by fyjvd90 2702 days ago
OAuth is going to be hard to use if you don’t create an account though; there’s no way for DS to know what scopes to restrict the user to. It sounds like that was the core issue that broke their workflow.

I think it is very unclear what is real and not real. OP is mostly passing blame to DocuSign without achieving full understanding themselves. That is more an indictment on OP than DocuSign even if there is some actual session security problem with DocuSign (likely from the deprecated API).
>>I think it is very unclear what is real and not real. OP is mostly passing blame to DocuSign without achieving full understanding themselves.

To be fair, it is difficult to achieve "full understanding" with such garbage documentation as DocuSign's.

Yeah and it sounds like they were trying to do something that makes no sense for DocuSign to support: use a single account to sign all users’ documents.

DocuSign has a legal obligation here to prove authenticity, how are they ever going to be able to do that if everything is behind a single account?

They support OAuth and that makes sense and should be the way to do it.

DocuSign should've recognized this and let them know the flaws in their plan, but in my experience they're _way_ too sales-oriented to ever do this.

I had a similar experience. I explored their API and got stuck on how to implement my use-case and how to ensure it's legally binding. Sales and "technical" resources assured me it was possible, didn't explain how, and everyone balked at any sort of legal questions and basically told me that was all on us to sort out.

I decided I didn't need help creating a box for users to scribble on. E-signature isn't a technical challenge at all.

>DocuSign has a legal obligation here to prove authenticity, how are they ever going to be able to do that if everything is behind a single account?

By the signature.

I don't know how it works in DocuSign's internals, but there's no requirement for the signer to have an account. The point of the account is for users to see all of their documents in one place. In OP's case that's everyone's documents because they use a single account.

https://support.docusign.com/articles/How-do-I-sign-a-DocuSi...

Yep. I just signed things via DocuSign 2 weeks ago. There was no 'create an account' first. IIRC, there was something at the end indicating I could create an account after the doc was signed, but I got a copy via email anyway, which was all I needed. The last thing I need is yet another account/login for what is essentially a one-time thing.