关于帐户中用户管理的REST API的说明 [英] Clarification on REST APIs around user management in an account
问题描述
我最近创建了一个docusign开发人员帐户和集成者密钥,并且正在使用docusign REST API,并且遇到了一些问题
I recently created a docusign developer account and integrator key and was playing with docusign REST APIs and had some questions
-
I可以使用以下REST调用来检索我帐户下的用户的完整列表。
https://demo.docusign.net/restapi/v2/accounts/<accountid>/users?additional_info=true
但是,如果我尝试检索特定用户(不是我在X-Docusign-authentication中传递的用户)标头,则会出现HTTP 400错误,并显示消息无效的UserId。请求uri与经过身份验证的用户不匹配
However if I try and retrieve a specific user (other than the one I am passing in my X-Docusign-authentication) header i get http 400 error with message that the "Invalid UserId. UserId specified in request uri does not match authenticated user"
https://demo.docusign.net/restapi/v2/accounts/<accountid>/ users / 0d51a699-b17a-48b7-95b6-1e9e9806deb6
在两种情况下,我都发送以下标头。
In both cases i am sending the following header.
X-DocuSign-Authentication:< DocuSignCredentials><用户名> {0}< / Username><密码> {1}< / Password>< IntegratorKey> {2}< / IntegratorKey>< / DocuSignCredentials>
我惊讶的是,尽管我可以很好地读取所有用户,但我不能只读取一个特定的用户。当然这似乎不是安全的事情,因为我可以通过一个API读取用户,但不能使用相同的身份验证令牌通过另一个API读取用户。
I am surprised that while I can read all users fine, I cannot just read one specific user. Surely it doesn't seem like this is security thing since I can read the user via one API but not the other using the same auth token.
我缺少什么?
我想我可以走SOBO的路线(代表功能发送),但是我想确认是否期望上述行为。
I guess I can go the route of SOBO (Send on behalf of functionality), but I wanted to confirm if above behavior is expected.
更新#1
Update#1
:我去了SOBO 方法,现在我得到另一个错误(USER_NOT_ACCOUNT_ADMIN),如下所示
: I went the SOBO approach and now i get a different error (USER_NOT_ACCOUNT_ADMIN) as shown below
GET /restapi/v2/accounts/{accountid}/users/0fe29a55-5564-42a9-b09d-cbe699db13dd HTTP/1.1
Authorization: bearer {token for authenticating user}
X-DocuSign-Act-As-User: {operating user's email}
Accept: application/json
Host: demo.docusign.net
Connection: Keep-Alive
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Content-Length: 100
Content-Type: application/json; charset=utf-8
Date: Thu, 17 Oct 2013 21:18:32 GMT
Strict-Transport-Security: max-age=7776000; includeSubDomains
{
"errorCode": "USER_NOT_ACCOUNT_ADMIN",
"message": "User is not an account administrator."
}
我还尝试了第二种SOBO方法,为操作用户获取oauth令牌但返回http 400错误并显示以下消息
I also tried the second SOBO approach of getting a oauth token for the operating user but got back http 400 error with below message
{
"error": "invalid_request",
"error_description": "An OAuth2 error occurred."
}
因此,尽管我可以为认证用户获得oauth令牌,但我不是
So while i can get an oauth token for the autheitcating user, i am not able obtain oauth token for the operating user or act on their behalf.
我确保身份验证用户是帐户管理员,并且同时具有 apiAccountWideAccess和• allowSendOnBehalfOf设置为true。唯一设置为 false的是 canSendAPIRequests。我在沙盒环境中的帐户ID是 601565a7-e9c7-463b-9d7c-622aed905ea8有任何想法吗?
I have made sure that authenticating user is "Account Administrator" and has both "apiAccountWideAccess" and "•allowSendOnBehalfOf" set to true. The only thing set to "false" is "canSendAPIRequests". My account id in sandbox environment is "601565a7-e9c7-463b-9d7c-622aed905ea8" Any ideas?
Update#2
Update#2
我没有通过代表身份验证用户和运行用户的方式生成oauth令牌,而是尝试在标头下面传递,最终我可以获取另一个用户的个人资料并更新另一个用户的
Instead of generating oauth tokens on behalf of both authenticating user and operating user, i tried passing below header and i can finally get another user's profile and update another user's profile.
X-DocuSign-Authentication: <DocuSignCredentials><SendOnBehalfOf>{operating userid}</SendOnBehalfOf><Username>{authenticating userid}</Username><Password>{authenticating user's password}</Password><IntegratorKey>{developer's integrator key}</IntegratorKey></DocuSignCredentials>
太好了!
因此,这里是什么有效以及什么无效的状态。
Great! So here is status of what works and what doesn't.
