MVC4/ Google OpenID limit to specific Google Apps Domain(s)

I created a new MVC4/.NET4.5 project and enabled Google OpenID. This worked, shockingly easily.

My company has "gone google" and our domains/ employee identities are in the Google Apps webspace.

How can I allow only our Google Apps domains to authenticate to my new website? I'm hoping it's a simple thing like the authentication piece was.

Here is some additional information:

  • I literally created a default web application and enabled the Google Authentication piece. I could not believe how simple it was to validate against Google.
  • My company has literally hundreds of email domains, all rolled up under one email domain "umbrella". For example, my company's corporate email domain name is "foo.com", but under this we have "x.foo.com", "bar.com", and "yomommasougly.net". All of these are part of the "foo.com" Google Apps domain.
  • The ultimate goal is, a description of what needs to be done (and where) to take this default application and restrict it to all domains under the "foo.com" domain.
  • With hundreds of domains, and more being added all the time, it is not practical to specify every domain explicitly.
Jeremy Holovacs asked Apr 23 '13 17:04


1 Answer

Assuming you're using DotNetOpenAuth, check out the authentication code for the Stack Exchange Data Explorer.

Essentially, you just ask for the e-mail address with your request:

request.AddExtension(
    new ClaimsRequest
    {
        Email = DemandLevel.Require,
    }
);

Then check the returned address against your domain whitelist (I'm assuming you're already only accepting Google OpenIDs):

var sreg = response.GetExtension<ClaimsResponse>();
// GetExtension returns null when the OP sent no ClaimsResponse, so guard before reading Email
if (sreg == null || !HasWhiteListedDomain(sreg.Email)) {
    // Fail Here
}

Note that these bits of code need to be added to your Web.config to get the exact code for fetching the e-mail above working:

  <configSections>
    <section name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection" requirePermission="false" allowLocation="true" />
  </configSections>
  <dotNetOpenAuth>
    <openid>
      <relyingParty>
        <behaviors>
          <!-- The following OPTIONAL behavior allows RPs to use SREG only, but be compatible
                    with OPs that use Attribute Exchange (in various formats). -->
          <add type="DotNetOpenAuth.OpenId.Behaviors.AXFetchAsSregTransform, DotNetOpenAuth" />
        </behaviors>
      </relyingParty>
    </openid>
  </dotNetOpenAuth>

Edit:

If using OAuthWebSecurity, getting the e-mail will just look something like this:

var userDataFromProvider = result.ExtraData;
var email = userDataFromProvider["email"];


Kevin Stricker answered Nov 02 '22 14:11
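One way to implement the HasWhiteListedDomain check the answer calls, written here as an added example rather than code from the answer or from DotNetOpenAuth. It assumes you maintain the list of allowed apex domains yourself ("foo.com" and "bar.com" from the question are placeholders) and, like the answer, that the OpenID identifier has already been confirmed to come from Google, since the e-mail attribute is only as trustworthy as the provider that asserted it:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: domain whitelist for the e-mail returned by the OpenID provider.
// A naive host.EndsWith("foo.com") would also accept "notfoo.com", so the match
// is done label-wise (exact apex, or ".apex" as a suffix).
public static class DomainWhitelist
{
    // Apex domains allowed to sign in; every subdomain of these is accepted too.
    // Placeholder values taken from the question; replace with your own list.
    private static readonly HashSet<string> AllowedApexDomains =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "foo.com", "bar.com" };

    public static bool HasWhiteListedDomain(string email)
    {
        if (string.IsNullOrWhiteSpace(email)) return false;

        // Require exactly one '@' and a non-empty local part.
        var parts = email.Trim().Split('@');
        if (parts.Length != 2 || parts[0].Length == 0) return false;

        // Normalize the host: lower-case, strip a trailing dot, reject embedded whitespace.
        var host = parts[1].ToLowerInvariant().TrimEnd('.');
        if (host.Length == 0 || host.Any(char.IsWhiteSpace)) return false;

        return AllowedApexDomains.Any(apex => IsSameOrSubdomain(host, apex));
    }

    // "foo.com" and "x.foo.com" match apex "foo.com";
    // "notfoo.com" and "foo.com.evil.net" do not.
    private static bool IsSameOrSubdomain(string host, string apex)
    {
        if (host.Equals(apex, StringComparison.OrdinalIgnoreCase)) return true;
        return host.EndsWith("." + apex, StringComparison.OrdinalIgnoreCase);
    }
}
```

The suffix rule covers "x.foo.com" automatically, but unrelated domains such as "bar.com" still have to be listed explicitly, because nothing in the e-mail address itself ties them to the "foo.com" Google Apps account.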