Restrict App Engine access to G Suite accounts on custom domain

Problem description

A while ago App Engine-related settings for Google Apps (which is now called G Suite) domains have been moved to the Google Cloud Console.

As of now, the documented way to restrict access to an App Engine instance to users of the associated G Suite is through this Google Cloud Console page:

When you click on in that page, under "Google authentication" you can switch between "Google Accounts API" and "Google Apps domain" (which should actually be called "G Suite domain").

There is an input box below that dropdown, but no explanation what should be input there. Through trial-and-error I have found that it's supposed to be the domain name of the associated G Suite.

In a minimal Hello World app deployed to App Engine, we set the authentication option to:

login: required

Please note that some services of our app are written in Python, others in Java.

Accessing the App Engine instance through the [project-id].appspot.com hostname works just fine, Google will prompt for credentials on the associated G Suite, and redirect appropriately through the authentication process to the target pathname.

The problem is that authentication does not work, at all, when accessing the App Engine instance through a custom domain. This will show a 500, and the server log reads:

Authentication for the Google Apps domain example.com can only be performed when requests are served from a subdomain of that domain or it has been approved through the Google Apps Control Panel. See https://developers.google.com/appengine/articles/auth

The linked page in that error message does not exist anymore, i.e. it has been replaced with a page that describes authentication in general. Lifting that old page from online caches, I can see that it described the old Google Apps way of adding the App Engine project to the Google Apps services page, but as of now this functionality has been removed, or migrated to Google Cloud Console.

For what it's worth, Google support could not offer any assistance beyond pointing me at documentation of the screenshotted pages above.

Is there anyone here who managed to restrict App Engine access to G Suite accounts through a custom domain? Or is this feature just broken?

In particular I'm looking for answers that solve this in the context of Python and/or Java GAE apps, and for code that demonstrates how to solve this programmatically if needed.

Recommended answer

It appears this is a known issue with Google Apps Domain authentication, where the authentication does not work if you enable Google Apps Domain authentication after the domain is added to the 'Custom domains' section of the console.

The workaround is to remove the custom domain mapping from 'Custom domains', and then re-add it after enabling Google Apps Domain authentication for the domain. The documentation page Using Custom Domains and SSL will be updated to reflect this.
