Authentication for App Engine by domain


Brian Naughton

Aug 29, 2017, 7:14:31 PM
to Google App Engine
Hi all,
I have a simple internal website running on App Engine that is only supposed to be available to people in my organization. 

To do this, under App Engine settings I set "Google Authentication" to "Google Apps Domain" and set that to mydomain.com.
Then on the main App Engine settings page it shows "Referrers" as "Google Apps domain: mydomain.com".

This seemed to work well. If you go to that page from any browser, it asks for your login to @mydomain.com and refuses logins from other (Google) domains like @gmail.com.

When I am using Chrome, I use two personas: a @mydomain.com email/persona and my personal @gmail.com email/persona.
However, if I am logged in as my regular Gmail account, I can access the @mydomain App Engine site!
I cannot access it from an incognito window, nor from Safari (which is only logged into my @gmail), nor from Firefox.

The App Engine site is accessed via an appspot.com address and set to secure:always in app.yaml, so it is https, but it is not served from https://mydomain.com.

This seems like strange behavior. Does anyone know why this would happen? It is making me concerned about the accessibility of the site to people outside the organization.

Thanks,
Brian

Kenworth (Google Cloud Platform)

Aug 29, 2017, 11:34:40 PM
to Google App Engine
1. It is possible that you were still logged in to @mydomain.com while you were using @gmail.com when you were trying to access the @mydomain GAE site.

2. The incognito mode test that you made was a good idea. Clearing browser sessions and/or cookies works, too. And to make sure that your test environment is not tainted, I recommend testing the access of @gmail.com on a completely separate computer.

3. To use custom domains with HTTPS, you must first activate and configure SSL for App Engine with your domain. I also found this similar thread on StackOverflow.

If the above does not mitigate your issue, I highly encourage you to submit a defect report as described in this article so that proper attention will be given to it. You can also refer to this thread, if required.

Brian Naughton

Aug 30, 2017, 8:41:17 AM
to Google App Engine
Thanks Kenworth! It turned out that my @gmail persona was also logged into @mydomain, separately from the Chrome "Person". This was what I assumed had somehow happened based on my tests. Still, it was pretty unclear how to see what my login status was. I assumed you'd have one Google login at a time...

As another example, my colleague's phone is logged into both (I am assuming), but without their knowledge, and they assumed it was a security problem (since they are not logged into @mydomain's Gmail as far as they can see and don't remember logging in on their phone).

3. Yep, thanks. I haven't done this simply because I don't have a process (that I want to manage) for keeping the cert up to date.
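The thread's root cause is that more than one Google session can be active in one browser, so which account the console's "Google Apps domain" setting is evaluating is not visible to the user. An added example, not code from the thread or from Google: a server-side check that enforces the domain in the handler itself and tells the caller which account is signed in. It assumes the App Engine standard runtime exposes the signed-in address as `USER_EMAIL` in the WSGI environ (as the Python 2 runtime did with `login: required`); `mydomain.com` and the sample addresses are constructed placeholders.

```python
# Added example: enforce the allowed Google Apps domain in the application,
# independent of the console "Referrers" setting, and make the active account
# visible in the response. Not from the original thread.
ALLOWED_DOMAIN = "mydomain.com"  # constructed placeholder, as in the thread


def account_domain(email):
    """Return the lower-cased domain of an address, or None if malformed."""
    if not email or email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")  # tolerate a trailing dot
    if not local or not domain:
        return None
    return domain


def authorize(email, allowed_domain=ALLOWED_DOMAIN):
    """Return (allowed, reason). Exact domain match only: subdomains and
    lookalikes such as mydomain.com.example are rejected, not prefix-matched."""
    if email is None:
        return (False, "no Google account signed in")
    domain = account_domain(email)
    if domain is None:
        return (False, "malformed address")
    if domain != allowed_domain.lower():
        return (False, "account %s is not in %s" % (email, allowed_domain))
    return (True, "signed in as %s" % email)


def app(environ, start_response):
    """Minimal WSGI handler: 403 for accounts outside the domain, and the
    signed-in address in the body so users can see which session is active.
    USER_EMAIL in environ is an assumption about the App Engine runtime."""
    allowed, reason = authorize(environ.get("USER_EMAIL") or None)
    status = "200 OK" if allowed else "403 Forbidden"
    start_response(status, [("Content-Type", "text/plain; charset=utf-8")])
    return [reason.encode("utf-8")]


def call_as(email):
    """Invoke the handler as a given account; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"USER_EMAIL": email} if email else {}
    body = b"".join(app(environ, start_response))
    return captured["status"], body
```

Run through `wsgiref.simple_server` locally to try it; on App Engine the same check goes at the top of each protected handler.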