Restrict login to specific domain using Node Passport with Google Auth

James Morris · Apr 14, 2014 · Viewed 7.9k times

I am implementing Google Auth on an internal service at work. It is a JS client heavy application with a Node backend. I am choosing to use the Node module Passport.js with the passport-google-oauth strategy.

I have successfully got it working but one thing is still confusing me. I want to ensure my application allows only company employees to login. I understand that you can restrict the login by domain using a parameter called "hd", according to the official documentation.

Firstly, where do you send that parameter in the context of Passport.js? I just don't understand where in the code that is put. If it helps, I have been mostly following the example passport-google-oauth provides.

Secondly, in theory how does this all work? Is it on the Google side, where they reject anyone trying to access the app with a domain outside of our company? Or is it on my side, that I need to check what domain the user is logging in from?

Answer

aembke · Apr 15, 2014

Here's an example:

// first make sure you have access to the proper scope on your login route
app.get("/login", passport.authenticate("google", {
    scope: ["profile", "email"]
}));

// set up your Google OAuth strategy elsewhere...
// (GoogleStrategy here is require("passport-google-oauth").OAuth2Strategy)
passport.use(new GoogleStrategy({
    clientID: "something",
    clientSecret: "something",
    callbackURL: "/something"
}, function(token, refreshToken, profile, done){
    if(profile._json.hd === "yourdomain.com"){
        // find or create user in database, etc
        User.find({ id: profile.id }).done(done);
    }else{
        // fail: the account is not on the company's hosted domain
        done(new Error("Invalid host domain"));
    }
}));

And for good measure here's a full variable dump of what the "profile" variable looks like.

{ 
    provider: 'google',
    id: '12345678987654321',
    displayName: 'Don Draper',
    name: { familyName: 'Whitman', givenName: 'Richard' },
    emails: [ { value: '[email protected]' } ],
    _raw: 'a bunch of stringified json',
    _json: { 
        id: '123456789',
        email: '[email protected]',
        verified_email: true,
        name: 'Don Draper',
        given_name: 'Don',
        family_name: 'Draper',
        link: 'https://plus.google.com/123456789',
        picture: 'https://lh3.googleusercontent.com/XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/123456789/photo.jpg',
        gender: 'male',
        locale: 'en',
        hd: 'yourdomain.com' 
    } 
}

Here are some detailed tutorials that should answer your question about the theory behind all of this. You'll want some combination of the two.

  1. Local authentication and basic setup
  2. Google authentication
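The following is an added example, not code from the answer above or from Passport itself, that isolates the server-side part of the answer into a testable check. It matters because the "hd" value sent to Google's authorization URL only narrows the account chooser; the admit/deny decision has to be made in your verify callback from the profile Google hands back. The check below generalises the single `===` comparison to a set of allowed domains, rejects consumer accounts that carry no `hd` at all, requires `verified_email`, and cross-checks the primary email's domain against `hd`. The `findOrCreate` hook, its `(user) => Promise` signature, and the sample profiles are assumptions made for this example; the profile shapes follow the dump in the answer.

```javascript
// Added example (not from the original answer): server-side hosted-domain
// check for a Passport Google OAuth verify callback.

// Normalise a domain for comparison: lower-case, surrounding whitespace removed.
function normalizeDomain(d) {
  return typeof d === "string" ? d.trim().toLowerCase() : "";
}

// Inspect a passport-google-oauth profile and decide whether it belongs to
// one of the allowed Google hosted domains.
// Returns { ok: true, user: {...} } or { ok: false, reason: "..." }.
function checkHostedDomain(profile, allowedDomains) {
  const allowed = new Set(allowedDomains.map(normalizeDomain));
  const json = (profile && profile._json) || {};
  const hd = normalizeDomain(json.hd);

  // Consumer accounts carry no hd at all; absence is a reject, not a pass.
  if (!hd) {
    return { ok: false, reason: "no hosted domain on account" };
  }
  if (!allowed.has(hd)) {
    return { ok: false, reason: "hosted domain " + hd + " not allowed" };
  }
  // Google reports whether the address is verified; only admit verified ones.
  if (json.verified_email !== true) {
    return { ok: false, reason: "email not verified" };
  }
  // The primary email's domain must agree with hd.
  const email = typeof json.email === "string" ? json.email.trim().toLowerCase() : "";
  const at = email.lastIndexOf("@");
  const emailDomain = at >= 0 ? email.slice(at + 1) : "";
  if (emailDomain !== hd) {
    return { ok: false, reason: "email domain does not match hd" };
  }
  return {
    ok: true,
    user: { googleId: profile.id, email, displayName: profile.displayName, domain: hd },
  };
}

// Build the (accessToken, refreshToken, profile, done) callback Passport expects.
// findOrCreate is the application's own persistence hook (assumed signature:
// (user) => Promise<storedUser>). Rejections use done(null, false, info), the
// Passport convention for "authentication failed", so a wrong-domain login
// becomes a failed login rather than a server error.
function makeVerifyCallback(allowedDomains, findOrCreate) {
  return function verify(accessToken, refreshToken, profile, done) {
    const result = checkHostedDomain(profile, allowedDomains);
    if (!result.ok) {
      return done(null, false, { message: result.reason });
    }
    findOrCreate(result.user).then(
      (stored) => done(null, stored),
      (err) => done(err)
    );
  };
}

// Constructed sample profiles, shaped like the dump in the answer.
const employeeProfile = {
  provider: "google", id: "12345678987654321", displayName: "Don Draper",
  _json: { email: "don.draper@yourdomain.com", verified_email: true, hd: "yourdomain.com" },
};
const gmailProfile = {
  provider: "google", id: "111", displayName: "Someone Else",
  _json: { email: "someone@gmail.com", verified_email: true },
};
const mismatchedProfile = {
  provider: "google", id: "222", displayName: "Odd Profile",
  _json: { email: "x@other.example", verified_email: true, hd: "yourdomain.com" },
};

// Stand-alone demonstration.
for (const p of [employeeProfile, gmailProfile, mismatchedProfile]) {
  console.log(p.displayName, "->", JSON.stringify(checkHostedDomain(p, ["yourdomain.com"])));
}
```

To wire it in, pass `makeVerifyCallback(["yourdomain.com"], yourFindOrCreate)` as the second argument to `new GoogleStrategy(...)` in place of the inline function in the answer.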