使用 Google OAuth2.0 将登录电子邮件限制为特定域名 [英] Restrict Login Email with Google OAuth2.0 to Specific Domain Name

问题描述

我似乎找不到任何关于如何限制登录到我的网络应用程序(使用 OAuth2.0 和 Google API)以仅接受来自具有特定域名或一组电子邮件地址的用户的身份验证请求的文档域名.我想加入白名单而不是黑名单.

I can't seem to find any documentation on how to restrict the login to my web application (which uses OAuth2.0 and Google APIs) to only accept authentication requests from users with an email on a specific domain name or set of domain names. I would like to whitelist as opposed to blacklist.

有没有人有关于如何执行此操作的建议、有关官方接受的执行方法的文档或简单、安全的解决方法?

Does anyone have suggestions on how to do this, documentation on the officially accepted method of doing so, or an easy, secure work around?

作为记录，在用户尝试通过 Google 的 OAuth 身份验证登录之前，我不知道有关用户的任何信息.我收到的只是基本的用户信息和电子邮件.

For the record, I do not know any info about the user until they attempt to log in through Google's OAuth authentication. All I receive back is the basic user info and email.

推荐答案

所以我有一个答案给你.在 oauth 请求中，您可以添加hd=domain.com"，它将限制对该域中的用户进行身份验证(我不知道您是否可以进行多个域).您可以在此处

So I've got an answer for you. In the oauth request you can add "hd=domain.com" and it will restrict authentication to users from that domain (I don't know if you can do multiple domains). You can find hd parameter documented here

我正在使用这里的 google api 库:http://code.google.com/p/google-api-php-client/wiki/OAuth2 所以我不得不手动编辑/auth/apiOAuth2.php 文件:

I'm using the google api libraries from here: http://code.google.com/p/google-api-php-client/wiki/OAuth2 so I had to manually edit the /auth/apiOAuth2.php file to this:

public function createAuthUrl($scope) {
    $params = array(
        'response_type=code',
        'redirect_uri=' . urlencode($this->redirectUri),
        'client_id=' . urlencode($this->clientId),
        'scope=' . urlencode($scope),
        'access_type=' . urlencode($this->accessType),
        'approval_prompt=' . urlencode($this->approvalPrompt),
        'hd=domain.com'
    );

    if (isset($this->state)) {
        $params[] = 'state=' . urlencode($this->state);
    }
    $params = implode('&', $params);
    return self::OAUTH2_AUTH_URL . "?$params";
}

我仍在开发这个应用程序并找到了这个，这可能是这个问题的更正确答案.https://developers.google.com/google-apps/profiles/

I'm still working on this app and found this, which may be the more correct answer to this question. https://developers.google.com/google-apps/profiles/

这篇关于使用 Google OAuth2.0 将登录电子邮件限制为特定域名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！