
Restrict App Engine access to G Suite accounts on custom domain

A while ago, App Engine-related settings for Google Apps (which is now called G Suite) domains were moved to the Google Cloud Console.

As of now, the documented way to restrict access to an App Engine instance to users of the associated G Suite is through this Google Cloud Console page:

[screenshot]

When you click on [Edit] in that page, under "Google authentication" you can switch between "Google Accounts API" and "Google Apps domain" (which should actually be called "G Suite domain").

[screenshot]

There is an input box below that dropdown, but no explanation of what should be entered there. Through trial and error I have found that it's supposed to be the domain name of the associated G Suite.

In a minimal Hello World app deployed to App Engine, we set the authentication option to:

login: required

Please note that some services of our app are written in Python, others in Java.

Accessing the App Engine instance through the [project-id].appspot.com hostname works just fine: Google will prompt for credentials on the associated G Suite, and redirect appropriately through the authentication process to the target pathname.

The problem is that authentication does not work, at all, when accessing the App Engine instance through a custom domain. This will show a 500, and the server log reads:

Authentication for the Google Apps domain example.com can only be performed when requests are served from a subdomain of that domain or it has been approved through the Google Apps Control Panel. See https://developers.google.com/appengine/articles/auth

The linked page in that error message does not exist anymore, i.e. it has been replaced with a page that describes authentication in general. Lifting that old page from online caches, I can see that it described the old Google Apps way of adding the App Engine project to the Google Apps services page, but as of now this functionality has been removed, or migrated to Google Cloud Console.

For what it's worth, Google support could not offer any assistance beyond pointing me at documentation of the screenshotted pages above.

Is there anyone here who managed to restrict App Engine access to G Suite accounts through a custom domain? Or is this feature just broken?

In particular I'm looking for answers that solve this in the context of Python and/or Java GAE apps, and for code that demonstrates how to solve this programmatically if needed.

nikola asked Jan 30 '17 19:01


1 Answer

It appears this is a known issue with Google Apps Domain authentication, where the authentication does not work if you enable Google Apps Domain authentication after the domain is added to the 'Custom domains' section of the console.

The workaround is to remove the custom domain mapping from 'Custom domains', and then re-add it after enabling Google Apps Domain authentication for the domain. The documentation page Using Custom Domains and SSL will be updated to reflect this.

Adam answered Sep 29 '22 06:09