django-allauth: Only allow users from a specific google apps domain

Question

I am a newbie at Django. Using django-allauth I have set up single click sign in. I obtained my domain credentials ( client_id and secret_key) from google api console. But the problem is django-allauth is letting me login from any google account while I want the email addresses to be restricted to my domain ( @example.com instead of @gmail.com)

django-social-auth has the white listed domains parameter for this, how do I include this information in allauth? I found django-allauth much easier to set up after spending hours on django-social-auth

Any help would be much appreciated.

Answer 1

Answering my own question-

What you want to do is stall the login after a user has been authenticated by a social account provider and before they can proceed to their profile page. You can do this with the

pre_social_login method of the DefaultSocialAccountAdapter class in allauth/socialaccount/adaptor.py

Invoked just after a user successfully authenticates via a social provider, but before the login is actually processed (and before the pre_social_login signal is emitted). You can use this hook to intervene, e.g. abort the login by raising an ImmediateHttpResponse Why both an adapter hook and the signal? Intervening in e.g. the flow from within a signal handler is bad -- multiple handlers may be active and are executed in undetermined order.

Do something like

from allauth.socialaccount.adaptor import DefaultSocialAccountAdapter

class MySocialAccount(DefaultSocialAccountAdapter):
    def pre_social_login(self, request, sociallogin):
        u = sociallogin.account.user
        if not u.email.split('@')[1] == "example.com"
            raise ImmediateHttpResponse(render_to_response('error.html'))

This is not an exact implementation but something like this works.

Answer 2

Here's an alternate solution:

from allauth.account.adapter import DefaultAccountAdapter
from allauth.socialaccount.adapter import DefaultSocialAccountAdapter

class CustomAccountAdapter(DefaultAccountAdapter):
    def is_open_for_signup(self, request):
        return False # No email/password signups allowed

class CustomSocialAccountAdapter(DefaultSocialAccountAdapter):
    def is_open_for_signup(self, request, sociallogin):
        u = sociallogin.user
        # Optionally, set as staff now as well.
        # This is useful if you are using this for the Django Admin login.
        # Be careful with the staff setting, as some providers don't verify
        # email address, so that could be considered a security flaw.
        #u.is_staff = u.email.split('@')[1] == "customdomain.com"
        return u.email.split('@')[1] == "customdomain.com"

This code can live anywhere, but assuming it's in mysite/adapters.py, you'll also need the following in your settings.py:

ACCOUNT_ADAPTER = 'mysite.adapters.CustomAccountAdapter'
SOCIALACCOUNT_ADAPTER = 'mysite.adapters.CustomSocialAccountAdapter'