How do you restrict Google Login (Oauth2) to emails from a specific Google Apps domain for a Flask WebApp?

#1
Developing a Flask app (Python3/Heroku) for internal company use and successfully implemented Google Login (OAuth2) based on brijeshb42's article (link omitted), which uses requests_oauthlib.

Research has indicated that if I pass the parameter "hd" (hosted domain) in my authorization URL it should do the trick. E.g. (authorization URL omitted)


My understanding is that this parameter should provide client-side restriction and only allow logins from emails from our Google Apps domain (server-side I'll handle after this!) based on the Google documentation, a mailing list post and two Stack Overflow posts (links omitted).

However, though my code generates the authorization URL I pasted above -- I can still log in with my personal Gmail account (@gmail.com vs @our apps domain.com).

Can anyone shed some light as to why this isn't working? Or provide a different approach? Basically would prefer preventing non-employees from logging in.

I can share code as needed, but pretty much pasted from the brijeshb42 article and essentially looks like this:

```python
from requests_oauthlib import OAuth2Session

# AUTH_URI is Google's authorization endpoint (its URL was omitted from this copy of the post)
OAuth2Session(
    OUR_CLIENT_ID,
    redirect_uri='https://OUR_APP.herokuapp.com/connect',
    scope=['profile', 'email']).authorization_url(
        AUTH_URI,
        hd='our_google_apps_domain.com',
        access_type='offline')
```

Which returns the auth url I pasted above!

#2
After successful authentication, you have to check the provided email yourself. I have added the code snippet from my article that you referenced, with the extra check required added after the comment.

```python
import json

from flask import flash, redirect, request, session, url_for
from flask_login import current_user, login_user
from requests.exceptions import HTTPError

# app, db, User, Auth (CLIENT_SECRET, TOKEN_URI, USER_INFO) and get_google_auth()
# are defined in the rest of the article's code.


@app.route('/gCallback')
def callback():
    # Redirect user to home page if already logged in.
    if current_user is not None and current_user.is_authenticated():
        return redirect(url_for('index'))
    if 'error' in request.args:
        if request.args.get('error') == 'access_denied':
            return 'You denied access.'
        return 'Error encountered.'
    if 'code' not in request.args and 'state' not in request.args:
        return redirect(url_for('login'))
    else:
        # Execution reaches here when user has
        # successfully authenticated our app.
        google = get_google_auth(state=session['oauth_state'])
        try:
            token = google.fetch_token(
                Auth.TOKEN_URI,
                client_secret=Auth.CLIENT_SECRET,
                authorization_response=request.url)
        except HTTPError:
            return 'HTTPError occurred.'
        google = get_google_auth(token=token)
        resp = google.get(Auth.USER_INFO)
        if resp.status_code == 200:
            user_data = resp.json()
            email = user_data['email']
            """
            Your Domain specific check will come here.
            """
            if email.split('@')[1] != 'domain.com':
                flash('You cannot login using this email', 'error')
                return redirect(url_for('login'))
            user = User.query.filter_by(email=email).first()
            if user is None:
                user = User()
                user.email = email
            user.name = user_data['name']
            # The token is a bearer credential: store it, do not print it to the logs.
            user.tokens = json.dumps(token)
            user.avatar = user_data['picture']
            db.session.add(user)
            db.session.commit()
            login_user(user)
            return redirect(url_for('index'))
        return 'Could not fetch your information.'
```
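The server-side check that post #2 calls for, as an added example that is not code from the thread or from brijeshb42's article. It assumes the userinfo JSON shape Google returns (`email`, `verified_email` or `email_verified`, and `hd` for Workspace accounts) and reuses the `our_google_apps_domain.com` placeholder from the question; it goes slightly beyond the post's `split('@')` test by also requiring the address to be verified and the `hd` claim to agree.

```python
# Added example: server-side domain check for the userinfo JSON returned by
# google.get(Auth.USER_INFO). The `hd` request parameter only filters Google's
# account chooser; the server must verify the domain itself.
ALLOWED_DOMAIN = "our_google_apps_domain.com"  # placeholder from the question


def email_domain(email: str) -> str:
    """Return the lower-cased domain of an address. rpartition splits on the
    last '@', so a quoted local part containing '@' cannot confuse the check."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed email address")
    return domain.lower()


def is_allowed_user(user_data: dict, allowed_domain: str = ALLOWED_DOMAIN) -> bool:
    """True only if Google vouches for the address and it belongs to the
    allowed Workspace domain.

    `verified_email` is the flag in the v2 userinfo response, `email_verified`
    its OpenID Connect name. `hd` is only set for Workspace accounts, so a
    consumer @gmail.com login fails the last test.
    """
    if not user_data.get("verified_email", user_data.get("email_verified", False)):
        return False
    try:
        domain = email_domain(user_data.get("email", ""))
    except ValueError:
        return False
    allowed = allowed_domain.lower()
    # Exact match only: 'our_google_apps_domain.com.example' must not pass.
    if domain != allowed:
        return False
    return user_data.get("hd", "").lower() == allowed


# Constructed sample userinfo responses (not real accounts).
SAMPLES = {
    "employee": {"email": "alice@our_google_apps_domain.com",
                 "verified_email": True, "hd": "our_google_apps_domain.com"},
    "personal_gmail": {"email": "alice@gmail.com", "verified_email": True},
    "lookalike": {"email": "bob@our_google_apps_domain.com.example",
                  "verified_email": True, "hd": "our_google_apps_domain.com.example"},
    "unverified": {"email": "eve@our_google_apps_domain.com",
                   "verified_email": False, "hd": "our_google_apps_domain.com"},
}
```

Call `is_allowed_user(user_data)` where the article's snippet does its `split('@')` comparison, and redirect to the login page when it returns False.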

#3
When you create the authorization URL, you can append optional parameters; appending hd= ... will do the trick:

```python
auth_url, state = google.authorization_url(AUTH_URI, access_type='offline', hd='savv.ch')
```

This has many benefits. For example Google will then automatically pick the right account (if it matches the domain), which potentially saves a step in the Auth process, if the user is logged into multiple accounts.

