OAuth2 limited to specified google apps domains


Sandro Sartori

Aug 10, 2011, 12:15:31 PM
to oauth...@googlegroups.com
Hi,
I'm implementing authentication with OAuth2 in Google App Engine and it works, but I wanna limit access to specified Google Apps domains.
How can I do this?

thanks all
Sandro

Wouter van Vliet / Interpotential

Aug 10, 2011, 5:07:13 PM
to oauth...@googlegroups.com
+1 on this one ;)

I've currently implemented it by fetching the user email after authentication, and checking if the domain matches - but it's not very user friendly.

Would like to see this as a setting on the API console, for example.

Wouter

José Antonio Casillas

Aug 10, 2011, 6:12:38 PM
to oauth...@googlegroups.com
I don't quite understand the question. You are using App Engine as a client of a Google API, which you access using OAuth 2?

And you want to restrict what to a domain? The users that view your web app or the users that you can get data from?

José Antonio.

Wouter van Vliet / Interpotential

Aug 10, 2011, 7:49:02 PM
to oauth...@googlegroups.com
I can't speak for Sandro, but in my case - I'm using OAuth2 to offer
login on a webapp, where access is restricted to members of a domain
linked to Google Apps.

The OpenID(+OAuth) makes it possible to offer the login only for one
Apps domain, and I would like that to also be possible for the OAuth2 flow.

Hope this clears it up.

Wouter


Sandro Sartori

Aug 11, 2011, 3:17:44 AM
to oauth2-dev
Hi,
yes Wouter, this is really what I want to do.
Yours is really a solution for my problem, but it is not the best way, I
think.
I've not tried it, but I suppose it will check the domain after the OAuth2 login,
during the callback.
I think the best way is to pass the domain to the Google OAuth2 API for
checking it before access, but I can't find any way to do this.

thanks all
Sandro


Wouter van Vliet

Aug 11, 2011, 5:43:40 AM
to oauth...@googlegroups.com
Ok, so when going through the code I at some point used for an OpenID+OAuth implementation I figured "why not" and simply tried to add the hd (hosted domain) parameter to the query string params given to the redirect page for the dialog and voila - the interface changed itself to only allowing login to one single Google Apps domain. Full example:


Would anybody be able to answer if this is an undocumented feature that's here to stay?

(ps. My consideration for wanting to use OAuth2 over OpenID+OAuth is simple: much less code)

Sandro Sartori

Aug 11, 2011, 6:27:04 AM
to oauth2-dev
Yeah, this works very well, it solved my problem :)
Thanks a lot

Sandro


Ryan Boyd

Aug 11, 2011, 7:34:58 PM
to oauth...@googlegroups.com
On Thu, Aug 11, 2011 at 2:43 AM, Wouter van Vliet <wou...@interpotential.com> wrote:
> Ok, so when going through the code I at some point used for an OpenID+OAuth implementation I figured "why not" and simply tried to add the hd (hosted domain) parameter to the query string params given to the redirect page for the dialog and voila - the interface changed itself to only allowing login to one single Google Apps domain. Full example:


Note that a user could modify this request to remove the 'hd=' (as it's purely client-side).  So this won't *guarantee* that a specific Google Apps domain was used.  You should still do additional checks once you get a response.

Cheers,
-Ryan
 

> Would anybody be able to answer if this is an undocumented feature that's here to stay?
>
> (ps. My consideration for wanting to use OAuth2 over OpenID+OAuth is simple: much less code)



--
ryan boyd
developer advocate, google apps
twitter: @ryguyrg
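
The approach the thread converges on, as an added example that is not part of the original thread: send `hd` as a UI hint on the authorization request, then enforce the domain server-side in the callback from the identity data returned. The endpoint, scope, profile field names (`email`, `email_verified`), client values and `example.com` are assumptions or constructed samples.

```python
from urllib.parse import urlencode

# Assumed values for illustration; substitute the ones for your own client.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
EMAIL_SCOPE = "https://www.googleapis.com/auth/userinfo.email"
ALLOWED_DOMAINS = frozenset({"example.com"})  # constructed sample domain


def build_auth_url(client_id, redirect_uri, state, hosted_domain):
    """Authorization URL carrying the hd hint.

    hd only changes the login dialog; the user can strip it from the
    request, so it is never treated as an access control by itself.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": EMAIL_SCOPE,
        "state": state,
        "hd": hosted_domain,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def email_domain(email):
    """Lower-cased domain of a well-formed single-@ address, else None."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    if any(ch.isspace() for ch in email):
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def is_allowed_user(profile, allowed=ALLOWED_DOMAINS):
    """Callback-side check: verified email whose domain matches exactly.

    profile is the identity data fetched with the access token; the
    field names used here are assumptions about that response.
    Exact set membership avoids suffix tricks such as
    'example.com.evil.test' or 'notexample.com'.
    """
    if profile.get("email_verified") is not True:
        return False
    domain = email_domain(profile.get("email"))
    return domain is not None and domain in allowed
```
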
