How to restrict OpenID login to one Google Apps domain in GAE (again)

I want to restrict login to a Python application running on Google App Engine to members of a specific Google Apps domain, using OpenID.

According to the thread "How do I restrict Google Federated Login to a specific application domain?", this can be achieved by simply replacing the Google OpenID discovery URL

https://www.google.com/accounts/o8/id

with

https://google.com/accounts/o8/site-xrds?hd=example.com

This, however, does not work with users.create_login_url() in GAE for Python. It throws a 500 server error that does not appear in the App Engine log (the log shows only the redirect and the "OpenID" line from logging.debug).

Does anyone have any suggestions to fix this?

app.yaml:

    application: example
    version: 1
    runtime: python27
    api_version: 1
    threadsafe: yes

    handlers:
    - url: /_ah/login_required
      script: main.app
    - url: .*
      script: main.app
      login: required

main.py:

    import cgi
    import logging
    import webapp2
    from google.appengine.api import users

    # Any Google account, works like a charm
    #federated_identity = 'https://www.google.com/accounts/o8/id'
    # Only accounts under a specific domain, does not work
    federated_identity = 'https://google.com/accounts/o8/site-xrds?hd=example.com'
    dest_url = 'http://example.appspot.com/'


    class Main(webapp2.RequestHandler):
        def get(self):
            logging.debug('Main')
            user = users.get_current_user()
            if user:
                # Escape the values before writing them into the HTML response
                self.response.out.write('Hello %s<p>[<a href="%s">log out</a>]' % (
                    cgi.escape(user.email(), True),
                    cgi.escape(users.create_logout_url(self.request.uri), True)))
            else:
                self.response.out.write('Not logged in')


    class OpenID(webapp2.RequestHandler):
        def get(self):
            logging.debug('OpenID')
            # Send the OpenID login flow to the domain-restricted discovery URL
            login_url = users.create_login_url(dest_url=dest_url,
                                               federated_identity=federated_identity)
            self.redirect(login_url)


    app = webapp2.WSGIApplication([
        ('/_ah/login_required', OpenID),
        ('/', Main),
    ], debug=True)

Update
Sebastian suggests that the solution could be to URL-encode the federated identity URL. I tried URL-encoding the entire URL, and also just the question mark as suggested. Unfortunately, this does not change anything. The redirect URLs, as shown in the browser's address bar or in the log:

No url encoding:
http://example.appspot.com/_ah/login_redir?claimid=https://google.com/accounts/o8/site-xrds?hd=example.com&continue=http://example.appspot.com/

With url encoding:
http://example.appspot.com/_ah/login_redir?claimid=https%3A%2F%2Fgoogle.com%2Faccounts%2Fo8%2Fsite-xrds%3Fhd%3Dexample.com&continue=http://example.appspot.com/

1 answer

I think (I have not tested this myself) that the problem is that federated_identity is not encoded. Try replacing the question mark with %3F. Also make sure the URL

 https://google.com/accounts/o8/site-xrds?hd=example.com 

works.

The test I did was to go to the URL

 http://testsk2012.appspot.com/_ah/login_redir?claimid=https://www.google.com/accounts/o8/site-xrds%3Fhd=somesite.com&continue=http://testsk2012.appspot.com/ 

and it succeeded.

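Added here as a worked example (not part of the question or the answer, and not App Engine's own code): it builds the hd-restricted discovery URL, percent-encodes it as the claimid value in the way the answer suggests, parses the two redirect URLs from the question's update back to show what each one carries, and adds the server-side domain check the handler should still make on the account that comes back. It runs on plain Python 3 with the standard library only; the host parameter (the question's URL uses google.com, the answer's working test uses www.google.com), the shape of the /_ah/login_redir URL and the email_in_domain helper are assumptions for illustration.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Redirect URLs copied from the question's update (not constructed).
UNENCODED_REDIRECT = ("http://example.appspot.com/_ah/login_redir"
                      "?claimid=https://google.com/accounts/o8/site-xrds?hd=example.com"
                      "&continue=http://example.appspot.com/")
ENCODED_REDIRECT = ("http://example.appspot.com/_ah/login_redir"
                    "?claimid=https%3A%2F%2Fgoogle.com%2Faccounts%2Fo8%2Fsite-xrds%3Fhd%3Dexample.com"
                    "&continue=http://example.appspot.com/")


def federated_identity_for_domain(domain, host="www.google.com"):
    """Discovery URL that asks Google to offer only accounts of one Google Apps domain.

    The host is a parameter (assumption): the question uses google.com, the
    answer's successful test uses www.google.com.
    """
    return "https://%s/accounts/o8/site-xrds?%s" % (host, urlencode({"hd": domain}))


def encode_claimid(federated_identity):
    """Percent-encode the discovery URL for use as the claimid query value.

    quote(..., safe='') also encodes ':', '/', '?', '=' and '&' (as %3A, %2F,
    %3F, %3D, %26), so nothing inside the value can be read as a delimiter of
    the outer /_ah/login_redir query string. This is the answer's suggestion
    applied to the whole value rather than to the question mark alone.
    """
    return quote(federated_identity, safe="")


def build_login_redir(app_origin, federated_identity, continue_url):
    """Assumed shape of the /_ah/login_redir URL seen in the question's logs."""
    return "%s/_ah/login_redir?claimid=%s&continue=%s" % (
        app_origin, encode_claimid(federated_identity), quote(continue_url, safe=""))


def hd_from_login_redir(login_redir_url):
    """Recover the hd domain carried inside claimid, or None when there is none.

    parse_qs() splits on '&' and on the first '=' only and percent-decodes, so
    the encoded and the raw redirect from the question both parse to the same
    discovery URL, which matches the observation that encoding changed nothing.
    """
    outer = parse_qs(urlsplit(login_redir_url).query)
    claimid = outer.get("claimid", [""])[0]
    inner = parse_qs(urlsplit(claimid).query)
    return inner.get("hd", [None])[0]


def email_in_domain(email, allowed_domain):
    """Server-side membership check to run after users.get_current_user().

    Whatever the discovery URL restricts, the application should still confirm
    that the authenticated address belongs to the allowed domain before serving
    the page. Assumption: one exact domain, compared case-insensitively, so
    'alice@example.com.evil.net' and 'alice@evil.net' are both rejected.
    """
    local_part, at_sign, domain = email.rpartition("@")
    if not at_sign or not local_part or not domain:
        return False
    return domain.lower() == allowed_domain.lower()


if __name__ == "__main__":
    identity = federated_identity_for_domain("example.com", host="google.com")
    redirect = build_login_redir("http://example.appspot.com", identity,
                                 "http://example.appspot.com/")
    print(redirect)
    print("hd in encoded redirect:", hd_from_login_redir(ENCODED_REDIRECT))
    print("hd in raw redirect:", hd_from_login_redir(UNENCODED_REDIRECT))
    for address in ("alice@Example.com", "bob@example.com.evil.net", "carol@evil.net"):
        print(address, "->", email_in_domain(address, "example.com"))
```

The encoded claimid produced by encode_claimid() is byte-for-byte the one in the question's second redirect URL, and both redirects decode to the same hd value, so the encoding itself is not what separates the working and the failing case; the domain check at the end is the part that stays under the application's control regardless of how discovery behaves.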

Source: https://habr.com/ru/post/906734/
