DocuSign integrated login fails when MFA is enabled


Background: Our application has included DocuSign integration for many years. We support integrated login in which we direct the user to the DocuSign login page, which authenticates and then redirects back to our web application, giving our application the ability to make calls to the DocuSign API on the user's behalf.

We register each customer's redirect URL on the Admin page for our API application. Unless registered, an error is generated: The redirect URI is not registered properly with DocuSign.

The Issue

Today we discovered that, when MFA (multifactor authentication) is enabled in the customer's DocuSign account, the same "redirect URI is not registered" error occurs. This occurs after the initial login/password prompt when MFA is invoked.

We can see the reason.

Without (before) MFA, a URL like this is created: https://account-d.docusign.com/oauth/auth?response_type=code&prompt=login&scope=signature%20impersonation&client_id=****&redirect_uri=https://customershostname.com/EclipseServer/DocuSignHandlers/DocuSignAuthenticationHandler.ashx

But after MFA, we see this URL, which produces the error. https://account-d.docusign.com/oauth/auth?response_type=code&prompt=login&scope=signature%20impersonation&client_id=****&redirect_uri=https%3A%2F%2Fcustomershostname.com%2FEclipseServer%2FDocuSignHandlers%2FDocuSignAuthenticationHandler.ashx

Note that the slashes in the redirect_uri have been encoded.

Do we need to add the encoded values to our registered URLs?
Shouldn't DocuSign "figure this out" and compare the decoded URL?

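A diagnostic for the two URLs quoted in the question, added here as an example; it is not part of the original post and not DocuSign's code. It assumes an authorization server that form-decodes the query string once and then exact-matches `redirect_uri` against the registered list, and it also flags a value that was percent-encoded twice (the function names and `CLIENT_ID_PLACEHOLDER` are hypothetical).

```python
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

AUTH_ENDPOINT = "https://account-d.docusign.com/oauth/auth"
# Redirect URI from the question, treated here as the registered value.
REDIRECT = ("https://customershostname.com/EclipseServer/"
            "DocuSignHandlers/DocuSignAuthenticationHandler.ashx")
REGISTERED = {REDIRECT}
# The two URL shapes quoted in the question (client_id masked as on the page).
PREFIX = (AUTH_ENDPOINT + "?response_type=code&prompt=login"
          "&scope=signature%20impersonation&client_id=****&redirect_uri=")
URL_BEFORE_MFA = PREFIX + REDIRECT
URL_AFTER_MFA = PREFIX + quote(REDIRECT, safe="")


def received_redirect_uri(auth_url):
    """Return redirect_uri as seen after one round of form decoding."""
    values = parse_qs(urlsplit(auth_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]


def classify(auth_url, registered=REGISTERED):
    """Exact-match the decoded value; flag a value that was encoded twice."""
    value = received_redirect_uri(auth_url)
    if value in registered:
        return "match"
    if unquote(value) in registered:
        return "double-encoded"
    return "unregistered"


def build_auth_url(client_id, redirect_uri, scope="signature impersonation"):
    """Encode every parameter exactly once (urlencode passes safe='')."""
    params = {"response_type": "code", "prompt": "login", "scope": scope,
              "client_id": client_id, "redirect_uri": redirect_uri}
    return AUTH_ENDPOINT + "?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    for label, url in [("before MFA", URL_BEFORE_MFA), ("after MFA", URL_AFTER_MFA)]:
        print(label, "->", classify(url))
    twice = build_auth_url("CLIENT_ID_PLACEHOLDER", quote(REDIRECT, safe=""))
    print("encoded twice ->", classify(twice))
```

Under that assumption both quoted URLs carry the same `redirect_uri` after decoding, so a captured request that classifies as `double-encoded` or `unregistered` is the one worth comparing against the registered list.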