08-02-2023, 04:28 PM
Developing a Flask app (Python3/Heroku) for internal company use and successfully implemented Google Login (OAuth2) based on brijeshb42's article, which uses requests_oauthlib.
Research has indicated that if I pass the parameter "hd" (hosted domain) in my authorization URL it should do the trick.
My understanding is that this parameter should provide a client-side restriction and only allow logins from emails from our Google Apps domain (server-side I'll handle after this!) based on the Google documentation, a mailing list post and two Stack Overflow posts.
However, though my code generates the authorization URL I pasted above, I can still log in with my personal Gmail account (@gmail.com vs. @our_google_apps_domain.com).
Can anyone shed some light as to why this isn't working? Or provide a different approach? Basically I would prefer preventing non-employees from logging in.
I can share code as needed, but it's pretty much pasted from the brijeshb42 article and essentially looks like this:

```python
from requests_oauthlib import OAuth2Session

google = OAuth2Session(
    OUR_CLIENT_ID,
    redirect_uri='https://OUR_APP.herokuapp.com/connect',
    scope=['profile', 'email'])
authorization_url, state = google.authorization_url(
    AUTHORIZATION_BASE_URL,  # Google's authorization endpoint (the link was stripped from the post)
    hd='our_google_apps_domain.com',
    access_type='offline')
```

Which returns the auth URL I pasted above!
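Added example (not code from the post or from brijeshb42's article) showing the two halves of the fix: the `hd` request parameter only pre-filters Google's account chooser, so it cannot stop a personal account from being used, and the restriction has to be enforced server-side on the `hd` claim that Google puts into the ID token for Google Workspace accounts and omits for consumer @gmail.com accounts. The function names, the constructed sample claims, and the `our_google_apps_domain.com` / `OUR_CLIENT_ID` placeholders are assumptions; only the standard library is used so it runs offline.

```python
"""Added example: build the Google authorization URL with the "hd" hint, then
enforce the hosted-domain restriction server-side on the ID token claims.

Standard library only, so it runs offline. The claim dictionaries near the
bottom are constructed samples, not real Google responses."""
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OAuth 2.0 authorization endpoint (public, documented value).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
ALLOWED_DOMAIN = "our_google_apps_domain.com"   # assumed placeholder, as in the post


def build_authorization_url(client_id, redirect_uri, state, hosted_domain=ALLOWED_DOMAIN):
    """Authorization URL with hd=... appended.

    hd only pre-selects/filters accounts in Google's account chooser; the user
    can still sign in with any account, so it is a UX hint, not a security
    control. These are the same query parameters requests_oauthlib's
    authorization_url(..., hd=..., access_type=...) produces.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,            # CSRF token bound to the user's session
        "access_type": "offline",
        "hd": hosted_domain,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Parsed query string of an authorization URL (helper for inspection/tests)."""
    return parse_qs(urlparse(url).query)


def is_employee_account(claims, allowed_domain=ALLOWED_DOMAIN):
    """Server-side check that must run on every login, on claims taken from a
    verified ID token (signature, issuer, audience and expiry already checked)
    or from Google's userinfo endpoint over TLS.

    Google sets the "hd" claim only for Workspace / Cloud Identity accounts;
    consumer @gmail.com accounts carry no "hd" at all, which is exactly what
    lets them through when only the request parameter is relied on.
    """
    hd = claims.get("hd")
    if not isinstance(hd, str) or hd.lower() != allowed_domain.lower():
        return False             # consumer account, or a different organisation
    if claims.get("email_verified") is not True:
        return False
    email = claims.get("email", "")
    _, at, email_domain = email.rpartition("@")
    # Belt and braces: the mailbox domain must agree with the hosted domain.
    return at == "@" and email_domain.lower() == allowed_domain.lower()


# Constructed sample claims (not real tokens) covering the cases that matter.
EMPLOYEE_CLAIMS = {"sub": "1", "email": "alice@our_google_apps_domain.com",
                   "email_verified": True, "hd": "our_google_apps_domain.com"}
PERSONAL_GMAIL_CLAIMS = {"sub": "2", "email": "bob@gmail.com",
                         "email_verified": True}             # no hd claim at all
OTHER_ORG_CLAIMS = {"sub": "3", "email": "carol@partner.example",
                    "email_verified": True, "hd": "partner.example"}
MISMATCHED_CLAIMS = {"sub": "4", "email": "dave@gmail.com",
                     "email_verified": True, "hd": "our_google_apps_domain.com"}


def audit_logins():
    """Return a sample-name -> allowed? mapping for the constructed claims."""
    samples = {"employee": EMPLOYEE_CLAIMS, "personal_gmail": PERSONAL_GMAIL_CLAIMS,
               "other_org": OTHER_ORG_CLAIMS, "mismatched": MISMATCHED_CLAIMS}
    return {name: is_employee_account(c) for name, c in samples.items()}


if __name__ == "__main__":
    print(build_authorization_url("OUR_CLIENT_ID",
                                  "https://OUR_APP.herokuapp.com/connect",
                                  "random-state"))
    for name, ok in audit_logins().items():
        print(f"{name:15s} -> {'allow' if ok else 'deny'}")
```

In the Flask callback, run `is_employee_account` on the claims of the ID token after verifying it (for example with `google.oauth2.id_token.verify_oauth2_token` from the google-auth package, or by calling Google's userinfo endpoint with the access token) and reject the session before setting any login cookie; never decode the JWT payload without checking its signature, and do not rely on the email domain alone, since the `hd` claim is the only reliable indicator that the account is managed by the organisation.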