I am working on SalesForce-DocuSign Integration (eSignature Process). I have successfully connected to Docusign demo environment and tested the APIs & functionality is working as expected.
In my code username, password and Integrator key are hardcoded .
// Enter your DocuSign credentials:
String UserName = "abc#xxx.com";
String Password = "abc";
String IntegratorKey = "****************************";
Soon,the code will be moved to production org. When end users started using esignature process, same credentials (Username and password. Example above username and password) can be passed to connect to DocuSign API everytime or the user specific credentials should be passed to connect to Docusign APIs? What is the the best approach for this ? Any ideas.
Thanks.
It sounds like you want to create and send envelopes on behalf of other users. You will use a generic api account user which will authenticate with the API but you can use SOBO to send the envelope on behalf of another docusign sender that is part of the same account.
For Authorization Grant:
https://www.docusign.com/developer-center/explore/features/sobo
Easier way using the Authentication Header: https://docs.docusign.com/esign/guide/authentication/sobo.html
Related
I have a Web API that used basic authorization to access the Web API from front end. So we used to pass Authorization header from Frontend Application that contains user login and password in encrypted form and sent to WEB API, where we read authorization header and fetch user login details(UserName, Password) and validate user credentials from Active directory.
Now we are implementing Azure AD integration and we are not able to send user password in Authorization header. So API fails to validate user credentials and it break the flow. Also I am getting httpcontext.current.user as null.see below code
public class UserdataController : ApiController
{
private readonly KMMContext db = new KMMContext(HttpContext.Current?.User?.Identity?.Name ?? "");
You'll need to use MSAL.
A good starting point is here https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-overview
Some examples can also be found here. This one is for a javascript/nodejs client since it was not mentioned which frontend framework was used.
https://github.com/Azure-Samples/active-directory-javascript-nodejs-webapi-v2
Basically your WebAPI will now be receiving a JWT token instead of the user credentials.
I am trying to send email using UserNamepassword provider with delegated permission but getting error as below
AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'. Trace ID: 66ecbe3d-56d1-4850-8310-dd33cb8d3900 Correlation ID: b2f61146-44d3-4997-ab99-5370bbac6b04
When I tried with Application permission with send.mail, I am able to send email as any user.
but as per the company restrictions i need to send email using delegated permission.
How to achieve this as error is with respect to Multi factor authentication as MFA has been enabled on our account.
IPublicClientApplication publicclientapplication = PublicClientApplicationBuilder
.Create(clientId)
.WithTenantId(tenantId)
.Build();
UsernamePasswordProvider authprovider = new UsernamePasswordProvider(publicclientapplication, scopes);
await graphServiceClient.Me
.SendMail(email, false)
.Request().WithUsernamePassword("Username", passwordstring(stringpassword))
.PostAsync();
Please help here with options.
If the user has multi-factor authentication (MFA) enabled, then you can’t use username/password to obtain tokens, because ROPC flow does not support MFA, according to the documentation:
If users need to use multi-factor authentication (MFA) to log in to
the application, they will be blocked instead.
The easiest way is to use the auth code flow, which supports users with MFA enabled to log in to the application. When using this flow, you need to log in to the user to obtain the authorization code, and then use the authorization code to redeem the access token.
I created a desktop application that talks to Graph API (Beta).
In the development version, I deployed it on the application I created myself on Azure AD. As one of the requirements is not to show login dialog when using the application, I decided to go with UsernamePasswordProvider, which I provide the user name and password of my account and everything works fine (I didn't put client secret in my application).
When I'm about to deploy it on customer's network, I asked the admin and he provides me the service user name, password, tenant ID, client ID, and a client secret.
I tried using Postman to check if I can get an access token from those info and I can only if I provide the client secret along with user name and password.
When I'm back to the code, UsernamePasswordProvider's constructor accepts IPublicClientApplication which has no option to create the application with client secret.
I understand that there is a reason behind as the secret can be easily stolen if the application got decompiled but, if I'm (in fact, my client) not serious about this, is there any way to initialize the GraphClient by putting user name, password, and client secret together for authentication?
Important, the Username / Password flow is not recommended because your application asking a user for their password is not secure. For more information about this problem, see this article.
If you still would like to use it, you could put username and password of that user in Key Vault and fetch those in your code.
string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
var kvUri = "https://" + keyVaultName + ".vault.azure.net";
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
var secret = client.GetSecret(secretName); // get username or password here
I recommend you to use ClientCredentialsProvider, it enables service applications to run without user interaction.
I have a angular application and identity server 4 application. I have a login page in angular app which have only user name and when user enters his username , i want to send this username to IDs 4 and based on his username i will ask him to login either using password or redirect to AZure AD (i have saved these settings in DB which mode he needs to login).
From angular we are only able to call this method this.oidcSecurityService.authorize();
Can anyone suggest the way to send the username to IS4 from angular application using the angular-auth-oidc-client library.
OpenID Connect authorization requests can include the username in the login_hint parameter. IdentityServer will then make that available to you via the IIdentityServerInteractionService.
Your client library should allow you to set this query string parameter for authorization requests.
I'm trying to connect to exchange online and do certain operations with the emails using Microsoft Graph API 1.0 and this is all done in a demon program. I'm using Client Credential workflow for authentication, below is the small piece of code
AuthenticationContext authenticationContext = new AuthenticationContext(string.Format(CultureInfo.InvariantCulture, azureEndPoint, tenant));
ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(resource, clientCredential);
But for this code to return the authentication token I have to get Application Permissions to the azure app id against microsoft graph api. The caveat here is if the permission is granted, the application id will have access to read emails of all users in the organisation and due to this reason tenant admin has strictly refused to grant the permission.
I tried my luck with consent framework but that requires user intervention to enter his/her id and password which is not possible in case of a demon program. I read few blogs like below but they all end up entering the user id password to get to the redirect url which defeats the whole demon thing https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/
Is there any way I can give read/write access to azure application id for specific email ids in the tenant? Or alternatively any smart way to somehow get to the mailbox without user intervention?
Thanks in advance,
Vivek
You can only use app permissions with client credential grant flow.
To access only specific users' emails, you'd have to do a different approach.
This does require each user to consent individually.
Have the users login to your app, require consent for access to their email.
Upon returning to your app, acquire a refresh token and store it securely.
A refresh token is user-specific.
Then in your daemon service you acquire an access token for each user using their refresh token.
If the acquire fails because the refresh token has been invalidated,
the user will need to be notified to login again.
This is now resolved as microsoft has introduced a new concept of limiting application permissions to specific mailboxes or set of mailboxes using Group Policies. Check here https://learn.microsoft.com/en-us/auth-limit-mailbox-access