Limit OAuth 2 Client to a Google Apps Domain #165

Closed
Nathaniel-MacIver opened this issue Aug 6, 2018 · 2 comments

@Nathaniel-MacIver

I'd like to use this code as a base for a small Python package I want to build in my work environment, but it has to be limited in accessibility to only Gmail accounts within our GSuite Work domain. In searching for a way to tweak the OAuth client, I found this on Stack Overflow:

    google = oauth.remote_app('google',
                              base_url='https://www.google.com/accounts/',
                              authorize_url='https://accounts.google.com/o/oauth2/auth',
                              request_token_url=None,
                              request_token_params={'scope': 'https://www.googleapis.com/auth/userinfo.email',
                                                    'response_type': 'code',
                                                    'hd': 'domain.com'},
                              access_token_url='https://accounts.google.com/o/oauth2/token',
                              access_token_method='POST',
                              access_token_params={'grant_type': 'authorization_code'},
                              consumer_key=GOOGLE_CLIENT_ID,
                              consumer_secret=GOOGLE_CLIENT_SECRET)

The request_token_params dictionary permits an hd variable where you can specify the domain to lock it down to.

Where would I put this kind of variable in the Bookshelf project to practice? Would it be under service_account.py in the Windows directory env\Lib\site-packages\oauth2client, or somewhere else?

Thank you for your help!!!

@JustinBeckwith JustinBeckwith added triage me I really want to be triaged. 🚨 This issue needs some love. labels Oct 3, 2019
@TheRoyalTnetennba TheRoyalTnetennba added type: question Request for information or clarification. Not an issue. and removed 🚨 This issue needs some love. triage me I really want to be triaged. labels Jan 9, 2020
@dandhlee
Contributor

dandhlee commented Aug 4, 2021

Hi there! Sorry for the late reply. Let me investigate a bit more into where this can happen; I'm not an OAuth expert, so I'll need to do some homework.

@dandhlee dandhlee self-assigned this Aug 4, 2021
@dandhlee
Contributor

dandhlee commented Aug 4, 2021

Similar to the example mentioned in SO: https://github.com/mitsuhiko/flask-oauth/blob/master/example/google.py, it would fall under bookshelf/main.py. The code now looks like this: (adding in line numbers to help)

 44 # [END upload_image_file]
 45 
 46 
 47 app = Flask(__name__)
 48 app.config.update(
 49     SECRET_KEY='secret',
 50     MAX_CONTENT_LENGTH=8 * 1024 * 1024,
 51     ALLOWED_EXTENSIONS=set(['png', 'jpg', 'jpeg', 'gif'])
 52 )
 53 
 54 app.debug = False
 55 app.testing = False

If you wanted to add the OAuth bit, you'd add a bit of a section after the snippet above:

 44 # [END upload_image_file]
 45 
 46 
 47 app = Flask(__name__)
 48 app.config.update(
 49     SECRET_KEY='secret',
 50     MAX_CONTENT_LENGTH=8 * 1024 * 1024,
 51     ALLOWED_EXTENSIONS=set(['png', 'jpg', 'jpeg', 'gif'])
 52 )
 53 
 54 app.debug = False
 55 app.testing = False
 56 # Don't forget to import:
 57 from flask_oauth import OAuth
 58 # You must configure these 3 values from Google APIs console
 59 # https://code.google.com/apis/console
 60 GOOGLE_CLIENT_ID = '<Client-ID>'
 61 GOOGLE_CLIENT_SECRET = '<Client-secret>'
 62 oauth = OAuth()
 63 
 64 google = oauth.remote_app('google',
 65                           base_url='https://www.google.com/accounts/',
 66                           authorize_url='https://accounts.google.com/o/oauth2/auth',
 67                           request_token_url=None,
 68                           request_token_params={'scope': 'https://www.googleapis.com/auth/userinfo.email',
 69                                                 'response_type': 'code'},
 70                           access_token_url='https://accounts.google.com/o/oauth2/token',
 71                           access_token_method='POST',
 72                           access_token_params={'grant_type': 'authorization_code'},
 73                           consumer_key=GOOGLE_CLIENT_ID,
 74                           consumer_secret=GOOGLE_CLIENT_SECRET)

Note that the SO post talks about the HD flag being discouraged. This answer is long overdue, but I hope it helps anyone else!

I'll be closing this issue for now, but if there's any followup questions to this topic please feel free to re-open it with more info! :)

@dandhlee dandhlee closed this as completed Aug 4, 2021
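
An added example, not code from the Bookshelf project or from either commenter: the `hd` request parameter discussed in this thread only pre-selects a domain on Google's sign-in page, so the server still has to check the `hd` claim of the verified ID token before granting access. The function names, client ID, domains and sample claims below are assumptions made for illustration.

```python
import time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


class LoginRejected(Exception):
    """Verified ID-token claims failed the domain policy."""


def require_workspace_domain(claims, allowed_domains, client_id, now=None):
    """Return the user's e-mail if the claims satisfy the policy, else raise.

    `claims` must come from an ID token whose signature was already verified
    (for example by google-auth's id_token.verify_oauth2_token).
    """
    now = time.time() if now is None else now
    allowed = {d.lower() for d in allowed_domains}
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise LoginRejected("unexpected issuer")
    if claims.get("aud") != client_id:
        raise LoginRejected("token issued to a different client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise LoginRejected("token expired")
    # The hd *claim* is asserted by Google. The hd request parameter only
    # pre-selects a domain on the sign-in page and can be dropped client-side.
    hd = claims.get("hd")
    if not isinstance(hd, str) or hd.lower() not in allowed:
        raise LoginRejected("account is not in an allowed domain")
    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        raise LoginRejected("no verified e-mail address")
    return email


def decision(claims, allowed_domains, client_id, now=None):
    """Map the check to a string so callers can log the outcome."""
    try:
        return "allow " + require_workspace_domain(claims, allowed_domains, client_id, now)
    except LoginRejected as err:
        return "deny: " + str(err)


# Constructed sample claims; the client ID and domains are placeholders.
CLIENT_ID = "placeholder-client-id.apps.googleusercontent.com"
BASE = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
        "exp": 2_000_000_000, "email_verified": True}
EMPLOYEE = dict(BASE, email="alice@example.com", hd="example.com")
NO_HD = dict(BASE, email="bob@example.com")  # no hd claim: not an org account
OTHER_ORG = dict(BASE, email="carol@example.org", hd="example.org")
```

The `NO_HD` sample shows why the e-mail suffix alone is not a substitute: the address ends in the expected domain, but without an `hd` claim the account is not a member of the organization.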