Currently this module creates a user account for all logins via Google. There are some circumstances where this is not desirable. We have an internal (intranet) site which we would like to restrict to specific domains. We might later wish to open this site to the internet but still restrict access, possibly even to specific users.

We also have a problem where users have multiple Google accounts, e.g. a work account and a personal account. They can too easily sign in with their personal account when they mean to sign in with their work account.

In the first case we would like to be able to whitelist domains. We would also like the option to whitelist particular Google accounts.

Superficially, it seems that this could be achieved only after the user has authenticated to Google and their details have been passed back to Drupal. I could attempt this myself if pointed in the right direction.

Comments

sadashiv

Hi,

What do you mean by "restrict to specific domains"? For restricting account creation, I think we need one more hook which gets invoked before creating the account. It can then be implemented by a custom module, where we can write any business use case and return whether the account should be created or not.

Thanks,
Sadashiv.

Brian Chamber of Secrets

Hello,

I managed to track down what looks like the appropriate code to modify in ./modules/gauth/gauth_login/gauth_login.module. I inserted a check, carried out after authentication to Google, against the domain of the returned email address. It appears to work OK. It should theoretically be secure, since it relies on data returned directly from Google and checks only on the server side.

At the moment I have the domains stored in an array, so it is not so friendly to modify. I inserted it just before the code which creates the account, which I wrapped in an else.

    // Domain part of the address Google returned, e.g. 'domain1.com'.
    $email_domain = substr(strrchr($info['email'], "@"), 1);
    $allowed_domains = array('domain1.com', 'domain1.com.au');
    if (!in_array($email_domain, $allowed_domains)) {
      // Not an allowed domain: warn and fall through without creating an account.
      drupal_set_message(t("Access is restricted to Authorised staff"), 'warning');
    }
    else {

Then the standard code is inside the else, starting with the lines:

        $user = new stdClass();
        $user->mail = $info['email'];

and ending with

        $account['uid'] = $user->uid;
        drupal_write_record('gauth_accounts', $account);

And close the else.

The net result is that if the domain for the returned email address is not in the array, then it throws a warning and does not create the account. Not perfect, but it works for me.

Kind regards,

brack11

There is a more appropriate way: edit gauth/gauth_login/gauth_login.module, function gauth_login_user_login_submit. On line about 165 there is a variable $url; change this:

$url = 'https://accounts.google.com/o/oauth2/auth?response_type=code&redirect_uri=' . $GLOBALS['base_url'] . '/gauth/response_handler&client_id=' . variable_get('gauth_login_client_id') . '&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&access_type=offline&state=' . $_SESSION['gauth_login_state'];

into this:

$url = 'https://accounts.google.com/o/oauth2/auth?response_type=code&redirect_uri=' . $GLOBALS['base_url'] . '/gauth/response_handler&client_id=' . variable_get('gauth_login_client_id') . '&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&access_type=offline&hd=yourdomain.com&state=' . $_SESSION['gauth_login_state'];

You can see I just added &hd=yourdomain.com so that only calls from this domain are accepted. It is documented here: https://developers.google.com/accounts/docs/OAuth2Login#hd-param
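
The two approaches in this thread (the server-side domain check in the comment above by Brian Chamber of Secrets, and the hd= parameter in brack11's comment) can be combined. The following is an added example; it is not code from the gauth module or from anyone's post here. The hd= value is only a hint: the authorisation URL is built for the browser, which can drop or change the parameter, and it accepts a single domain, so the check that actually enforces the restriction is the server-side one over the userinfo Google sends back, which also supports several domains and individual accounts. The function names, the $allowed_* lists and the shape of $info (Google's v2 userinfo fields email, verified_email and the optional hd) are assumptions; /gauth/response_handler, variable_get('gauth_login_client_id') and $_SESSION['gauth_login_state'] are taken from the thread.

```php
<?php
// Added example, not code from the gauth module. Assumes $info is the array
// gauth_login builds from Google's v2 userinfo response ('email',
// 'verified_email', optional 'hd'); function names and lists are hypothetical.

/**
 * Build the Google authorisation URL, optionally with an hd= hint.
 *
 * http_build_query() percent-encodes every value, so a redirect URI or state
 * token containing '&' cannot inject extra parameters into the URL.
 */
function gauth_login_example_auth_url($base_url, $client_id, $state, $hd = NULL) {
  $params = array(
    'response_type' => 'code',
    'redirect_uri'  => $base_url . '/gauth/response_handler',
    'client_id'     => $client_id,
    'scope'         => 'https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email',
    'access_type'   => 'offline',
    'state'         => $state,
  );
  if ($hd !== NULL) {
    // Only one domain can be hinted here; several domains need the server-side check.
    $params['hd'] = $hd;
  }
  return 'https://accounts.google.com/o/oauth2/auth?' . http_build_query($params);
}

/**
 * Server-side decision: may this Google identity log in or get an account?
 *
 * @param array $info            Userinfo array returned by Google.
 * @param array $allowed_domains Domains whose users are permitted.
 * @param array $allowed_users   Individual addresses permitted regardless of domain.
 *
 * @return bool
 */
function gauth_login_example_is_allowed(array $info, array $allowed_domains, array $allowed_users) {
  // Refuse anything Google has not reported as a verified address.
  if (empty($info['email']) || empty($info['verified_email'])) {
    return FALSE;
  }
  $email = strtolower(trim($info['email']));
  $at = strrpos($email, '@');
  if ($at === FALSE) {
    return FALSE;
  }
  // Exact, case-insensitive domain comparison; a trailing dot is stripped so
  // 'example.com.' cannot slip past it.
  $domain = rtrim(substr($email, $at + 1), '.');
  $allowed_domains = array_map('strtolower', $allowed_domains);
  $allowed_users   = array_map('strtolower', $allowed_users);

  if (in_array($email, $allowed_users, TRUE)) {
    return TRUE;   // Individually allowlisted account, any domain.
  }
  if (!in_array($domain, $allowed_domains, TRUE)) {
    return FALSE;  // 'example.com.attacker.net' and 'notexample.com' land here.
  }
  // If Google reports a hosted domain, it must be an allowed one too. This is
  // the claim to validate; the hd= request parameter on its own proves nothing.
  if (!empty($info['hd']) && !in_array(strtolower($info['hd']), $allowed_domains, TRUE)) {
    return FALSE;
  }
  return TRUE;
}

// Constructed sample userinfo responses exercising the decision.
$allowed_domains = array('example.com', 'example.com.au');
$allowed_users   = array('contractor@gmail.com');
$samples = array(
  array('email' => 'Alice@Example.com', 'verified_email' => TRUE, 'hd' => 'example.com'),  // allowed
  array('email' => 'bob@example.com.attacker.net', 'verified_email' => TRUE),              // rejected
  array('email' => 'contractor@gmail.com', 'verified_email' => TRUE),                       // allowed (user list)
  array('email' => 'mallory@example.com', 'verified_email' => FALSE),                       // rejected (unverified)
);
foreach ($samples as $info) {
  $verdict = gauth_login_example_is_allowed($info, $allowed_domains, $allowed_users) ? 'allowed' : 'rejected';
  print $info['email'] . ': ' . $verdict . "\n";
}
print gauth_login_example_auth_url('https://intranet.example.com', 'CLIENT_ID', 'abc123', 'example.com') . "\n";
```

In gauth_login.module the check belongs where the comment above places it, after Google has returned $info and before any account is created, with the allowlists loaded from Drupal variables rather than hard-coded. If the module logs in already-linked accounts on a separate code path, the same function should gate that path as well, since the original request covers logins and not only account creation.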

alienseer23

Is this going to be integrated into the main module, or is altering the module the only way to achieve this? Can anyone verify that the suggested solutions work?

Brian Chamber of Secrets

I can confirm my method works, as I am using it. The second method likely works also, although I cannot see a way to limit it to multiple specified domains (one of my requirements) without doing multiple calls.

augbog

Hey, so the solutions here work, but I'm just wondering if anyone knows how to customize or get past the nasty error message that is shown to users. I end up getting an Error 400 page that says invalid_request.

The worst part is that it also has a tab that says Request Details (likely for debugging purposes) that shows my client id, which is not good... Anyone know how to go about this?

greggles

Title: Need to restrict account logins and creations to known domains/users » Allow admins to restrict account logins and creations to known domains/users
Issue tags: -#security +access control

Retitling - features are not needs ;)

Removing an issue tag that doesn't seem directly relevant.

sadashiv

Status: Active » Closed (fixed)

This is fixed in the commit at 12847d4

I still recommend reading #4 and #6 at https://www.drupal.org/node/2321405 before enabling this feature, and testing it before implementing it on production.

Thanks,
Sadashiv.