
Limit Google OAuth access to one domain using 'hd' param (Django / python-social-auth)

I'm building an internal webapp for my company to use and want to use our Google Apps domain to manage access from our company domain usernames (example.com for the rest of this question).

I'm using:

Django==1.9.5
python-social-auth==0.2.19
+ dependencies

From reading other SO questions I've discovered the Google "hosted domain" (hd) parameter that can be used via the following setting:

 SOCIAL_AUTH_GOOGLE_OAUTH2_AUTH_EXTRA_ARGUMENTS = {'hd': 'example.com'}

The parameter is being successfully appended to the initial request, I can see it in the URL before granting access.

However, it's not working as I'd expect. I've been able to successfully authenticate with two non-company email addresses.

Am I misunderstanding how the "hd=" parameter works or do I need to also limit access via the app somewhere else on the Google Admin dashboard? Or is it just not supported within the OAuth2 flow?

Thanks in advance for any help.

Phil Sheard asked Jul 25 '16 11:07


1 Answer

I know this is an older posting, but I found it searching for how to add extra url params to the OAuth2. I couldn't figure out how to set the hd parameter.

For your situation, set the whitelist to the domains you want to accept. They will be able to authenticate by adding their non-specified hosted domain account with Google, but will not get logged into your site. They will receive the AuthForbidden exception with message "Your credentials aren't allowed."

To set up the whitelist of domains accepted in your site, add the following to settings.py:

SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS = ['domain.com', 'example.org']

You can also set up a friendlier page so they don't get the default 500 error page:

SOCIAL_AUTH_LOGIN_ERROR_URL = '/authentication_error/'
SOCIAL_AUTH_BACKEND_ERROR_URL = '/authentication_error/'

Update urls.py to have this url point to a view with a nice HTML page rendered to let them know what went wrong.

Furbeenator answered Nov 02 '22 08:11
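Added example (not part of the original question or answer, and not python-social-auth's own code): the `hd` value in the authorization URL only steers Google's account chooser and can be changed by the client, so the domain has to be checked on the server after login. The function below checks both the `hd` claim Google returns and the email domain that the whitelist setting in the answer is based on. The names `domain_allowed`, `ALLOWED_DOMAINS` and `SAMPLES` are hypothetical, and `claims` is assumed to be an ID token payload whose signature, issuer and audience were already verified.

```python
# Added example: server-side check of the Google account's hosted domain.
# Assumption: `claims` is an already-verified ID token payload (or the
# userinfo response fetched with the access token).

ALLOWED_DOMAINS = frozenset({"example.com"})  # constructed sample value


def domain_allowed(claims, allowed=ALLOWED_DOMAINS):
    """Return True only if the account belongs to an allowed hosted domain."""
    allowed = {d.lower() for d in allowed}

    # `hd` is returned only for accounts that belong to a Google-hosted
    # organization; consumer accounts (gmail.com etc.) carry no `hd` claim.
    hd = claims.get("hd")
    if not isinstance(hd, str) or hd.lower() not in allowed:
        return False

    # An unverified address says nothing about who controls the mailbox.
    if claims.get("email_verified") not in (True, "true"):
        return False

    email = claims.get("email")
    if not isinstance(email, str) or email.count("@") != 1:
        return False
    # Compare the exact domain after the '@'. A suffix or substring match
    # would accept "example.com.attacker.test" or "notexample.com".
    return email.rsplit("@", 1)[1].lower() in allowed


# Constructed claims for illustration; none of these are real accounts.
SAMPLES = [
    {"email": "alice@example.com", "email_verified": True, "hd": "example.com"},
    {"email": "bob@gmail.com", "email_verified": True},  # no hd claim
    {"email": "eve@notexample.com", "email_verified": True, "hd": "notexample.com"},
    {"email": "dan@example.com", "email_verified": False, "hd": "example.com"},
]


def evaluate_samples():
    """Map each sample email to the access decision."""
    return {c["email"]: domain_allowed(c) for c in SAMPLES}


if __name__ == "__main__":
    for email, ok in evaluate_samples().items():
        print(f"{email}: {'allowed' if ok else 'forbidden'}")
```
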