Reputation: 3189
Google API - allow connections only with Google Apps Domain
Is it possible to allow a client to connect to the API ONLY with a google apps domain email address? Users often have their own gmail session active and we need to ensure that they can only connect to the api using our Google Apps Domain email.
For now the only solution has been that we disconnect them when they return from the auth steps if their email address doesnt contain our domain, with an error message telling them they need to follow the steps again using their [domain].com email address, which is far less than ideal. Can the domain be specified somewhere in the scopes or api console for example?
[Google API PHP Client]
Upvotes: 1
Views: 782
Answers (1)
Reputation: 3189
I found a hacky solution, describing briefly for those who may need smth similiar:
If you add the login_hint parameter with the email address (in this case with Google Apps account, with our own domain) it bypasses the initial login page and if any other google sessions are available bypasses them as well. I didn't find this behavior described in the documentation, nor did I find the ability to add this parameter in the google-api-php-client. I added a method in the Google_Client.php file to allow the ability to add the login_hint parameter:
public function setLoginHint($loginHint) {
global $apiConfig;
$apiConfig['login_hint'] = $loginHint;
self::$auth->login_hint = $loginHint;
}
And the parameter to the authenticate method in Google_Oauth2.php:
$request = Google_Client::$io->makeRequest(new Google_HttpRequest(self::OAUTH2_TOKEN_URI, 'POST', array(), array(
'code' => $code,
'grant_type' => 'authorization_code',
'redirect_uri' => $this->redirectUri,
'client_id' => $this->clientId,
'client_secret' => $this->clientSecret,
'login_hint' => $this->loginHint
)));
Then I can call the method using the user's Google Apps email address during authentication:
$client->setLoginHint("[email protected]")
If there was something built in that I didnt find in the docs or searches please let me know. By the way, I thought Google API guys were keeping an eye on SO for questions such as these, echo echo...
Upvotes: 1
Related Questions
- Restricting Google API Server to server service account key to be used with specific domains
- Google Api Service Account Authorization
- Restrict Google+ Sign-In to specific Apps Domain
- Google Oauth2.0 with Python: How do I limit access to a specific domain?
- Google client API - limit oauth authentication to my domain
- How to restrict API access to limited domains names?
- Using Google authentication API with PHP
- How to authorize Google app on an API Project in a specific domain
- google oauth authentication
- API Security: how to restrict access by domain?