[Google-api] Restrict Login Email with Google OAuth2.0 to Specific Domain Name


When defining your provider, pass in a hash at the end with the 'hd' parameter. You can read up on that here. https://developers.google.com/accounts/docs/OpenIDConnect#hd-param

E.g., for config/initializers/devise.rb

config.omniauth :google_oauth2, 'identifier', 'key', {hd: 'yourdomain.com'}

I can't seem to find any documentation on how to restrict the login to my web application (which uses OAuth2.0 and Google APIs) to only accept authentication requests from users with an email on a specific domain name or set of domain names. I would like to whitelist as opposed to blacklist.

Does anyone have suggestions on how to do this, documentation on the officially accepted method of doing so, or an easy, secure work around?

For the record, I do not know any info about the user until they attempt to log in through Google's OAuth authentication. All I receive back is the basic user info and email.

In your passport.use callback you can perform additional checking based on the domain of the primary email address (or whatever you are checking):

if (profile.emails[0].split('@')[1] !== authorizedDomain) {
    return done(null, false);

Client Side:

Using the auth2 init function, you can pass the hosted_domain parameter to restrict the accounts listed on the signin popup to those matching your hosted_domain. You can see this in the documentation here: https://developers.google.com/identity/sign-in/web/reference

Server Side:

Even with a restricted client-side list you will need to verify that the id_token matches the hosted domain you specified. For some implementations this means checking the hd attribute you receive from google after verifying the token.

Full Stack Example:

Web Code:

gapi.load('auth2', function () {
    // init auth2 with your hosted_domain
    // only matching accounts will show up in the list or be accepted
    var auth2 = gapi.auth2.init({
        client_id: "your-client-id.apps.googleusercontent.com",
        hosted_domain: 'your-special-domain.com'

    // setup your signin button
    auth2.attachClickHandler(yourButtonElement, {});

    // when the current user changes
    auth2.currentUser.listen(function (user) {
        // if the user is signed in
        if (user && user.isSignedIn()) {
            // validate the token on your server,
            // your server will need to double check that the
            // `hd` matches your specified `hosted_domain`;
                .then(function () {
                .catch(function (err) {
                    auth2.then(function() { auth2.signOut(); });

Server Code (using googles Node.js library):

If you're not using Node.js you can view other examples here: https://developers.google.com/identity/sign-in/web/backend-auth

const GoogleAuth = require('google-auth-library');
const Auth = new GoogleAuth();
const authData = JSON.parse(fs.readFileSync(your_auth_creds_json_file));
const oauth = new Auth.OAuth2(authData.web.client_id, authData.web.client_secret);

const acceptableISSs = new Set(
    ['accounts.google.com', 'https://accounts.google.com']

const validateToken = (token) => {
    return new Promise((resolve, reject) => {
        if (!token) {
        oauth.verifyIdToken(token, null, (err, ticket) => {
            if (err) {
                return reject(err);
            const payload = ticket.getPayload();
            const tokenIsOK = payload &&
                  payload.aud === authData.web.client_id &&
                  new Date(payload.exp * 1000) > new Date() &&
                  acceptableISSs.has(payload.iss) &&
                  payload.hd === 'your-special-domain.com';
            return tokenIsOK ? resolve() : reject();

passportjs authentication using google apps email id

Your code is missing some vital parts:

passport.use(...); // this you have

// these are required as well.

// please read docs for the following two calls
passport.serializeUser(function(user, done) {
  done(null, user);

passport.deserializeUser(function(obj, done) {
  done(null, obj);

With those in place, I can log in using my Google App address just fine.

EDIT: it only works with Node 0.8 though, Node 0.10 gives an error. I think using passport-google-oauth is a better solution anyway. For that, you have to register your application with Google (here); after registration, you'll be supplied both the GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET codes which you can use.