We have a use case in which an Admin can set Google's or Microsoft's app Client Id and Secret that can later be used for all users who sign up with this Admin's link. Is there a way to verify these fields before saving/using them?
For example, for Microsoft, how do I verify this info that the admin is providing? Is there any API call to verify it?
Answer
Update:
I am able to do this for G Suite; what I did was:
1- Create a request to get a token from the client id and secret (with a wrong code).
2- In the response, Google returns 'invalid_client' in case the credentials are wrong and 'invalid_grant' in case the credentials are correct (because the code is wrong too).
```python
import json

import requests
from oauthlib.oauth2 import OAuth2Error, WebApplicationClient

# `settings` is the project's own configuration object; it must provide
# GOOGLE_DISCOVERY_URL and BASE_URL.


def validate_google_credentials(client_id, client_secret):
    """Probe Google's token endpoint with a deliberately wrong authorization code.

    'invalid_grant' means the client authenticated and only the code was rejected,
    'invalid_client' means the id/secret pair itself is wrong.
    """
    try:
        discovery_url = settings.GOOGLE_DISCOVERY_URL
        callback_url = settings.BASE_URL + "/accounts/invite/google/signup/callback/"
        client = WebApplicationClient(client_id)
        identity_provider_config = requests.get(discovery_url).json()
        token_endpoint = identity_provider_config["token_endpoint"]
        token_url, headers, body = client.prepare_token_request(
            token_endpoint,
            redirect_url=callback_url,
            code="code",  # intentionally bogus code; we only want the error type
        )
        token_response = requests.post(
            token_url,
            headers=headers,
            data=body,
            auth=(client_id, client_secret),
        ).json()
        # Parse the tokens! Raises an OAuth2Error when the body carries an "error" field.
        client.parse_request_body_response(json.dumps(token_response))
    except OAuth2Error as error:
        # OAuth2Error.json is a JSON string; its "error" entry is the provider's error code.
        error_code = json.loads(error.json).get("error")
        if error_code == "invalid_grant":
            return "Your credentials are correct"
        if error_code == "invalid_client":
            return "Your credentials are NOT correct"
    # Any other outcome (unexpected error code, or no error at all) is not a pass.
    return "Could not verify the credentials"
```
FOR MICROSOFT: For Microsoft, an additional tenant id is required in order to do this.
We did this in the following way:
```python
import logging

import msal

logger = logging.getLogger(__name__)


class IdpResponseMessages:
    # The project's own message constants; the values are assumed here so the
    # function runs stand-alone.
    VALID_CREDENTIALS = "Your credentials are correct"
    INVALID_CREDENTIALS = "Your credentials are NOT correct"


def validate_azure_credentials(client_id, client_secret, tenant_id):
    """Validate a Microsoft (Azure AD) client id and secret for the given tenant."""
    try:
        app = msal.ConfidentialClientApplication(
            client_id=client_id,
            client_credential=client_secret,
            authority=f"https://login.microsoftonline.com/{tenant_id}",
        )
        # Request a token for a default scope via the client-credentials flow;
        # a wrong id/secret returns an error payload instead of an access token.
        scopes = ["https://vault.azure.net/.default"]
        token = app.acquire_token_for_client(scopes=scopes)
        if token.get("access_token") is None:
            return IdpResponseMessages.INVALID_CREDENTIALS
        return IdpResponseMessages.VALID_CREDENTIALS
    except Exception as error:
        logger.debug(f"Exception {error}")
        return str(error)
```
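The two probes above share one idea: send a request the provider must authenticate, then read the error code rather than assuming success. The following is an added example (not the answerer's code) that makes that logic provider-agnostic and testable offline: the HTTP transport is injectable, responses are classified into valid / invalid / undetermined, and anything that is not clearly one of the two page-described error codes is treated as undetermined so the admin's credentials are not saved on a fluke. The token endpoint URLs, the bogus code value and the `transport` parameter are assumptions of this example; the classification rules are the ones stated in the answer.

```python
"""Probe an OAuth client id/secret against a provider's token endpoint.

Added example, not the answer's own code. Network access is behind an
injectable `transport` so the classification can be exercised offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Well-known token endpoints (assumed here, not taken from the answer).
GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
MS_TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

VALID, INVALID, UNDETERMINED = "valid", "invalid", "undetermined"


def _post_form(url, fields, timeout=10):
    """Default transport: POST a form body and return (status, parsed JSON).

    4xx responses are returned rather than raised, because the provider's
    error code in the body is exactly the signal we want to read.
    """
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        try:
            return exc.code, json.loads(exc.read().decode())
        except json.JSONDecodeError:
            return exc.code, {}


def classify_code_probe(payload):
    """Authorization-code probe (the Google method in the answer).

    A deliberately bogus code makes a correctly authenticated client fail with
    'invalid_grant'; a wrong id/secret fails earlier with 'invalid_client'.
    """
    error = payload.get("error")
    if error == "invalid_grant":
        return VALID
    if error == "invalid_client":
        return INVALID
    return UNDETERMINED  # rate limiting, outage, unexpected body: do not save


def classify_client_credentials(payload):
    """Client-credentials probe (the Microsoft method in the answer)."""
    if payload.get("access_token"):
        return VALID
    if payload.get("error") == "invalid_client":
        return INVALID
    return UNDETERMINED


def probe_google(client_id, client_secret, redirect_uri, transport=_post_form):
    """Send a token request with an intentionally invalid code and classify."""
    _, payload = transport(GOOGLE_TOKEN_ENDPOINT, {
        "grant_type": "authorization_code",
        "code": "probe-not-a-real-code",  # intentionally invalid (assumed value)
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return classify_code_probe(payload)


def probe_microsoft(client_id, client_secret, tenant_id, transport=_post_form):
    """Run the client-credentials flow for the tenant and classify the result."""
    url = MS_TOKEN_ENDPOINT.format(tenant=urllib.parse.quote(tenant_id, safe=""))
    _, payload = transport(url, {
        "grant_type": "client_credentials",
        "scope": "https://vault.azure.net/.default",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return classify_client_credentials(payload)
```

The secret is only ever placed in the request body; it is never logged, and an UNDETERMINED result should block saving rather than be treated as a pass. With the default transport, `probe_google(...)` and `probe_microsoft(...)` hit the real endpoints; passing a fake `transport` lets the same classification run in unit tests with constructed responses.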