
Docusign OAuth Invalid Grant with unexpected_origin_included

  • September 13, 2024
  • 4 replies
  • 310 views


Morning,

In my team we are trying to implement an integration with DocuSign and, according to the documentation, we need to set up an OAuth process. In order to do so, the steps we’ve followed are:

  • Create a developer account
  • Go to “Integrations” → “Apps and Keys” and create an app there with a secret key and also the redirect URIs and CORS configuration. As it is the first try, we used “http://localhost:3000” everywhere.
  • We followed this link from the documentation: https://developers.docusign.com/platform/auth/authcode/confidential-authcode-get-token/
  • We’ve implemented a redirection from our frontend to get an authCode as stated in the documentation by calling https://account-d.docusign.com/oauth/auth with response_type=code, scope=signature cors, client_id={OUR_CLIENT_ID} and redirect_uri=http://localhost:3000
  • Afterwards, we are doing a POST request through axios to https://account-d.docusign.com/oauth with the parameters stated in the documentation (a header with Authorization: Basic {COMBINED TOKENS} and a body with { grant_type: ‘authorization_code’ and code: the retrieved code }).
  • In this whole flow, we are getting the auth code, but when trying to exchange it for an access code immediately after, we are getting a 400 BAD REQUEST with {"error":"invalid_grant","error_description":"unexpected_origin_included"}

Does anyone have any tips on how to proceed? We didn’t find this error anywhere in the documentation and are a bit stuck with the topic.

4 replies

Renan.Araujo
Docusign Employee

Hey @Haufe Onboarding,

I noticed that you are trying to use the Authorization Code Grant token type (response_type=code) for a CORS call. This is not possible. Per our documentation, you must use Implicit Grant (response_type=token) instead if you want to make API calls from the client side.

I recommend you revoke the previous consent given for the integration key you are trying to work with and execute the consent request again with the correct response_type declared.

Keep in mind that when using Implicit Grant you don’t need to exchange the code returned for a token, as the token is already returned through the callback URI. You just need to handle it on your end to collect the token, and provide the logic on your end to grab a new token as soon as the previously generated one expires.

A few resources to help you below:

😎
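
The token handling described in the reply above, as an added example that is not part of the original reply or DocuSign's own code. It assumes the callback fragment carries the standard implicit-grant fields from RFC 6749 section 4.2.2 (access_token, token_type, expires_in, state); the function names and the sample callback URL are hypothetical and constructed for illustration.

```javascript
// Added example: handle the implicit-grant redirect and track token expiry.
// Assumed fragment fields (RFC 6749 section 4.2.2): access_token, token_type,
// expires_in, state. Function names are hypothetical.

// Parse the fragment of the callback URL and validate it against the state
// value the app generated before redirecting to /oauth/auth.
function parseImplicitCallback(callbackUrl, expectedState, nowMs = Date.now()) {
  const hashIndex = callbackUrl.indexOf('#');
  if (hashIndex === -1) throw new Error('no fragment in callback URL');
  const params = new URLSearchParams(callbackUrl.slice(hashIndex + 1));

  // The authorization server reports failures in the same place.
  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  // Reject responses that do not echo our state (CSRF protection).
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  const accessToken = params.get('access_token');
  const tokenType = (params.get('token_type') || '').toLowerCase();
  const expiresIn = Number(params.get('expires_in'));
  if (!accessToken || tokenType !== 'bearer') throw new Error('no bearer token in callback');
  if (!Number.isInteger(expiresIn) || expiresIn <= 0) throw new Error('invalid expires_in');

  return { accessToken, expiresAtMs: nowMs + expiresIn * 1000 };
}

// True when the token is missing, expired, or within skewMs of expiring, so the
// app should send the user through /oauth/auth again (implicit grant issues no
// refresh token).
function needsNewToken(token, nowMs = Date.now(), skewMs = 60_000) {
  return !token || nowMs >= token.expiresAtMs - skewMs;
}

// Constructed sample callback; the token value is a placeholder.
const sampleCallback =
  'http://localhost:3000/#access_token=PLACEHOLDER_TOKEN&expires_in=28800&token_type=bearer&state=abc123';
const token = parseImplicitCallback(sampleCallback, 'abc123', 0);
console.log(token.expiresAtMs, needsNewToken(token, 1000));
// In the browser, call history.replaceState(null, '', location.pathname) after
// parsing so the token does not stay in the address bar or history.
```

Keep the parsed token in memory rather than in localStorage where possible, and generate a fresh random state value for every redirect.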


Hengfeng Ge
Rising Star
  • September 15, 2024

So what's the type of your application? Web application? We mostly suggest using JWT for system integration.

FreeLink/甫连信息
🌍 DocuSign Partner | Partner Profile
🏆 2024 APAC Reseller Growth Partner of the Year
🔧 The first in APAC to pass the DocuSign eSignature Technical Consultant certification.
🚀 Expertise in DocuSign integrations with on-premises systems for leading enterprises across various industries.

Feel free to reach out for collaboration opportunities.


Forum|alt.badge.img+2

Okay, I guess I misunderstood the documentation @Renan Araujo, many thanks. I’ll try your approach and reach back.

It is a web application @Hengfeng Ge


Hengfeng Ge
Rising Star
  • September 16, 2024

If your application is a web application with a backend, you can check generating a token by JWT for one system user. It needs consent to be granted one time before getting a token.

https://developers.docusign.com/platform/auth/jwt/jwt-get-token/

For a developer account, the consent URL should look like:

https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature impersonation&client_id=f8f502d1-cac9-328e-a0d5-9e2f2e413e8b&redirect_uri=https://localhost
