apiKey of subaccounts
Sunday, August 23, 2020 at 09:57pmHow can I pull the subaccount user's apikey using parent account's apikey? I have called api/senders/{accountid}/apiKey and it returns 403. The same method works for the main account however. In other words, I can pull apiKey from other senders using the owner's apiKey on the main level but couldn't do the same for the subaccount. I would appreciate any help that can be provided.
Reply to: apiKey of subaccounts
Monday, August 24, 2020 at 06:04amHi Mark,
Form my own experience with subaccount, I also found the same that if you invited a signer at the main account level (these signers can later be added roles at subaccount level with certain subaccount permissions), you can pull the API Key by the main account owner's. On the contrary, if you invite the signer at sub-account level, API Key retrieval API will hit 403 error due to a lack of permission.
In this regard, I would suggest you invite all signers at the main account level for better signer management purpose. (For those signers already invited at subaccount level, if you can't delete and reinvite them, you can contact the support team and have them merged to main account)
With this account structure, register a main account level client application, and use Client API Token to retrieve a temporary credential is a clean and SDK-friendly method to manage each signer's transaction.
Duo
Reply to: Hi Mark, Form my own…
Tuesday, August 25, 2020 at 09:12amHi Duo. Thank you for the response. However that sounds pretty bad for organizations that have 10000+ users who were already configured in subaccounts only.
Reply to: apiKey of subaccounts
Tuesday, August 25, 2020 at 01:58pmHi Duo;
The customer says that 90% of the users exist in the Master Account and it would be a lot of work to figure out the few that aren't. Do you know if OneSpan Support would be able to determine that?
Thanks!
Reply to: Hi Duo; The customer says…
Tuesday, August 25, 2020 at 02:39pmHi Sam,
Support is able to determine which senders exists at subaccount level, and possible to merge them to the master account.
But since subaccount is still an evolving feature that we are also learning internally, it's safer if you can test through the whole process on the 90% existing senders before we change anything to the account structure.
Duo
Reply to: apiKey of subaccounts
Thursday, August 27, 2020 at 12:46pmDuo,
I am still having a problem. Once I pull sub accounts, how do I pull senders that belong to the subaccount? And since subaccount users have different API key than those in the main account, how do I find the subaccount owner's api key using REST API call to retrieve API key of each user that belongs to the subaccount?
Reply to: apiKey of subaccounts
Thursday, September 3, 2020 at 08:47amFive days have gone by with no response. That's disappointing.
Reply to: apiKey of subaccounts
Thursday, September 3, 2020 at 09:23amHi Mark,
Sorry for the late reply.
For the first half of the questions, API "GET /api/account/roles/{accountRoleId}/users" should be able to retrieves the list of user IDs assigned to a given role, for the subaccount where current API Key/Token is active in. However, I am seeing an error leveraging this API, therefore a Jira ticket has been raised to R&D team and I am waiting for updates.
On top of that, although it's not desired, this API may also help "GET /api/account/senders/{senderId}/account/{subaccountId}/roles", so total of #sender * #subaccounts APIs are required.
For the second half questions, it's true that a sender have different API Keys in different subaccounts. Using main account owner's API Key at L0 level could get any API Key for any sender at any subaccount level:
Step1: get a session based token out of main account's API Key at L0 level
Step2: switch session context and activate subaccount
Step3: get sender's API Key for that subaccount
A code snippet may explain this better:
string baseURL = "https://sandbox.esignlive.com";
string accountOwnerAPIKey = "xxxxx==";
string senderId = "ceKw68567gsE";
string subaccountId = "GZsXlSSd1eES";
HttpClient myHttpClient = new HttpClient();
HttpResponseMessage response;
myHttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", accountOwnerAPIKey);
myHttpClient.DefaultRequestHeaders.Add("Accept", "application/json");
response = myHttpClient.PostAsync(new Uri(baseURL + "/api/authenticationTokens/user"),null).Result;
string userToken = JObject.Parse(response.Content.ReadAsStringAsync().Result)["value"].ToString();
response = myHttpClient.GetAsync(new Uri(baseURL + "/auth?authenticationToken=" + userToken)).Result;
string sessionToken = JObject.Parse(response.Content.ReadAsStringAsync().Result)["sessionToken"].ToString();
HttpClient myHttpCookieClient = new HttpClient(new HttpClientHandler { UseCookies = false });
myHttpCookieClient.DefaultRequestHeaders.Add("Accept", "application/json");
myHttpCookieClient.DefaultRequestHeaders.Add("Cookie", "ESIGNLIVE_SESSION_ID=" + sessionToken);
StringContent payload = new StringContent(subaccountId, System.Text.Encoding.UTF8, "application/json");
response = myHttpCookieClient.PostAsync(new Uri(baseURL + "/api/session/activeAccount"), payload).Result;
response = myHttpCookieClient.GetAsync(new Uri(baseURL + "/api/account/senders/" + senderId + "/apiKey")).Result;
string senderAPIKey = JObject.Parse(response.Content.ReadAsStringAsync().Result)["apiKey"].ToString();
Debug.WriteLine("sender API Key: " + senderAPIKey);
Duo