You have not granted or have revoked your consent to be impersonated by DocuSign Apps Launcher

Question

I am an admin on Salesforce and on Docusign. The Salesforce connection on Docusign is actually setup with one of my colleagues username who is also an admin on Docusign. When i try to access Docusign Apps Launcher, i am seeing the following error message.

'You have not granted or have revoked your consent to be impersonated by Docusign Apps Launcher'

Can someone please list the resolution for this issue. As far as what i understand my colleague will have to grant consent from Docusign to be impersonated or even better changing the connection on my name as i plan to manage it on both Salesforce & Docusign.

Answer 1

By calling the AuthService API you can generate an authorization URL and after granting access everything worked fine.

My steps:

1. open the developer console in Salesforce

2. Run this as anonymous code:

   Url loginUrl = dfsle.AuthService.getLoginUrl('/lightning/page/home');
   System.debug(loginUrl.toExternalForm());
   

3. Open the log in dev console and tick the Debug Only checkbox. This will show you the URL.

4. Copy and paste the URL into your browser

If not already signed in to DS, you will be prompted by DS for authentication. Finally you'll be prompted to consent having DocuSign App Launcher (DAL) act on your behalf.

When you're redirected back to Salesforce, if you see 'Invalid State' error from DAL in Salesforce, ignore it. Refresh/reload the page of the DAL app in SF - if you're on the default DocuSign setup tab, you should see setup options such as eSignature and User Management. (More options might appear if you have other DS services provisioned).

Answer 2

I encountered this issue with a DocuSign Admin user and found out that Edge was blocking a popup. The user finally got the "Authorize" screen when they went to Chrome and allowed notifications.

Answer 3

What you're describing sounds like consent for OAuth token generation, specifically JWT. When the Apps Launcher sends the requests under your username it supplied with payload that contains your Integration Key, userId, scopes and a few other pieces. When DS interprets this it checks to see if consent has been granted by your user for the scopes provided in said OAuth request. If it doesn't see consent, it returns this error message.

Basically we have three ways of fixing this pending on how your account is set up.

1. Individual consent where you can construct a URL containing the scopes, IK, and RedirectUris -- this allows you to log in and grant consent on an individual basis.

2. Domain Consent -- if you have an Organization established within our system and a claimed domain attached to it, you can supply consent for any Org users under that domain. So if I own gmail.com for example, I could supply consent for any user.

3. Org Consent -- this allows you to grant consent to an application across your entire organization.

If you're dealing with a single user it's most likely going to be easiest to go the individual route. An example structure for this would be: SERVER/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=CLIENT_ID&redirect_uri=REDIRECTURI

Larry also put up a blog post last year that shows these three methods in-depth -- have a look and let me know if you have any questions: https://www.docusign.com/blog/developers/oauth-jwt-granting-consent

Regards,

Matt