将Google帐户登录限制为指定的Apps域 [英] Restrict Google account logins to a specified Apps domain

问题描述

如何让用户使用其Google帐户登录到我的Web应用程序，并验证他们是否从某个Google Apps域登录?

How can I let users log in to my web app with their Google account, and verify that they logged in from a certain Google Apps domain?

hd 参数到Google授权服务中，确保只有选定的域可以用于登录?

Does the hd parameter to the Google Authorization service ensure that only the selected domain can be used to login?

或者我可以获取登录用户的电子邮件并验证其以"@ domain.com"结尾吗?这似乎不是一个好主意.

Or can I get the logged in user's email and verify that it ends with "@domain.com"? This doesn't seem like such a good idea.

登录后，我还需要访问用户的Google联系人，根据文档，该联系人需要

After login I also need to access the users' Google Contacts, which according to the documentation requires AuthSub proxy authentication.

推荐答案

看看其他建议的OpenID文档.简而言之，您需要根据用户的域名将用户重定向到自定义登录网址-也就是说，您需要在重定向(即hd参数)之前先找到其域名，这实际上会强制登录到指定的域

Have a look at the OpenID docs others suggested. In brief, you need to redirect the user to a custom login URL based on their domain name - i.e. you need to find out their domain name before you redirect i.e. your hd parameter, which indeed forces login to the specified domain

支持Google Apps域的SSO也是必需的，在该域中，用户的身份验证不是由Google处理，而是由第三方服务处理.

This is also needed to support SSO for Google Apps domains, where the authentication for the user isn't handled by Google but by a third party service.

一旦获得身份验证信息，请确保检查openID提供程序，而不仅仅是电子邮件地址域名.

Make sure you check the openID provider, not just the email address domain name, once you do get the auth info.

这篇关于将Google帐户登录限制为指定的Apps域的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！