MVC4/ Google OpenID limit to specific Google Apps Domain(s)
I created a new MVC4/.NET4.5 project and enabled Google OpenID. This worked, shockingly easily.

My company has "gone Google" and our domains/employee identities are in the Google Apps webspace.

How can I allow only our Google Apps domains to authenticate to my new website? I'm hoping it's a simple thing like the authentication piece was.

Here is some additional information:

  • I literally created a default web application and enabled the Google Authentication piece. I could not believe how simple it was to validate against Google.
  • My company has literally hundreds of email domains, all rolled up under one email domain "umbrella". For example, my company's corporate email domain name is "foo.com", but under this we have "x.foo.com", "bar.com", and "yomommasougly.net". All of these are part of the "foo.com" Google Apps domain.
  • The ultimate goal is a description of what needs to be done (and where) to take this default application and restrict it to all domains under the "foo.com" domain.
  • With hundreds of domains, and more being added all the time, it is not practical to specify every domain explicitly.
Schlosser answered 23/4, 2013 at 17:53 Comment(2)
No takers, huh? Guess it's not so simple after all. - Schlosser
Not a direct answer, but part of the problem might lay with using the OpenID provider that ships with MVC4. You might consider using my OAuth2 provider instead. At least then you can secure it with an API key and pass scope parameters. - Lactoscope

Assuming you're using DotNetOpenAuth check out the authentication code for the Stack Exchange Data Explorer.

Essentially, you just ask for the e-mail address with your request:

request.AddExtension(
    new ClaimsRequest
    {
        Email = DemandLevel.Require,
    }
);

Then check the returned address against your domain whitelist (I'm assuming you're already only accepting Google OpenIDs):

var sreg = response.GetExtension<ClaimsResponse>();
// sreg is null when the OP returned no SREG/AX claims; treat that as a failure too.
if (sreg == null || !HasWhiteListedDomain(sreg.Email)) {
    // Fail Here
}

Note that these bits of code need to be added to your Web.config to get the exact code for fetching the e-mail above working:

  <configSections>
    <section name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection" requirePermission="false" allowLocation="true" />
  </configSections>
  <dotNetOpenAuth>
    <openid>
      <relyingParty>
        <behaviors>
          <!-- The following OPTIONAL behavior allows RPs to use SREG only, but be compatible
                    with OPs that use Attribute Exchange (in various formats). -->
          <add type="DotNetOpenAuth.OpenId.Behaviors.AXFetchAsSregTransform, DotNetOpenAuth" />
        </behaviors>
      </relyingParty>
    </openid>
  </dotNetOpenAuth>

Edit:

If using OAuthWebSecurity, getting the e-mail will just look something like this:

var userDataFromProvider = result.ExtraData;
var email = userDataFromProvider["email"];

Piercing answered 29/4, 2013 at 21:52 Comment(6)
Well, I can get authentication to fail using a Google Apps domain using this code in place of OpenAuth.AuthenticationClients.AddGoogle(). That's... something. OpenAuth.AuthenticationClients.Add("Google Apps", (() => (IAuthenticationClient)new OpenIdClient("example", "google.com/accounts/o8/site-xrds?hd=example.com"))); - Piercing
I mention the above code in case my Google Apps domain is denying logins because it's configured to... It may work for someone who actually has access to tinker with their settings :) - Piercing
MVC4 uses OAuthWebSecurity, which looks like it's probably DotNetOpenAuth under the covers, but I cannot see where I would inject the code you are referencing. - Schlosser
Oh, that's a strange difference. I suspect you'd be replacing OAuthWebSecurity.RegisterGoogleClient(); with something similar. I'll try an MVC project instead of ASP.NET Forms. Derp. - Piercing
I can reproduce the scenario in MVC, but unfortunately get the same error, and it's not really an easy one to trace. Here's a gist of the 2 relevant files if you want to mess around: gist.github.com/mootinator/5498478 - Piercing
No luck. I have checked our environment and we are explicitly allowing OpenID for our Google Apps domain. This code seems to be along the right track though. - Schlosser
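The answer above calls a HasWhiteListedDomain helper but does not define it. The following is an added example (not code from the answer or from DotNetOpenAuth) of how that check can be written so that it accepts the "foo.com" umbrella and every subdomain under it without listing them, while still rejecting look-alike hosts; the domain names are the placeholders from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: the whitelist helper the answer refers to. Domain names are
// the question's placeholders (foo.com umbrella, plus two unrelated domains).
public static class DomainWhitelist
{
    // Domains accepted only as an exact match.
    private static readonly HashSet<string> ExactDomains =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "bar.com", "yomommasougly.net" };

    // Umbrella domains: the domain itself and any subdomain (x.foo.com, a.b.foo.com) are accepted.
    private static readonly string[] UmbrellaDomains = { "foo.com" };

    public static bool HasWhiteListedDomain(string email)
    {
        if (string.IsNullOrWhiteSpace(email)) return false;

        // Require exactly one '@' with a non-empty local part and host part.
        var parts = email.Trim().Split('@');
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0) return false;

        // Normalise the host: lower-case, strip a trailing dot, reject embedded whitespace.
        var domain = parts[1].TrimEnd('.').ToLowerInvariant();
        if (domain.Length == 0 || domain.Any(char.IsWhiteSpace)) return false;

        if (ExactDomains.Contains(domain)) return true;

        // Match the umbrella on a label boundary, anchored at the end of the host name:
        // "foo.com" and "x.foo.com" pass; "notfoo.com" and "foo.com.evil.net" do not.
        return UmbrellaDomains.Any(u =>
            domain.Equals(u, StringComparison.Ordinal) ||
            domain.EndsWith("." + u, StringComparison.Ordinal));
    }
}

// Expected results (placeholders):
//   HasWhiteListedDomain("alice@foo.com")          -> true
//   HasWhiteListedDomain("bob@x.foo.com")          -> true
//   HasWhiteListedDomain("carol@bar.com")          -> true
//   HasWhiteListedDomain("eve@notfoo.com")         -> false
//   HasWhiteListedDomain("eve@foo.com.evil.net")   -> false
//   HasWhiteListedDomain("eve@foo.com@evil.net")   -> false
```

Run this check only after the OpenID response has been verified (response.Status == AuthenticationStatus.Authenticated in DotNetOpenAuth), and only for the Google endpoint: the e-mail claim is trustworthy because Google asserts it for its own accounts, whereas an arbitrary OpenID provider could assert any address it likes.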