
In AuthSub, for Google Apps hosted domains I could use the hd parameter to redirect the user to that domain, get them to log in to that domain and receive the token.

What is the equivalent functionality in OAuth2?

I came across this URL: https://developers.google.com/drive/delegation

Is this the only way? From what I understand, the service account gets direct access to all the users? The workflow would be different from what it used to be for AuthSub, where the user had to log in to their individual domain account? Is this understanding correct?

MavWolverine
  • Could you clarify whether you're trying to gain access to all Drive user data within the domain or if you're only trying to scope your app down to logins from the given Google Apps domain? – Jay Lee Jan 06 '13 at 17:26
  • Only individual user. Very similar to a web application where the user's browser is redirected to the Google login screen, and then a token/code is sent back to the redirect_uri. Instead of the regular Google login screen, I need the hosted domain login screen. I tried adding hd=mydomain.com, but after login, the page is redirected to the oauth2 page, where response_type, client_id etc. are missing and hence I get an error. – MavWolverine Jan 07 '13 at 00:52

2 Answers

I think I found a solution, but not sure if it is the correct one.

For a test, I just added &hd=mydomain.com to the auth URL and I was correctly redirected to the domain login page. Once I logged in, I did get a 403, "Admin has disabled third party apps". So I logged in to the Google Apps admin and enabled the checkbox. And it worked fine.

I just need a confirmation from Google Drive developers if this is a correct solution or works currently only because AuthSub/OAuth1 is yet to be disabled?

UPDATE: hd=default does not work. You can set it to empty string.

MavWolverine
  • If it works, that's great. It's not documented functionality that I can find though. – Ali Afshar Jan 08 '13 at 19:57
  • It is documented @AliAfshar. Search for `hd` on Google's [OpenID Connect docs](https://developers.google.com/identity/protocols/OpenIDConnect). Be sure to verify the `hd` claim in the resulting ID Token if you want to restrict access to your domain, as it is possible for clients to manipulate the auth URL to drop the `hd`. – William Denniss May 19 '15 at 20:12
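The two halves of the accepted approach, as an added example that is not code from the original thread: build the authorization URL with `hd` so the user lands on the hosted-domain login page, then enforce the domain on the `hd` claim of the returned ID token rather than on the URL parameter, since anyone can strip `hd` from the link. The authorization endpoint is Google's documented one; the client ID, redirect URI, `mydomain.com` and the sample ID-token claims are constructed placeholders, and the claims are assumed to come from a token whose signature has already been verified against Google's JWKS (for example with a JWT library), which this example does not repeat.

```python
"""Google OAuth 2.0 hosted-domain restriction: hd hint plus hd claim check.

Added example, not from the original post. CLIENT_ID, REDIRECT_URI, the domain
and SAMPLE_CLAIMS are constructed placeholders.
"""
import time
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

CLIENT_ID = "123456789-example.apps.googleusercontent.com"   # placeholder
REDIRECT_URI = "https://app.example.com/oauth2/callback"      # placeholder
HOSTED_DOMAIN = "mydomain.com"                                # placeholder


def build_auth_url(client_id, redirect_uri, hosted_domain, state,
                   scopes=("openid", "email")):
    """Authorization URL carrying hd. hd is only a UI hint: it sends the
    user to the hosted-domain login page, but the user (or anyone who
    copies the link) can delete it, so it must not be the access check."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,          # anti-CSRF value, compared on the callback
        "hd": hosted_domain,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


class DomainCheckError(ValueError):
    """Raised when the ID token does not prove membership of the domain."""


def check_id_token_claims(claims, client_id, hosted_domain, now=None):
    """Application-level checks on an already signature-verified ID token.

    Returns the account's e-mail on success. Consumer Gmail accounts carry no
    hd claim at all, so a missing claim is a rejection, not a pass."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise DomainCheckError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise DomainCheckError("token was not issued for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise DomainCheckError("token expired or has no exp")
    hd = claims.get("hd")
    if not isinstance(hd, str) or hd.lower() != hosted_domain.lower():
        raise DomainCheckError(f"account is not in {hosted_domain}")
    if claims.get("email_verified") is not True:
        raise DomainCheckError("e-mail address not verified by Google")
    return claims["email"]


def is_domain_member(claims, client_id, hosted_domain, now=None):
    """Boolean wrapper for callers that prefer a yes/no over an exception."""
    try:
        check_id_token_claims(claims, client_id, hosted_domain, now=now)
    except DomainCheckError:
        return False
    return True


# Constructed sample payload, as it would look after signature verification.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "10769150350006150715113082367",
    "hd": HOSTED_DOMAIN,
    "email": "alice@mydomain.com",
    "email_verified": True,
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
}

if __name__ == "__main__":
    print(build_auth_url(CLIENT_ID, REDIRECT_URI, HOSTED_DOMAIN, state="x7f3q"))
    print(check_id_token_claims(SAMPLE_CLAIMS, CLIENT_ID, HOSTED_DOMAIN,
                                now=1_700_000_100))
```

In a real callback handler the `state` value is generated per session with `secrets.token_urlsafe()` and compared before the code is exchanged; the claims passed to `check_id_token_claims` must come from the ID token after its signature, not from anything the browser sent on its own.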

This is not a great solution, but you can pass the user_id parameter to the authorization URI for OAuth 2.0 to pass the email address of a domain user. That is, if you know the email address.

If not, you should trust the user to select the right account if they are multiply logged in.

As I say: sorry, not a great solution here.

Ali Afshar
  • Hi Ali, What I want to do is keep the user domain logins (including usernames) to themselves. I do not want to keep a record of their usernames. With initial AuthSub, I could just use hd=mydomain.com to redirect the users to the Apps login screen. They log in and grant access to my web application. – MavWolverine Jan 08 '13 at 18:36