openid scope doesn't work together with extended

  • 18 July 2024

I am building an app that will connect via OAuth.
I need as few permissions as possible, so I chose the “openid” scope and log in with a specially created user with only 2 permissions.
I want to use the “extended” scope to prolong the refresh token each time, but for some reason, when I try to use the scope “openid extended” or “extended openid”, the access token that I receive does not allow me access anywhere I can go with just the “openid” scope. On all routes I receive a 401 code.

Is something wrong with the “extended” scope or with the way that I am trying to use it?
Currently all actions were performed on the Dev env. Maybe the Dev env itself is limited somehow?

6 replies


Hi,

Thank you for reaching out here in the DocuSign Community. 

I am very sorry for the inconvenience you are having. However, I would like to know how you are creating the consent URI using the scopes it requires. I just did the test and I have not had any problems, which is why I would like to know if the URI you are using is similar to this:

 

https://account-d.docusign.com/oauth/auth?response_type=code&scope=extended openid&client_id={YOUR IK}&redirect_uri={YOUR REDIRECT}

Regards,

 

Eric | Docusign


Hi, Eric
Thanks for the quick response!

Here is how I use the URL:
https://account-d.docusign.com/oauth/auth?client_id={client_id}&redirect_uri={redirect_uri}&state={state}&response_type=code&scope=extended%20openid

I also have a successful response from POST https://account-d.docusign.com/oauth/token, just as you have in the screenshot, with access_token, token_type, refresh_token, expires_in, id_token, and scope.

The problem is that using ‘access_token’ I get 401 on all routes that I can use without ‘extended’.

So my user, for example, has permissions to view Users/Roles/Groups/Permissions and manage envelopes.
With just ‘scope=openid’ I can freely get data from:
https://demo.docusign.net/restapi/v2.1/accounts/{account_id}/users

https://demo.docusign.net/restapi/v2.1/accounts/{account_id}/groups

https://demo.docusign.net/restapi/v2.1/accounts/{account_id}/permission_profiles

https://demo.docusign.net/restapi/v2.1/accounts/{account_id}/envelopes

 

But as soon as I add ‘extended’ to the scope and repeat the OAuth process, I receive 401 on all these routes.


extended openid is available in: https://developers.docusign.com/platform/auth/reference/scopes/

Maybe there is no grant for this integration key.


… I would like to know how you are creating the consent URI using the scopes it requires, I just did the test and I have not had any problems ...

 

 

https://account-d.docusign.com/oauth/auth?response_type=code&scope=extended openid&client_id={client_id}&redirect_uri={redirect_uri}

I also get a successful result from the POST request to https://account-d.docusign.com/oauth/token
The problem is that the user that I use for OAuth has permissions to view users, groups, permission_profiles, envelopes:
https://demo.docusign.net/restapi/v2.1/accounts/{account_id}/users
https://demo.docusign.net/restapi/v2.1/accounts/{account_id}/groups
https://demo.docusign.net/restapi/v2.1/accounts/{account_id}/permission_profiles
https://demo.docusign.net/restapi/v2.1/accounts/{account_id}/envelopes
And with just ‘openid’ I have access to all the routes that I need.
But using ‘openid’ with ‘extended’ I get an access token that is literally useless, because on all the same routes I get code 401.
So for me it’s like adding ‘extended’ to the scope just breaks something.

Please add the scope signature in the Authorization Code Grant URL.


Hi, Hengfeng Ge
Adding ‘signature’ works absolutely fine, but it provides too many permissions.
We have a task to develop an integration that will request as few permissions as possible for its purpose.
Due to the absence of granular scopes in the eSignature API, I chose to use a specially created user with restricted permissions and grant access from this user using ‘openid’.

But I also require the ‘extended’ option, because otherwise our clients will be forced to log in again every 30 days.

If I understand correctly, ‘extended openid signature’ is the same as ‘extended signature’, because the app will be granted access to all routes of the eSignature API.

But I need ‘extended openid’ if it’s possible.
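
Added example, not part of the thread and not DocuSign code: a small Python helper that builds the consent URL quoted above with the scope list percent-encoded, and then diffs the requested scopes against the `scope` field of the token response, so an integration aiming for least privilege can see what was actually granted before its first API call. The function names and sample values are constructed for illustration, and the `scope` field is assumed to be a space-delimited string as in RFC 6749.

```python
import secrets
from urllib.parse import quote, urlencode

# Demo-environment authorization endpoint, as quoted in the thread.
AUTH_ENDPOINT = "https://account-d.docusign.com/oauth/auth"


def build_auth_url(client_id, redirect_uri, scopes, state=None):
    """Return (url, state) with the scopes space-joined and percent-encoded."""
    state = state or secrets.token_urlsafe(16)  # anti-CSRF value, checked on return
    query = urlencode(
        {
            "response_type": "code",
            "scope": " ".join(scopes),
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "state": state,
        },
        quote_via=quote,  # encode the space as %20 instead of '+'
    )
    return f"{AUTH_ENDPOINT}?{query}", state


def compare_scopes(requested, token_response):
    """Diff requested scopes against the 'scope' field of a token response.

    Assumption: the field is a space-delimited string (RFC 6749 format).
    """
    granted = set(token_response.get("scope", "").split())
    wanted = set(requested)
    return {
        "missing": sorted(wanted - granted),  # requested but not granted
        "excess": sorted(granted - wanted),   # granted beyond what was requested
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real response.
    url, state = build_auth_url(
        "SAMPLE_IK", "https://app.example/callback", ["extended", "openid"]
    )
    print(url)
    sample_response = {"token_type": "Bearer", "scope": "extended openid signature"}
    print(compare_scopes(["extended", "openid"], sample_response))
```

A non-empty `excess` list means the token carries more access than the integration asked for, and a non-empty `missing` list means a requested scope was not granted.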
