
I'm trying to understand how to limit access to my application when using this Python OAuth 2.0 example. I've seen places where you can add an hd=domain.com to the end of an authorize_url, but that doesn't work for me.

Can anyone shed some light on how to limit access to my flask app based on this example? https://github.com/mitsuhiko/flask-oauth/blob/master/example/google.py

dirty_joker

1 Answer


So I can answer this myself. When building the google object, the 'hd' param should be added as such.

from flask_oauth import OAuth

GOOGLE_CLIENT_ID = '<your client id>'          # placeholder, as in the linked example
GOOGLE_CLIENT_SECRET = '<your client secret>'  # placeholder, as in the linked example

oauth = OAuth()

google = oauth.remote_app('google',
                      base_url='https://www.google.com/accounts/',
                      authorize_url='https://accounts.google.com/o/oauth2/auth',
                      request_token_url=None,
                      # 'hd' is sent along with the other authorize-URL query
                      # parameters, so it pre-selects the hosted domain at login
                      request_token_params={'scope': 'https://www.googleapis.com/auth/userinfo.email',
                                            'response_type': 'code',
                                            'hd': 'domain.com'},
                      access_token_url='https://accounts.google.com/o/oauth2/token',
                      access_token_method='POST',
                      access_token_params={'grant_type': 'authorization_code'},
                      consumer_key=GOOGLE_CLIENT_ID,
                      consumer_secret=GOOGLE_CLIENT_SECRET)
dirty_joker
  • Seems like this way of using hd parameter is discouraged: https://developers.google.com/identity/protocols/oauth2/openid-connect#hd-param The hd (hosted domain) parameter streamlines the login process for G Suite hosted accounts. … Don't rely on this UI optimization to control who can access your app, as client-side requests can be modified. Be sure to validate that the returned ID token has an hd claim value that matches what you expect (e.g. mycolledge.edu). Unlike the request parameter, the ID token hd claim is contained within a security token from Google, so the value can be trusted. – Marcin Pietraszek Aug 03 '21 at 06:41
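The server-side check the comment above recommends, as an added example that is not part of the original answer or of flask-oauth: the request-side `hd` parameter only shapes the login UI, so the app must compare the `hd` claim of the returned ID token against the domain it expects. It assumes the claims dict comes from an ID token whose signature has already been verified (for instance with `verify_oauth2_token` from the google-auth package); the `ALLOWED_HD` value and the sample claims are constructed placeholders.

```python
from typing import Optional

# Hosted domain the app should accept (placeholder, matches the 'hd' used above).
ALLOWED_HD = "domain.com"


def hosted_domain_ok(claims: dict, allowed_hd: str = ALLOWED_HD) -> bool:
    """Return True only if signature-verified ID token claims belong to allowed_hd.

    A client can strip or change the 'hd' query parameter it sends to Google,
    but it cannot change the 'hd' claim inside the signed ID token, so the
    access decision is made here, not on the request parameter.
    """
    hd = claims.get("hd")
    # Consumer (e.g. gmail.com) accounts carry no 'hd' claim at all: reject.
    if not isinstance(hd, str) or not hd:
        return False
    # Domain names are case-insensitive; compare the whole value exactly so
    # "notdomain.com" or "domain.com.other.example" cannot pass a suffix test.
    if hd.lower() != allowed_hd.lower():
        return False
    # Only trust the email address if Google marks it as verified.
    return claims.get("email_verified") is True


def user_from_token(claims: dict, allowed_hd: str = ALLOWED_HD) -> Optional[str]:
    """Map verified claims to a login identity, or None if access is denied."""
    if not hosted_domain_ok(claims, allowed_hd):
        return None
    # 'sub' is Google's stable user identifier; an email address may change.
    return claims["sub"]


if __name__ == "__main__":
    # Constructed sample claims, shaped like decoded Google ID token payloads.
    workspace_user = {"sub": "1001", "email": "alice@domain.com",
                      "email_verified": True, "hd": "domain.com"}
    consumer_user = {"sub": "1002", "email": "bob@gmail.com",
                     "email_verified": True}  # no 'hd' claim: not a hosted account
    other_tenant = {"sub": "1003", "email": "eve@other.example",
                    "email_verified": True, "hd": "other.example"}
    for c in (workspace_user, consumer_user, other_tenant):
        print(c["email"], "->", user_from_token(c))
```

In the Flask callback, call `user_from_token` on the verified claims before creating the session and reject the login when it returns None.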