DocuSign Authorization Code Grant access token endpoint returning bad request each time

Question

I tried different way to pass header and content but each time getting bad request for getting access token from docusign.

Below is callback web API method which gets called after request to authorization code:

[HttpGet]
 [AllowAnonymous]
 [Route("CallBack")]
 public string Callback()
 {
     string accessToken = "";
     try
     {
         var response = Request.Query;
         if (Request.Query != null && Request.Query.Keys != null && Request.Query.Keys.Count > 0)
         {
             var authorizationCode = Request.Query["code"];

             /*                    
                     Request => POST https://account-d.docusign.com/oauth/token
                     Content-Type: application/x-www-form-urlencoded
                     Header => Authorization: Basic BASE64_COMBINATION_OF_INTEGRATOR_AND_SECRET_KEYS
                     Data => grant_type=authorization_code&authorization_code=YOUR_AUTHORIZATION_CODE
             */

             //Body
             var keyValues = new Dictionary<string, string>();
             keyValues.Add("grant_type", "authorization_code");
             keyValues.Add("authorization_code", authorizationCode);
             var bodyContent = new FormUrlEncodedContent(keyValues);

             //Header
             //Content-Type: application/x-www-form-urlencoded
             //Authorization: Basic BASE64_COMBINATION_OF_INTEGRATOR_AND_SECRET_KEYS 
             string base64Decoded = configuration.IntegrationKey + ":" + configuration.SecretKey;
             string base64Encoded;
             byte[] data = System.Text.ASCIIEncoding.ASCII.GetBytes(base64Decoded);
             base64Encoded = System.Convert.ToBase64String(data);

             var client = new System.Net.Http.HttpClient();
             client.BaseAddress = new Uri("https://account-d.docusign.com");
             var request = new System.Net.Http.HttpRequestMessage(HttpMethod.Post, "https://account-d.docusign.com/oauth/token");
             request.Content = bodyContent;

             request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded");
             request.Headers.Authorization = new AuthenticationHeaderValue("Basic", base64Encoded);

             var accessTokenresponse = client.SendAsync(request).Result;

             //Set access token
             //accessToken
         }
     }
     catch (Exception ex)
     {

     }

     return accessToken;
 }

Answer 1

Some ideas for you:

1. Best is to use an OAuth2 client library. This is highly recommended by InfoSec experts and by DocuSign too.
2. If you've decided to roll your own implementation: try out the OAuth2 flow via Postman or a similar tool to be sure you understand exactly how the flow works.
3. Remember that the authorization code is time limited. You need to exchange it for an access token within a minute or so (maybe less, I don't have the exact data).
4. Use wireshark or similar to see exactly what you're sending to DocuSign.
5. Important InfoSec issue: send a nonce value in the state parameter and then check that it's the same when you get the first response from DocuSign.