DocuSign Implementation with my application - web-services

I want to integrate DocuSign with my application. There is no recipient.
The user who is signing in my application should sign the document which is generated through my application. After signing the documents through DocuSign, the user should be returned back to my application.
I don't want any email authentication.
How can I do that?

Yes, no problem! Use the embedded signing option. See the recipe.
This enables your app to provide the following flow:
The user logs in to your app
Your app logs into DocuSign using an admin login for your DocuSign account. The login is done from your app to DocuSign. Your app's user does not login to DocuSign.
Create the pdf (or other file type)
Your app sends it to DocuSign using embedded signing. Your app receives back a specific url to enable the user to sign.
Re-direct user's browser to DocuSign by using the specific url.
User signs
User's browser is re-directed back to your app
Your app can download the signed document if you wish
Also: Mobile devices are fully supported, including signing via the touch screen. Do not use an iFrame if your users will use mobile devices.

Related

Need Help to do Login authentication oauth2.0 while load testing

I have a BlazeMeter Pro account and I am stuck on the step I try to record in Jmeter and also try with BlazeMeter recording but not able to do it.
Now flow is I have to login into the system and perform the operation, we implement oAuh2.0 from the development side to authenticate the user from the Gmail and we face issue while record script that user is not able to authenticate to login when you hit with single or multiple users.
to authenticate I need all the below parameters and I have all details but now in Jmeter or BlazeMeter, I do not understand where I add all details.
client_id=
client_secret=
refresh_token=
grant_type=refresh_token
we are implementing a following steps at record time
Load a respective URL and open Gmail Login page
After Enter email and password page is redirect and particular website will be display
After enter user name and password on the website UI is display.
Please guide me on how I implement this and process my flow for load testing.
As per Google documentation in OAuth 2.0 for Client-side Web Applications you need to
Send a request to https://accounts.google.com/o/oauth2/v2/auth with:
client_id
redirect_uri
response_type
scope
parameters.
This request you should be able to record using your favourite recording option.
In your case you need to change this redirect_uri to some web server which you control as you will receive the token there in form of https://your_redirect_url_here/callback#access_token=your_token_will_be_here&token_type=Bearer&expires_in=3600
It's a good idea to use HTTP Mirror Server for this purpose.
Once you get the token you will be able to add HTTP Header Manager and configure it to send Authorization header with the value of Bearer ${your_token}
More information:
OAuth 2.0 Documentation
OAuth 2.0 Playground (if your application uses different flow you can replicate it there and see relevant requests/responses which can be later on implemented in JMeter)

How to implement QR code cross login from mobile app as authentication method for website or webapp in a vendor agnostic way?

I am using Django 2.2 for my webapp.
And I have been looking for tutorials that cater for QR code cross login to webapp using mobile app.
Basically the workflow is like this:
expected workflow
User arrives at website on desktop
Given a choice of username/password or QR code login (We assume user is registered)
User chooses QR code to login
User is prompted to install mobile app (can be android or iOS)
User installs mobile app and logins using username/password.
On mobile app, user then agrees to future login using QR code as alternative (this is done once)
After this, in future logins, when User chooses QR code to login as per step 3. They use the mobile app to scan QR code generated on the website login page.
The mobile app then uses FaceID or FingerPrint ID (assuming iOS) to then allow login. The user presses a Yes button on the mobile app to confirm login.
Somehow the webapp is notified dynamically and allows login on the desktop browser.
I don't quite get how the mobile and the web app at the backend all work with one another to achieve this seamlessly.
What I did find
I did find this library https://github.com/aruseni/django-qrauth which seems no longer maintained. But I still cannot quite get how the flow works between mobile app and webapp backend.
I also found this https://medium.com/#ksarthak4ever/django-two-factor-authentication-2ece42748610 which seems to use the mobile phone as a 2FA device. Not exactly the use case I am looking for unless I misunderstood.
I did find this article https://backendless.com/how-to-implement-mobile-to-web-cross-login-using-a-qr-code/ which is what gave me the term "cross login". However, the article is tilted heavily towards this particular vendor.
I am looking for an "understanding" of the concept without being reliant on the specifics of the vendor implementation.
What I am not looking for
In case, my question is poorly phrased and gets misunderstood, I have included this section to make clear what I am not looking for.
I am not looking for the use case where the QR code serves as a 2FA confirmation for the authenticator app.
I am also not looking at code examples yet. I just want a clear understanding first of how things work between the mobile and web app. I believe JWT is needed though I am guessing.
A workflow is more appreciated than actual code because I want to gain an understanding first of how this works.
The key concept is that login occurs when a user and browser are matched. A user means a user(or a user device) already recognized(authenticated) by the server.
user's PC browser requests QR login to server (without any account information)
server makes login request key and send the key to the user's browser. the key is displayed as QR code. (the role of this key is to identify the browser)
user's already logged-in device(user) read the key(QR) and sends a login acceptance request to the server with the key.
At this point, the server knows who both the user and the browser are.
The server allows the browser to log in as the user.
The key to identify browser could be session or web socket channel or any other form of information.
The server must store the key until the login process is complete.
If a valid login acceptance request is received, the server should prompt the browser to log in.(server->client, push). there are several techniques for accomplishing this.(polling via AJAX, Web socket, push notification services, etc..)
I'll explain it with Django-channels web socket framework. (In this case login request key and channel name is same. but different key and channel name is also okay.)
browser: user chooses QR login. (without any account information)
Backend: web socket channel is made. name of the channel is securely randomly generated string(FOO). key(FOO) is stored in redis as Django-channels[redis] made a channel named that string(FOO). send the key(FOO) to user's browser.
browser: get the key(=channel name=FOO) and open the web socket channel(FOO). and also displays QR code(FOO).
user(smart phone): user launch smart phone app(already logged in). and scan the QR code(FOO). user smart phone app send a login acceptance request to the server with QR code's information(FOO)
Backend: server send securely generated login key(BAR) via web socket channel(FOO).
browser: get login key(BAR) via web socket channel(name is FOO) and redirect to login url with login key(BAR).
server: get the login key(BAR) and let the browser to log in as the user
login request key(FOO) could be a JWT(contains key, url, expire, etc..) or just secure string(varies depending on the scenario). it doesn't contains account information and server must store it.
login key(BAR) is usually a JWT. with JWT, it contains account information and server does not have to store the key.(stateless)
I think you wanna do something like WhatsApp’s web where the users log to the web app by QR code, if I was doing such implementation I’ll do it as follows.
When the user arrives to the login page, we create a logInSession with a random token and we save it to the database.
we send that random token to the browser, which will render QR code based on the random token. We start a pooling for ‘log_me_in’ view to check if the user scanned the barcode.
The user goes to the mobile app and select log-on browser activity which will launch the camera.
Once QR is read on the phone, make a request to the backend with the scanned token and update the logInSession with the username.
With the next call to ‘log_me_in’ view, log the user in based on the username and tell js to redirect to homepage.
Hope this is clear enough.

