使用 Node Passport 和 Google Auth 限制登录到特定域 [英] Restrict login to specific domain using Node Passport with Google Auth
问题描述
我正在工作的内部服务上实施 Google 身份验证.它是一个带有 Node 后端的 JS 客户端应用程序.我选择使用带有passport-google-oauth 策略的Node 模块Passport.js.
我已经成功地让它工作了,但有一件事仍然让我感到困惑.我想确保我的应用程序只允许公司员工登录.我了解您可以使用名为hd"的参数限制按域登录,根据官方文档.
首先,在 Passport.js 的上下文中,您将该参数发送到何处?我只是不明白代码放在哪里.如果有帮助,我一直在关注示例passport-google-oauth提供.
其次,理论上这一切是如何运作的?是否在 Google 方面,他们拒绝任何试图使用我们公司以外的域访问该应用程序的人.还是在我这边,我需要检查用户从哪个域登录?
举个例子:
//首先确保您可以访问登录路由上的正确范围app.get(/登录",passport.authenticate(谷歌",{范围:[个人资料",电子邮件"]}));//在别处设置您的 Google OAuth 策略...护照.使用(新的谷歌策略({客户ID:某事",客户秘密:某事",回调网址:/某事"},功能(令牌,刷新令牌,配置文件,完成){if(profile._json.hd === "yourdomain.com"){//在数据库等中查找或创建用户User.find({ id: profile.id }).done(done);}别的{//失败完成(新错误(无效的主机域"));}});
为了更好地衡量,这里有一个完整的变量转储profile"变量的样子.
<预><代码>{提供者:谷歌",id: '12345678987654321',displayName: '唐德雷珀',姓名:{familyName:'惠特曼',givenName:'理查德'},电子邮件:[{值:'don@scdp.com'}],_raw: '一堆字符串化的 json',_json:{id: '123456789',电子邮件:'something@something.com',已验证电子邮件:真实,名称:'唐德雷珀',given_name: '唐',family_name: '德雷珀',链接:'https://plus.google.com/123456789',图片:'https://lh3.googleusercontent.com/XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAA/123456789/photo.jpg',性别:'男',语言环境: 'en',高清:'yourdomain.com'}}这里有一些详细的教程,可以回答您关于所有这些背后的理论的问题.你会想要两者的结合.
I am implementing Google Auth on an internal service at work. It is a JS client heavy application with a Node backend. I am choosing to use the Node module Passport.js with the passport-google-oauth strategy.
I have successfully got it working but one thing is still confusing me. I want to ensure my application allows only company employees to login. I understand that you can restrict the login by domain using a parameter called "hd", according to the official documentation.
Firstly, where do you send that parameter in the context of Passport.js? I just don't understand where in the code that is put. If it helps, I have been mostly following the example passport-google-oauth provides.
Secondly, in theory how does this all work? Is it on the Google side, where they reject anyone trying to access the app with a domain outside of our company. Or is it on my side, that I need to check what domain the user is logging in from?
Here's an example:
// first make sure you have access to the proper scope on your login route
app.get("/login", passport.authenticate("google", {
scope: ["profile", "email"]
}));
// set up your Google OAuth strategy elsewhere...
passport.use(new GoogleStrategy({
clientID: "something",
clientSecret: "something",
callbackURL: "/something"
}, function(token, refreshToken, profile, done){
if(profile._json.hd === "yourdomain.com"){
// find or create user in database, etc
User.find({ id: profile.id }).done(done);
}else{
// fail
done(new Error("Invalid host domain"));
}
});
And for good measure here's a full variable dump of what the "profile" variable looks like.
{
provider: 'google',
id: '12345678987654321',
displayName: 'Don Draper',
name: { familyName: 'Whitman', givenName: 'Richard' },
emails: [ { value: 'don@scdp.com' } ],
_raw: 'a bunch of stringified json',
_json: {
id: '123456789',
email: 'something@something.com',
verified_email: true,
name: 'Don Draper',
given_name: 'Don',
family_name: 'Draper',
link: 'https://plus.google.com/123456789',
picture: 'https://lh3.googleusercontent.com/XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/123456789/photo.jpg',
gender: 'male',
locale: 'en',
hd: 'yourdomain.com'
}
}
Here are some detailed tutorials that should answer your question about the theory behind all of this. You'll want some combination of the two.
这篇关于使用 Node Passport 和 Google Auth 限制登录到特定域的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!