Restrict login to specific domain using Node Passport with Google Auth


Question


I am implementing Google Auth on an internal service at work. It is a JS client-heavy application with a Node backend. I am choosing to use the Node module Passport.js with the passport-google-oauth strategy.

I have successfully got it working, but one thing is still confusing me. I want to ensure my application allows only company employees to log in. I understand that you can restrict the login by domain using a parameter called "hd", according to the official documentation.

Firstly, where do you send that parameter in the context of Passport.js? I just don't understand where in the code that is put. If it helps, I have been mostly following the example passport-google-oauth provides.

Secondly, in theory how does this all work? Is it on the Google side, where they reject anyone trying to access the app with a domain outside of our company? Or is it on my side, where I need to check what domain the user is logging in from?

Solution

Here's an example:

const passport = require("passport");
// passport-google-oauth exports both an OAuth 1.0a and an OAuth 2.0 strategy; use OAuth 2.0
const GoogleStrategy = require("passport-google-oauth").OAuth2Strategy;

// first make sure you have access to the proper scope on your login route
app.get("/login", passport.authenticate("google", {
    scope: ["profile", "email"]
}));

// set up your Google OAuth strategy elsewhere...
passport.use(new GoogleStrategy({
    clientID: "something",
    clientSecret: "something",
    callbackURL: "/something"
}, function(accessToken, refreshToken, profile, done){
    // Google only sets `hd` for hosted (Workspace) accounts, so this strict
    // equality also rejects consumer accounts, which carry no hosted domain
    if(profile._json.hd === "yourdomain.com"){
        // find or create user in database, etc
        User.find({ id: profile.id }).done(done);
    }else{
        // fail: any account outside the company domain is refused
        done(new Error("Invalid host domain"));
    }
});

And for good measure here's a full variable dump of what the "profile" variable looks like.

{ 
    provider: 'google',
    id: '12345678987654321',
    displayName: 'Don Draper',
    name: { familyName: 'Whitman', givenName: 'Richard' },
    emails: [ { value: 'don@scdp.com' } ],
    _raw: 'a bunch of stringified json',
    _json: { 
        id: '123456789',
        email: 'something@something.com',
        verified_email: true,
        name: 'Don Draper',
        given_name: 'Don',
        family_name: 'Draper',
        link: 'https://plus.google.com/123456789',
        picture: 'https://lh3.googleusercontent.com/XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/123456789/photo.jpg',
        gender: 'male',
        locale: 'en',
        hd: 'yourdomain.com' 
    } 
}

Here are some detailed tutorials that should answer your question about the theory behind all of this. You'll want some combination of the two.

  1. Local authentication and basic setup
  2. Google authentication
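To make the "which side enforces it" point concrete: Google documents the `hd` request parameter as a hint that pre-filters the account chooser, not an access control, so the server must validate the `hd` claim that comes back in the profile. The following is an added example, not code from the answer or from the passport-google-oauth project. It factors that check into a function the strategy's verify callback can call, rejects profiles with no `hd` claim at all (consumer accounts), and fails with `done(null, false, ...)` so Passport reports an authentication failure rather than a server error. The `findOrCreateUser` helper, the domain list and the three sample profiles are constructed placeholders modelled on the profile dump in the answer.

```javascript
// Added example (not from the original answer): server-side hosted-domain
// enforcement for a Passport Google verify callback. Profile shape follows
// the dump above (profile._json.hd, profile.emails).
const ALLOWED_DOMAINS = ["yourdomain.com"]; // placeholder, not a real domain

function normalizeDomain(d) {
  return String(d).trim().toLowerCase();
}

// Decide whether a Google profile belongs to an allowed hosted domain.
// Returns { ok: true, domain } or { ok: false, reason }.
function checkHostedDomain(profile, allowedDomains = ALLOWED_DOMAINS) {
  const allowed = new Set(allowedDomains.map(normalizeDomain));
  const hd = profile && profile._json ? profile._json.hd : undefined;
  // Consumer (gmail.com) accounts carry no hd claim. The hd *request*
  // parameter only pre-filters Google's account chooser and a user can
  // still pick another account, so a missing claim must be a rejection.
  if (typeof hd !== "string" || hd.length === 0) {
    return { ok: false, reason: "no hosted domain claim (consumer account?)" };
  }
  const domain = normalizeDomain(hd);
  if (!allowed.has(domain)) {
    return { ok: false, reason: "hosted domain " + domain + " not allowed" };
  }
  return { ok: true, domain };
}

// Build the verify callback for `new GoogleStrategy(options, verify)`.
// `findOrCreateUser(profile)` is a hypothetical app-supplied async lookup.
function makeVerify(findOrCreateUser, allowedDomains = ALLOWED_DOMAINS) {
  return function verify(accessToken, refreshToken, profile, done) {
    const result = checkHostedDomain(profile, allowedDomains);
    if (!result.ok) {
      // `false` (rather than an Error) marks an authentication failure, so
      // Passport answers 401 instead of treating it as a server fault.
      return done(null, false, { message: result.reason });
    }
    findOrCreateUser(profile).then(
      (user) => done(null, user),
      (err) => done(err)
    );
  };
}

// Constructed sample profiles, modelled on the dump in the answer.
const WORKSPACE_PROFILE = {
  id: "12345678987654321",
  emails: [{ value: "don@yourdomain.com" }],
  _json: { email: "don@yourdomain.com", verified_email: true, hd: "YourDomain.com" },
};
const CONSUMER_PROFILE = {
  id: "2",
  emails: [{ value: "someone@gmail.com" }],
  _json: { email: "someone@gmail.com", verified_email: true }, // no hd claim
};
const OTHER_ORG_PROFILE = {
  id: "3",
  emails: [{ value: "x@other.example" }],
  _json: { email: "x@other.example", verified_email: true, hd: "other.example" },
};

// Run the check over the three samples; only the Workspace profile passes.
function demo() {
  return [WORKSPACE_PROFILE, CONSUMER_PROFILE, OTHER_ORG_PROFILE].map((p) => ({
    email: p.emails[0].value,
    ...checkHostedDomain(p),
  }));
}
```

Sending `hd` in the authorization request is still worthwhile for usability; passport-google-oauth20 forwards a `hostedDomain`/`hd` option given to `passport.authenticate` (an assumption about that package, not shown on this page; confirm against the version you install). The comparison is case-insensitive because the claim is a DNS name, and the allow-list is a set so several company domains can be accepted without weakening the strict equality the answer uses.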
