requires api_password
https://www.docusign.net/restapi/v2/login_information?include_account_id_guid=true&api_password=true&login_settings=all
If we do have to call restapi/v2.1 Docusign REST API along with OAuth2.0, in this article How to request a signature using a composite template. At the end, the article shows that its expected response URL.
"url": "https://demo.docusign.net/Signing/MTRedeem/v1/09f2e35e-xxxx-xxxx-xxxx-1fbc6fcf77ed?slt=eyJ0eX...i3x-4g"
Any inputs would be really appreciated! Thank you!
You can still use the same URL from the eSignature REST API v2.0 to make all API calls to DocuSign, except the login_information call in your post.
The rest of your scenario - using a template, redirecting the user etc. - can be done just the same with your access token obtained using OAuth 2.0
To get the user's information with OAuth you use the getUserInfo() call and you can read all about it on the developer center.
(the URL is https://account.docusign.com/oauth/userinfo)
Related
I have really hard time trying to understand mostly how should I implement my authorization flow. I think I have the authentication flow mostly correctly implemented using the technologies I've listed in the title. Here's what I want to achieve:
Basically I have a mobile app built using React-Native and I have made a restful API for this mobile app to use. I am currently at the point that I have implemented authentication using ADFS 4.0. My mobile app directly uses the ADFS endpoints to authenticate the user and I am able to receive the id_token and access token correctly from there. But here comes the part that I have no clue what to do next. Before I used openID, I had my own authentication and just an OAuth2 flow in my Spring REST Api and everytime I made a request from the mobile app to the API, I provided the access token in the headers, and used it to verify from the authorization server that the user is indeed authenticated and also received some crucial information about the user to use in my API. But now since I use OpenID-Connect and ADFS 4.0 for the authentication, I have the cruicial information I need in my API in the id_token. The question is, what exactly should i send to my API now from the mobile app, the id_token, access token or both? Given the access token to the userinfo endpoint at the ADFS returns the subject of the owner of the token. Like is there any way I could receive the users info using the subject or what exactly should I do. I've tried to research this subject a lot, but I am still very confused..
Send the access token to the API in the Bearer header. In the API, validate the token and, if required, do user info lookup. A Spring example of mine here if it helps.
Happy to answer any follow on questions ..
I'm new to Auth0 and having real trouble wrapping my head round it. My app is going to be built using React, packaged using Phonegap.
Am I able to use Auth0 with a completely custom UI for creating accounts, logging in etc.?
Ideally my signup flow would be...
User Signs up using my react form
Details are sent to my API and then passed to Auth0
Success message is received from Auth0 and the user is mirrored in my local DB
My ideal login flow would be...
User fills in email/password on my custom form.
Details sent either directly to Auth0 or via my API
Token is sent back and stored in localStorage
Then each request to my API...
React attaches token to every request in header (actually Axios interceptor does)
My API is able to verify that the token is valid and not expired
API performs request.
Not sure how to deal with social logins, claims etc. but that's for another day, basically I want to do everything through the API and not use their lock screen etc. Is this possible?
Yes! That is definitely possible and to achieve this you would want to use 'Resource Owner Password' grant type.
Once you collect the credentials from user in your custom form, you can directly pass those to Auth0 by calling an endpoint - 'https://yourapplication.auth0.com/oauth/token' with all the necessary parameters. You can make a simple POST request to this endpoint from you client application. For ease of use, there is a javascript library provided by Auth0 for all of their endpoints- (https://auth0.com/docs/libraries/auth0js/v9).
Auth0 will return a token which can be used to call your server side APIs by passing it to the request header.
So to conclude, you can do it through API without using their lock screen.
Let me know if you need any further help. We can discuss on social logins and claims also.
We are using VB.NET and developing one Windows Form based application. Where we need to send email using gmail.
Appropriate scope has been approved by Google: scope=https://www.googleapis.com/auth/gmail.send
Using below URL via browser, we are able to retrieve code.
https://accounts.google.com/o/oauth2/v2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send&access_type=offline&include_granted_scopes=true&state=state_parameter_passthrough_value&redirect_uri=**********&response_type=code&client_id=******************
At this point, we have client id, client secret, and code.
But we are unable to send email.
Can someone please share any sample POST request or sample code?
Lanugage used: VB.NET and first URL was called using webbrowser object.
You are using OAuth2 Authorization Code Grant flow. This flows returns you just a code that you need to exchange for an access token and a refresh token using the /token endpoint. The code is just a random identifier and cannot be used for anything else. Without an access token, you cannot access protected resources (GMail). The /token endpoint requires authentication, so you will need your client ID and secret when calling it.
