Daniel Taghaddos

Reputation: 98

DocuSign - Obtain UserID using admin consent response code?

I'm trying to integrate DocuSign into our system. What I understood from the documentation is that we need to use JWT Authentication, because we ask the organisation administrator for permission, and then the users do not need to log in when requesting a signature.

This is the url I use to obtain the admin consent:

https://account-d.docusign.com/oauth/auth?response_type=code&scope=openid&client_id=0d055e7d-xxxx-xxxx-xxxx-0718d22b58b1&admin_consent_scope=signature%20impersonation&state=esignature_docusign&redirect_uri=Callback_URL

The callback URL is called successfully with a code returned like this:

Callback_URL?state=esignature_docusign&code=ConsentResponseCode

However, there are two problems here:

  1. The ConsentResponseCode is a valid code in JWT format, but the payload is empty and the header looks like this:

    {
      "typ": "MT",
      "alg": "RS256",
      "kid": "68185ff1-xxxx-xxxx-xxxx-689812203317"
    }

  2. If I use that code to perform an Authorization Grant login, it returns this error (even a few seconds after I receive the ConsentResponseCode):

    {
        "error": "invalid_grant",
        "error_description": "expired_client_token"
    }

which is blocking us from looking up the user by email.

Questions are:

  1. How can I obtain the UserID to create the JWT request?

  2. Do I need to obtain consent separately and perform an Authorisation Grant for the organisation admin account?

Upvotes: 0

Views: 693

Answers (2)

Larry K

Reputation: 49114

The code that you receive back from the consent process is actually the code for the authorization code grant flow. You should simply throw away that code (ignore it completely).

Remember that obtaining consent is a one-time operation per user that you will be impersonating. The consent record is maintained by DocuSign, it is not a cookie or anything else ephemeral.

You'll only need to repeat the consent process if the user specifically withdraws the consent that they previously granted you.

Upvotes: 1

Inbar Gazit

Reputation: 14050

  1. The UserId is a GUID and you can find it in the admin section of DocuSign after you log into the app. The same place where you created an integration key has both the AccountID and the UserId, two different GUIDs, and you need them both.
  2. You only need consent from the users which your app will be impersonating. This goes back to the userID in #1 that you asked about. If you chose a userID, that user must consent. If you have two users, user1 and user2, and you only ever use user1's ID in the JWT, user2 does not need to consent. If you want to be able to use either, you will need both to consent. Organization-level consent allows you to do that for all the users at once, but requires you to create an org and administer it.

Upvotes: 1
