Hi,
We are using PDF forms to submit the whole PDF to our server using the following:
this.submitForm({
    cURL: '{serverURL}',
    cSubmitAs: 'PDF'
})
We need to implement some authentication over this submit form functionality. Is it possible to implement any authentication over this submit?
What kind of authentication, exactly?
We are giving the PDF Forms to the users in our organization. We need to make sure that nobody outside the organization is able to submit the PDF to our server.
Is it possible to implement OAuth2 authentication? If not, then can we add some device information (device account name, Adobe ID, email) along with the submit URL so that we can validate the user?
I suggest you look into using Certificates to make sure only people in your organization access the file, then.
If you want to enforce some kind of authentication you would need to do it on the server-side, though.
Acrobat JavaScript is designed to essentially make this impossible. Consider: someone might download a form from anywhere and submit it, for some apparently harmless activity. It would be very bad if a downloaded "phishing" form could harvest emails, account names, etc. So you cannot pick up any kind of personal info to use in a submission.
I think you need to move towards working on a server that the user has already authenticated to, and using HTML forms, since PDF forms cannot inherit any authentication. The form must be resident on the server because the server would be set up using CORS to forbid submission to it from externally hosted forms.
You cannot implement OAuth with regular PDF submits, but you could do an ad hoc authentication.
Use scripts to perform a submit handshake. When the user presses the submit button, it asks them for credentials (name/password) and submits these to the server. The return data contains a code that either allows the full submit or blocks further processing. This is a somewhat weak protection, since the script could be reverse engineered. But it would keep all but the most motivated from misusing the form. Additional protection could be added by using public key encryption on the return authorization code.
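The server-side half of the handshake described in the last reply, as an added example that is not part of the original thread: the credential check returns a short-lived, single-use code, and the full PDF submit is accepted only if that code verifies. The function names, the 5-minute lifetime and the sample account are assumptions, and the code is protected with an HMAC rather than public key encryption because the same server both issues and checks it.

```javascript
// Added example (Node.js, server side only); not code from the thread.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // server-only key, never embedded in the PDF
const TTL_MS = 5 * 60 * 1000;          // assumed code lifetime: 5 minutes
const used = new Set();                // nonces already redeemed (single use)

// Constructed sample account store: user name -> scrypt hash of the password.
const SALT = crypto.randomBytes(16);
const hashPw = (pw) => crypto.scryptSync(pw, SALT, 32);
const users = new Map([['alice', hashPw('correct horse')]]);

const sign = (payload) =>
  crypto.createHmac('sha256', SECRET).update(payload).digest('hex');

// Step 1: the form sends name/password; the server returns a code, or null to block.
function issueToken(user, password, now = Date.now()) {
  const stored = users.get(user);
  const candidate = hashPw(password); // hashed even for unknown users (uniform timing)
  if (!stored || !crypto.timingSafeEqual(stored, candidate)) return null;
  // '.' is the field separator, so a user name containing '.' fails closed in verifyToken.
  const payload = [user, now + TTL_MS, crypto.randomBytes(12).toString('hex')].join('.');
  return `${payload}.${sign(payload)}`;
}

// Step 2: the full PDF submit carries the code; check it before accepting the upload.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return { ok: false, reason: 'malformed' };
  const [user, expires, nonce, mac] = parts;
  const expected = Buffer.from(sign(`${user}.${expires}.${nonce}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (now > Number(expires)) return { ok: false, reason: 'expired' };
  if (used.has(nonce)) return { ok: false, reason: 'replayed' };
  used.add(nonce);
  return { ok: true, user };
}
```

Because every decision is made on the server with a key the form never sees, reading the form's script yields no way to mint a valid code; a valid name and password are still required.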