The workflow, request parameters, responses and examples are covered in the OAuth2 RFC.
I'm trying to figure out how to use Auth0 with an Angular/Rails application.
I've set up Auth0 with an Angular-only application and it worked fine. I can see the Auth0 docs for Rails and as far as I can tell it makes sense.
What I don't understand is how to connect the front-end authentication with Rails, since I'm not finding documentation on this anywhere.
Okay, I've figured it out. If I use Auth0 to authenticate on the Angular side and then make an HTTP request to my Rails server, that HTTP request will have an Authorization header with a value like this:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2JlbmZyYW5rbGlubGFicy5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NTgzMDZmOTFjMDg4MTRlMDEwMTVmNDM0IiwiYXVkIjoiajNKdHpjYnNpTUkyR0JkRnZGb3FFTjM4cUtTVmI2Q0UiLCJleHAiOjE0Nzk4OTc3OTYsImlhdCI6MTQ3OTg2MTc5Nn0.2cGLY_e7jY0WL-ue4NeT39W4pdxJVSeOT5ZGd_xNmJk
The part after "Bearer", the part starting with "eyJ0", is a JSON Web Token. Henceforth I'll refer to the JSON Web Token simply as the "token".
When Rails receives the HTTP request, it can grab and then decode the token. In my case I'm using Knock.
Knock expects my User model to define a from_token_payload method. Here's what mine looks like:
class User < ApplicationRecord
def self.from_token_payload(payload)
User.find_by(auth0_id_string: payload['sub'])
end
end
My user table has an auth0_id_string column. If I manually create a user whose auth0_id_string matches what I find under sub in the decoded Auth0 token, then my from_token_payload method will find that user and Knock will give me a thumbs up for that token. If no user is found, thumbs down.
So it goes like this, roughly:
Angular asks Auth0 to authenticate a user
Auth0 sends back a JSON Web Token
Angular sends that JSON Web Token to Rails
Rails decodes that token
Rails tries to find a user that matches the data in that token
Rails sends back either a 200 or 401 depending on whether a matching user was found
There are some pieces missing but that's the gist of it. I'll probably end up writing a tutorial on Angular + Rails + Auth0 authentication since, as far as I've been able to tell, none currently exists.
Based on the information you provided I'm assuming that you want to have an application that has the front-end implemented in Angular and uses a Rails based API to provides the services required to the Angular front-end.
In this scenario you can model this as a single (client) application from the Auth0 side of things and do one of the following:
Use the ID token resulting from the authentication for two purposes:
to provide information about the currently authenticated user to the Angular application so that it can meet any applicable user interface requirements
as a way to authenticate calls made by the Angular application to the Rails API, that is, the Rails API uses a token-based authentication system that accepts the ID tokens issued by Auth0.
Expose an endpoint on the Rails API that can be used by Angular to exchange the ID token received upon user authentication by any other credentials that can then be later used to access the API.
The first option is the easiest to implement, but you'll have to include the ID token in every request. The second one increases complexity on your side, but it may allow you more flexibility.
If this does not address all your concerns, can you please update the question with more details about the exact scenario you're trying to accomplish.
A final note, if your intentions are to provide an API that can be later consumed by a different range of applications then the most correct way to secure it would be by using a token-based system where the tokens would be issued by an authorization server compliant with OAuth2.
Having your own OAuth2 authorization server is significantly complex to maintain so Auth0 is in the process of enabling this as an additional service that can already be used in preview mode for accounts in the US region. This would basically allow to obtain as part of the authentication process an ID token used by the client application to know the currently authenticated user and also an access token that would allow to make call into the specified API.
I'm developing an iOS app that uses the Magento REST API, I'm following the documentation provided by Magento for the OAuth authentication (http://www.magentocommerce.com/api/rest/authentication/oauth_authentication.html)
I use the initiate endpoint to get the request token but then when I want to authorize this token I need to use the "authorize" endpoint and there I get redirected to a URL where I have to provide customer credentials to authorize the request token. This is not the behaviour that I was expecting since the user would be already logged in using the app's login (not implemented yet). Is there a way of making this "authorization" step transparent for the user? Like calling some service passing it the user's credentials provided in the login screen of my app?
If there is no way I'll use the Magento's SOAP API
I did that too really really painful Magento use OAuth1.x, basically you've got three options:
Do it yourself
Use some oAuth consumer lib, you can find them on github
Use MKNetworkKit with this add-on
I used the 3rd because oaf MKNetworkKit, and anyway there was still a lot of work to do, if you want to hide some passages injecting js.