
I have Django Social Auth (pypi package social-auth-app-django) working with Google OAuth2 on a site.

When they open a page they get redirected to Google's OAuth2 authentication. This works great, and if they try to log in with an email address that is not in my restricted list they get an AuthForbidden exception. I've added a catch for this and show them a page that they are not allowed to log into this site. All well and good so far.

However, I would prefer to not have the invalid email accounts show up at all in the list from Google's authentication page in the first place. I've done this with manual calls to the authentication page before using JavaScript with a parameter, but I'm not sure how to do so using the canned Django social auth module.

Can this be done and if so, how?

I have middleware that detects if a user is not logged in and returns a login() view which redirects them to the Google authentication page.

views.py

from urllib.parse import urlencode

from django.http import HttpResponseRedirect
from django.utils.http import url_has_allowed_host_and_scheme  # Django 3.0+; older releases call this is_safe_url
from django.views.decorators.csrf import csrf_protect


# Login using OAuth2.
@csrf_protect
def login(request):
    # Prefer the page the user was on; fall back to an explicit next= field.
    next_page = request.path or request.POST.get('next', request.GET.get('next', ''))

    # Only redirect back to this host, so a crafted ?next= cannot turn this view into an open redirect.
    if not url_has_allowed_host_and_scheme(next_page, allowed_hosts={request.get_host()}):
        next_page = '/'

    # Check if they are already logged in and redirect them to the original page if so.
    if hasattr(request, 'user') and request.user.is_authenticated:
        return HttpResponseRedirect(next_page)

    # Otherwise, send them to the OAuth2 page with the request url as the next parameter
    # (URL-encoded, so a '?' or '&' inside next_page survives the round trip).
    params = urlencode({'next': next_page, 'hd': 'mydomain.com'})
    return HttpResponseRedirect('/soc/login/google-oauth2?' + params)

EDIT - added picture to clarify my purpose...

What I'm asking for is when the Google OAuth2 dialog pops up asking to select the email address to use to log in, or to add a new one, that only the emails from restricted domains show up as options. This image shows the Google login, and two accounts that have been authenticated previously. One is a personal gmail account that I would prefer not to be displayed here. The other is from the domain that is in the whitelist and the only one I want to be displayed here: [screenshot of the Google account chooser]

Furbeenator
  • I don't follow the question, what are you actually trying to accomplish? Could you put some examples? – omab Jun 21 '18 at 15:01
  • Just added a screen shot of the google sign in. I want to limit this dialog to only show email accounts that are actually authorized (in the settings WHITELIST) to log in. I have trapped this case where they log in with an invalid account, but want to prevent the confusion of showing accounts without access. – Furbeenator Jun 21 '18 at 17:25
  • 1
    Quick research showed this similar question https://stackoverflow.com/questions/10858813/restrict-login-email-with-google-oauth2-0-to-specific-domain-name. Try defining `SOCIAL_AUTH_GOOGLE_OAUTH2_AUTH_EXTRA_ARGUMENTS = {'hd': 'yourdomain.com'}` – omab Jun 22 '18 at 07:28
  • Hmm, I actually went to that SO post and didn't find reference. This is the first I've heard of SOCIAL_AUTH_GOOGLE_OAUTH2_EXTRA_ARGUMENTS, I had a SOCIAL_AUTH_GOOGLE_OAUTH2_EXTRA_DATA variable in settings. I'll give this one a shot. Thanks! – Furbeenator Jun 28 '18 at 23:30
  • I tried this directive and it still doesn't limit which accounts are displayed on the login prompt from Google. – Furbeenator Jun 29 '18 at 15:40
  • I was, however, able to add the parameter manually to the end of the url for the google oauth page and get it to limit, but I can't seem to get this to be automatically included in the url. – Furbeenator Jun 29 '18 at 23:25
  • 1
    the setting name is `SOCIAL_AUTH_GOOGLE_OAUTH2_AUTH_EXTRA_ARGUMENTS`, not `SOCIAL_AUTH_GOOGLE_OAUTH2_EXTRA_ARGUMENTS`. Once defined the limiting to the specified domain will work. – omab Jun 29 '18 at 23:29
  • Thanks, omab. I thought maybe you had mistyped it, but I found it was correct. It was actually working, but I couldn't verify since adding the restriction meant there was only one account and it was automatically logging me in with that account. Now I have to figure out how to get the prompt after logging/timing out, so somebody else could potentially log into my site from the same browser. Do you know how to not make it automatically log in if there's just one account? – Furbeenator Jun 29 '18 at 23:44
  • I should have searched first. I found your response to another SO thread: {'access_type': 'offline', 'approval_prompt': 'force'} Thanks a ton for your help, I think I'm all good to go now. If you'd like you can submit as an answer and I'll accept it. – Furbeenator Jun 29 '18 at 23:53
  • 1
    Right, `'approval_prompt': 'force'` is to enforce the account dialog on Google, `'access_type': 'offline'` is to get a `refresh_token` that you can use to exchange for an `access_token` at any time. – omab Jun 29 '18 at 23:55

1 Answer


For Google, you can limit the accounts listed to a given domain by defining the setting:

SOCIAL_AUTH_GOOGLE_OAUTH2_AUTH_EXTRA_ARGUMENTS = {
    'hd': 'yourdomain.com'
}
omab
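One caveat worth making explicit: `hd` is a query parameter the browser sends to Google, so it only narrows the account chooser. A user can still complete the flow with an account from another domain (for example by removing the parameter from the URL), so the domain has to be enforced on the server as well, either with the built-in `SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS` setting or with a pipeline step that checks what Google actually returned. The block below is an added example written for this page, not code from the answer or from social-auth. It assumes the standard Google authorization endpoint, a constructed allowlist of one domain, and that the pipeline `response` dict carries Google's `email`, `email_verified` (or the older `verified_email`) and `hd` fields; it also uses `prompt=select_account`, the current OIDC parameter for forcing the chooser, alongside the `hd` hint.

```python
from urllib.parse import urlencode

try:
    from social_core.exceptions import AuthForbidden
except ImportError:  # keeps the example runnable without social-auth installed
    class AuthForbidden(Exception):
        def __init__(self, backend, *args, **kwargs):
            super().__init__("Your credentials aren't allowed")
            self.backend = backend

# Assumptions for the example: Google's authorization endpoint and a constructed allowlist.
GOOGLE_AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/auth'
ALLOWED_DOMAINS = frozenset({'mydomain.com'})


def build_auth_url(client_id, redirect_uri, state, extra_args=None):
    """Build the authorization URL, merging extra arguments the way AUTH_EXTRA_ARGUMENTS does.

    'hd' only filters Google's account chooser; 'prompt': 'select_account' forces the
    chooser even when a single matching account is already signed in.
    """
    params = {
        'response_type': 'code',
        'client_id': client_id,
        'redirect_uri': redirect_uri,
        'scope': 'openid email profile',
        'state': state,
    }
    params.update(extra_args or {})
    return GOOGLE_AUTH_ENDPOINT + '?' + urlencode(params)


def account_allowed(response, allowed_domains=ALLOWED_DOMAINS):
    """Server-side check on the identity Google returned, independent of the 'hd' hint.

    Requires a verified email whose domain is allowlisted AND a matching 'hd' claim:
    Google only sets 'hd' for accounts belonging to that Workspace domain, so a
    consumer Gmail account never passes even if the 'hd' query parameter was removed.
    """
    email = (response.get('email') or '').lower()
    verified = response.get('email_verified', response.get('verified_email', False))
    if '@' not in email or not verified:
        return False
    domain = email.rsplit('@', 1)[1]
    hd = (response.get('hd') or '').lower()
    return domain in allowed_domains and hd == domain


def require_allowed_domain(backend, response, *args, **kwargs):
    """Pipeline step (assumed to sit right after social_details in SOCIAL_AUTH_PIPELINE).

    Raising AuthForbidden lands in the same handler the question already has
    for the whitelist case.
    """
    if not account_allowed(response):
        raise AuthForbidden(backend)
    return None
```

To wire the step in, add its dotted path (for example `'myapp.pipeline.require_allowed_domain'`, a hypothetical module name) to `SOCIAL_AUTH_PIPELINE` immediately after `'social_core.pipeline.social_auth.social_details'`, so it runs before a user is created or associated.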