在任何地方都没有SOBO标头的工作
Works with no SOBO header anywhere
GET /restapi/v2/accounts/357938/users?additional_info=true // Read all users
GET /restapi/v2/accounts/357938/users?email=someshchandraatwork@gmail.com&additional_info=true // Read single user by email
POST /restapi/v2/accounts/357938/users // Add users
DELETE /restapi/v2/accounts/357938/users // Close users
* 在X-DocuSign-Authentication标头中与SOBO一起使用
*Works with SOBO in X-DocuSign-Authentication header
PUT /restapi/v2/accounts/357938/users/74a021e1-3090-4843-b9ab-cceb7cd119f4/profile // Update user's profile
GET /restapi/v2/accounts/357938/users/74a021e1-3090-4843-b9ab-cceb7cd119f4/profile // Read user's profile
仍然无效不管是否有SOBO **
Still doesn't work with or without SOBO**
GET /restapi/v2/accounts/357938/users/74a021e1-3090-4843-b9ab-cceb7cd119f4/settings
GET /restapi/v2/accounts/357938/users/74a021e1-3090-4843-b9ab-cceb7cd119f4
在两种不工作的情况下,我都会遇到以下错误
In both not working cases i get following error
- 没有SOBO,我得到userid与匹配用户不匹配的错误。
- 使用SOBO,我得到的错误是用户不是帐户管理员
我会非常感谢您为解决无效案例提供的帮助。我可以根据需要提供更多detaisl。
I would very much appreciate any help in resolving the not working cases. I can provide more detaisl as needed.
-
第二,我想实现一种方案,可以停用帐户中的用户,以便他们无法再登录docusign。然后,我想再次启用该用户,使其具有与禁用之前相同的权限。
Secondly I want to implement a scenario where I can deactivate a user in an account so they can no longer log into docusign. And subsequently I would like to enable that user back again with same permission that they had before they were disabled.
我看到该用户有一个 userStatus字段,想知道如果我可以使用它来停用用户,然后根据需要重新激活。如果支持此功能,那么取消激活用户将使用什么值呢?
I see that user has a "userStatus" field and was wondering if I can use that to de-activate the user and then re-activate if needed. If this is supported then what value would correspond to deactivating the user?
我要注意的另一件事是,在删除用户时,由于我删除了用户,因此仅对用户进行软删除仍可以查询状态为已关闭的用户。那可以解决我的停用问题。但是,我不确定在用户关闭后是否有办法重新激活它们?
The other thing I note is that on DELETE a user, the user is only soft-deleted since I can still query the user with the status "CLOSED". That would solve my "deactivate" problem. However I was not sure if there is a way to reactivate them back again after the user has been "closed"?
推荐答案
在上面对Erign的回复。
In reply to Erign's post above.
任何一位帐户管理员都应该可以修改/添加/删除帐户中的用户。不过,我不确定您的SOBO步骤是否正确,是否可以确认您确实遵循了这些步骤?如果是这样,您在哪一步遇到问题或遇到错误?– Ergin5分钟前
是的,我正在遵循这些步骤。我能够为autheitcating用户生成oauth令牌,但为操作用户执行相同操作时会出错。以下是我的要求和回复。
Yes i am following those steps. I am able to generate oauth token for the autheitcating user , but get an error when doing the same for the operating user. Below are my request and responses.
1。请求用户身份验证令牌
1. REQUEST FOR AUTH TOKEN FOR AUTHENTICATING USER
POST /restapi/v2/oauth2/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: demo.docusign.net
Content-Length: 139
Expect: 100-continue
Connection: Keep-Alive
grant_type=password&client_id={integratorykey}&username={authenticating user's email}&password={authenticating user's password}&scope=api
响应
RESPONSE
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 100
Content-Type: application/json; charset=utf-8
Date: Thu, 17 Oct 2013 22:57:26 GMT
Strict-Transport-Security: max-age=7776000; includeSubDomains
{
"access_token": "{authenticating user's token}",
"token_type": "bearer",
"scope": "api"
}
2。请求操作用户的授权令牌
2. REQUEST FOR AUTH TOKEN FOR OPERATING USER
POST /restapi/v2/oauth2/token HTTP/1.1
Authorization: bearer {authenticating user's token}
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: demo.docusign.net
Content-Length: 137
Expect: 100-continue
grant_type=password&client_id={integratorykey}&username={operating user's id}&password={empty}&scope=api
响应
RESPONSE
HTTP/1.1 400 Bad Request
Cache-Control: no-cache
Content-Length: 87
Content-Type: application/json; charset=utf-8
Date: Thu, 17 Oct 2013 22:57:29 GMT
Strict-Transport-Security: max-age=7776000; includeSubDomains
{
"error": "invalid_request",
"error_description": "An OAuth2 error occurred."
}
这篇关于关于帐户中用户管理的REST API的说明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
