问题
Currently using the OAuth server side one-time-code flow, discussed here: https://developers.google.com/+/web/signin/server-side-flow
Works perfectly for google login.
I want the ability, though, to limit this login to only work for users that belong to a specific apps domain.
Is there any way to enforce this through the api?
OR am I limited to only doing this on my end after google authentication by regexing the email domain? (I would like to avoid this).
Thanks!
回答1:
There is no support for doing this through Google login. We could allow a developer to set some restrictions on the client id if there are good use cases and a lot of developers would benefit with it. The primary issue I see with is the error message that we have to display to the user. It is better to display that error (and explain) on your site.
In general, as a good practice, you would always want to do the checks on your system/services regarding the authorized user (e.g. check domain)
回答2:
The only way I can see to do this on the API is to use the fully server side flow (OpenID Connect).
The docs are here: https://developers.google.com/accounts/docs/OpenIDConnect
With the parameter of interest here: https://developers.google.com/accounts/docs/OpenIDConnect#hd-param
It doesn't appear to be possible with the server side one time code flow
来源:https://stackoverflow.com/questions/26141682/restrict-google-sign-in-to-specific-apps-domain