Unauthorized Access, Your authentication token has expired. Tue Oct 09 15:54 UTC

Hi nehme, Sorry for the confusion, I will clarify this in a detailed manner. Because there are few concepts I need to explain to you first. 1. Session Expiry vs Authentication Token Expiry They are two different concepts and you can set the timeout of them separately (by default they are both 30 minutes) The reason why your combined url get expired is because you were using authenticationToken to generate the url, the token expired in 30 minutes that why the url is no longer valid. To avoid this, you have two options: either increase your authentication token expiry timeout(which I won't recommend) or you can directly generate a signing url to get access to signing ceremony. 2.Signing Url In .Net SDK, you can generate signing url directly by this function:

eslClient.PackageService.GetSigningUrl(new PackageId("package id"), "signer id"); // in this case, signer id can't be replaced by email

as commented, in this case, you can't input email as signer id in this function due to the SDK design. So I guess a custom ID to synchronize role id and signer id is a MUST if you want to use this function. The signing url looks like this:

Signing url: https://sandbox.esignlive.com/auth?target=https%3A%2F%2Fsandbox.esignlive.com%2Ftransaction%2F0q5SoDJjyLpD3wspCHTlZlQkTCk%3D%2Fsign&loginToken=UXNpazRSN3NQRGJ0Y0dwT3ZYTEQrd2ppSWlLMlR3SzI2ZzFQQ3k1ckVzQUJ2NkJxSkc0NVRDcmRiekozdUEvdmdhUlN4R2FRekdMMkdOcGV3OWJrZFd4VFluSkNPVWN4ZDBrMFRFTnVObEl6YlVGcVVEZzFjMFpoUmxGTVpEbHpkVVJKYUZNemRYWk9ZMlpVZURZMWMzTnJjVU16UVVsRGRqaFpSalpQTjNxY0wxOGpWc2JENU1vQ2JLZVZiM2FNYVlJLy9HaTdLemFnMWY1VHAzT3padz09

As you can noticed, signing url used a "loginToken" to combine the link. So what's different? #1, this link won't expire, you can simply understand it's the same link as the one you get from email notification OneSpan Sign will send to signers. #2, only through this link, authentication method validating signer will be available. On the other hand, if you get access from the url combined by authentication token, you won't have this authentication process. 3. Session Expiry during signing ceremony As we discussed above, your session expiry is different from your authentication token expiry. There're two sessions available, sender session and signer session. For Sender session timeout, it's to control the idle time when you operating as a sender at the Web UI Dashboard or when you in the Designer UI. For Signer session timeout, it's to control the time when signer doing the signing ceremony, they will get a expired error message as the attachment shows(and the connection session will get expired) of no activity to prevent too long time idle connection. To get back to the connection, they can simply refresh the page to recover the session. But in the iFrame scenario, you need to handle this because once signer receive this error, if they directly refresh the page, they will get reconnected, but if they do some other operations like click buttons or browse forward document, they will trigger the redirect url and take control from your parent window. So you can refer to my blog to have this issue handled. Hope this could help! Duo

Hi nehme, Can you share the SDK function you are using to generate this session token? As per our guidance: An authentication token is used to obtain a valid session for a particular user of the system. There're four kinds of authentication tokens: userAuthToken, senderAuthToken, signerAuthToken and singleUseSignerAuthToken. And among these tokens, all of them are single-use except signerAuthToken. So it's highly possible that your token is just for single use and that's why after that you receive an "authentication token has expired" error. Hope this could help you! Duo

Hello Duo, I am using CreateSignerAuthenticationToken to create the URL. Thanks, Nehme

Hi nehme, In this case, tokens generated by "CreateSignerAuthenticationToken()" are for multiple use. And from my test, it works at my side. So can you provide with your package ID? And is there anything special about this package? If so, can you try a most common package and generate token again? Duo

Hello Duo, This is the packageId : qO-AotBeQim7fLffwhOzXQCP9qo= Thanks, Nehme

Hi nehme, Just few more questions for you. Can you get access through the combined link immediately after you generate the signer authentication token? And have you modified your session expiry timeout in your account level? Because authentication token shares the session expiry timeout in your account setting, by default it's a 30 minutes. And can you also have a try onCreateSignerAuthenticationTokenForSingleUse() function? Duo

Hello Duo, Yes I was able to access other generated URLs directly after generating them and access them in iFrame. I can not use CreateSignerAuthenticationTokenForSingleUse(), because if in a problem case the client close the browser, so I will be able to send him the already generated link again. Where I can check the session expiry timeout in your account setting in sandbox portal? Thanks, Nehme

Hi nehme, That's a setting in our backend system, you can check it by contacting our support team at [email protected]. So does it boil down into that, you want to handle the situation when your signing session is expired? Because I just made a blog about this: Session Expiry in an iFrame, where you can find out how to notify your parent window and let your program take control of the workflow. Hope this could help! Duo

Hello Duo, Thanks for your answer. I will check it and get back to you. I am currently using esl.sdk.net.11.15, is it a good idea to upgrade to esl.sdk.net.11.19? What is the new features added in esl.sdk.net.11.19? Where I can find the release note for esl.sdk.net.11.19? Thanks, Nehme

Hi nehme, Here's the release note. The main new added features in recent few releases are: enforce Siganture at approval level, optional signature, etc. And yes, it's always recommended to upgrade to the latest SDK version to avoid missing any new added features. Hope this could help! Duo

Hello Duo, Just clarification, so after the 30 minutes the sign URL will expire? So what is the solutions? I have an example, suppose the client I generate the sign URl inside iFrame, the client kept the iFrame open for more than 30 minutes whichout signing, so what is the best solution to avoid this situation. Becuase while generating the sign url, I inject many fields so it is a complex process to regenerate the URL again, What is the best practice in this case. Thanks Nehme

Hi Duo, Thanks for your detailed post. It is perfect for me, I am using now this eslClient.PackageService.GetSigningUrl(new PackageId("package id"), "signer id"); . Thanks again for all the support :):) Nehme

No worries and always welcome to raise questions! :)