如何限制OpenID登录到GAE上的一个Google Apps域(再次) [英] How to restrict OpenID login to one Google Apps Domain on GAE (again)
问题描述
我想限制使用Google App Engine上运行的Python应用程序登录到使用OpenID的特定Google Apps域的成员。根据 b
apps-domain>如何限制谷歌联合登录到特定的应用程序域?
这可以通过简单地替换普通的谷歌openid认证url来完成
https://www.google.com/accounts/o8/
with
GAE for Python中的users.create_login_url()似乎不起作用。它引发了一个500服务器错误,在谷歌应用程序引擎日志中没有显示(日志只显示重定向和来自logging.debug的OpenID)。
任何人有任何建议如何解决这个问题?
app.yaml
应用程序:示例
版本:1
运行时:python27
api_version:1
线程安全:是
处理程序:
- url: / _ah / login_required
脚本:main.app
- url:。*
脚本:main.app
登录名:required
$ b main.py:
import webapp2,从google.appengine.api记录
导入用户
#任何Google帐户,都像一个魅力
#federated_identity ='https://www.google.com/ accounts / o8 / id'
#只在特定域名下的帐户,不起作用
federated_identity ='https://google.com/accounts/o8/site-xrds?hd = example .com'
dest_url ='http://example.appspot.com/'
class Main(webapp2.RequestHandler):
def get(self):
logging.debug('Main')
user = users.get_current_user()
if user:
self.response.out.write('Hello%s< p> [< a href =%s>注销< / a>'%(user.email(),
users。 create_logout_url(self.request.uri)))
else:
self.response.out.write('Not logged in')
class OpenID(webapp2.RequestHandler):
def get(self):
logging.debug('OpenID')
login_url = users.create_login_url(dest_url = dest_url,
federated_identity = federated_identity)
self。重定向(login_url)
app = webapp2.WSGIApplication([
('/ _ah / login_required',OpenID),
('/',Main)
] ,debug = True)
更新
Sebastian表明解决方案可能是对联合身份进行网址编码。我试图按照建议对整个网址进行网址编码,或者只使用问号。不幸的是这并没有改变任何东西
浏览器地址栏中显示的重定向网址或者写入日志:
解决方案我想(我自己没有测试过),问题是因为fe derated_identity不被编码。尝试用%3F 替换问号。还请确保url
https://google.com/accounts/o8/site-xrds?hd=example.com
有效。
是要去的网址
http://testsk2012.appspot.com/_ah/login_redir?claimid=http:// www.google.com/accounts/o8/site-xrds%3Fhd=somesite.com&continue=http://testsk2012.appspot.com/
并成功。
I want to restrict login to a python application running on Google App Engine to members of a particular Google Apps Domain using OpenID.
According to the thread How limit Google Federated Login to specific Apps domain?
this could be accomplished by simply substitution the ordinary google openid autentication url
with
This does however not seem to work using users.create_login_url() in GAE for Python. It throws a 500 server error that is not shown in the google app engine log (the log only shows the redirect and the "OpenID" from logging.debug).
Does anyone have any suggestions on how to fix this?
app.yaml
application: example
version: 1
runtime: python27
api_version: 1
threadsafe: yes
handlers:
- url: /_ah/login_required
script: main.app
- url: .*
script: main.app
login: required
main.py:
import webapp2, logging
from google.appengine.api import users
# Any google account, works like a charm
#federated_identity='https://www.google.com/accounts/o8/id'
# only accounts under spefific domain, does not work
federated_identity='https://google.com/accounts/o8/site-xrds?hd=example.com'
dest_url = 'http://example.appspot.com/'
class Main(webapp2.RequestHandler):
def get(self):
logging.debug('Main')
user = users.get_current_user()
if user:
self.response.out.write('Hello %s<p>[<a href="%s">log out</a>]' % (user.email(),
users.create_logout_url(self.request.uri)))
else:
self.response.out.write('Not logged in')
class OpenID(webapp2.RequestHandler):
def get(self):
logging.debug('OpenID')
login_url = users.create_login_url(dest_url=dest_url,
federated_identity=federated_identity)
self.redirect(login_url)
app = webapp2.WSGIApplication([
('/_ah/login_required', OpenID),
('/', Main)
], debug=True)
Update
Sebastian suggests that a solution might be to url encode the federated identity. I tried url encoding the whole url or only the question mark as suggested. Unfortunately this does not change anything.
The redirect urls as shown in the browser address bar or if written to log:
No url encoding:
http://example.appspot.com/_ah/login_redir?claimid=https://google.com/accounts/o8/site-xrds?hd=example.com&continue=http://example.appspot.com/
With url encoding:
http://example.appspot.com/_ah/login_redir?claimid=https%3A%2F%2Fgoogle.com%2Faccounts%2Fo8%2Fsite-xrds%3Fhd%3Dexample.com&continue=http://example.appspot.com/
解决方案 I think (I haven't tested this myself) that the issue is because the federated_identity is not encoded. Try replacing the question mark with %3F. Also make sure the url
https://google.com/accounts/o8/site-xrds?hd=example.com
works.
The test I did was to go to the url
http://testsk2012.appspot.com/_ah/login_redir?claimid=https://www.google.com/accounts/o8/site-xrds%3Fhd=somesite.com&continue=http://testsk2012.appspot.com/
and it succeeded.
这篇关于如何限制OpenID登录到GAE上的一个Google Apps域(再次)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