ADFS 4.0 Disable browser cookies

I am using ADFS 4.0 for authenticating into my mobile application using OpenId Connect / OAuth2 flow. Basically when I sign in to my application, my mobile appliaction opens a browser to start the flow. Whenever I sign out from the application, I need to fire the ADFS sign out page to clear the cookies and redirect back to the application.
The problem I have is that when I successfully authenticate through ADFS, I need to perform some user validation in my API for the user which sometimes can fail. If the validation fails, the session cookies stays in the mobile devices browser, so the user is not prompted for credentials anymore, so hes stuck in a loop where he cannot sign in to the application again. I really don't even need the session cookies stored into the mobile devices browser because I am using the access and refresh tokens to handle the flow after the authentication.
I have configurated my application as native application / Web API in ADFS. Is there any way I could disable the cookies to be saved in the mobile devices browser or is there any other approaches for this problem?
Are you using authorization code grant flow?
If yes, you can use prompt parameter in authorization request. As explaining in this document about prompt , with prompt=select_account, user will be forced to choose current signing account or choose to login in another account, or with prompt=login, user has to reauthentication...With those values of prompt, you will not be "stuck in a loop where he cannot sign in to the application again"

How to use Federation from a User Pool (not from an Identity Pool)!

I'm trying to use Federation from a User Pool. Note, I am not talking about Federated Identity Pool a different concept.
Is there a SignIn API for federated users or is just a hosted UI
Does the app "have to" open a browser on a Sign In URL that looks like https://XXXXXX.au=th.XXXXX.amazoncognito.com/login?response_type=code&client_id=XXXXXXXXX&redirect_uri=XXXXXXX? Can the end-user can stay inside the app, similar to how Google SignIn API on Android works (it pops up a small Google sign in UI, user clicks on their name, you're immediately back inside the app with a token.
How do I launch a browser on that Sign In URL?
How can my app be called back when the user has finished signing in?
Specifically how does my mobile app receive the token from the browser?
Is there a SignIn API for federated users or is just a hosted UI?
As far as I can tell you have to use the hosted UI when you federate a user pool to social IdPs.
How do I launch a browser on that Sign In URL?
This depends on the language and platform obviously, on Android with Xamarin you can use Xamarin.Auth.Presenters.OAuthLoginPresenter.Login() to launch a native browser Chrome at a URL specified by the OAuth2Authenticator you pass in. That OAuth2Authenticator does more than just craft the URL it gives Chrome, its stateful so when you get an answer back in the form of a code or token, you can then call methods on that object to proceed.
How can my app be called back when the user has finished signing in?
Specifically how can the browser redirecting a URL actually redirect you back inside the app. That's done via something called, Deep Links & App Links, here's that concept explained on Android.

Can I authenticate with OAuth in a Javascript app without saving a token on the client side with rauth?

I want to be able to authenticate users of an angular.js application using oauth, but I do not want to store any tokens on the frontend because I have seen that it can be fairly complicated to do so securely. Is there a way to pass some sort of credentials of a user to my django web application, where is can authenticate the user with some oauth provider and save that information in a session? To make it simple, here is the process I want
User is logged into some oauth provider, i.e. stackexchange
They click a "login with stackexchange" button on the front end angular app
Their login credentials are sent over to the django application through a restful api
The django app which receives these credentials attempts to get a token using rauth
If the server receives a token, the user is logged in and their information is saved in a session, otherwise they are given an error
Is this sort of process supported by OAuth2 providers?
Step 3 is incorrect: that authentication process is handled entirely off-site, on the OAuth provider's infrastructure, e.g. StackExchange.
This kind of flow is certainly possible. I would check out the Facebook example, which uses Flask, but provides a similar framework for how you might go about this in Django.