How to restrict OpenID login to one Google Apps Domain on GAE (again)

StackOverflow https://stackoverflow.com/questions/14637137

Question

I want to restrict login to a python application running on Google App Engine to members of a particular Google Apps Domain using OpenID.

According to the thread How limit Google Federated Login to specific Apps domain? this could be accomplished by simply substitution the ordinary google openid autentication url

https://www.google.com/accounts/o8/id

with

https://google.com/accounts/o8/site-xrds?hd=example.com

This does however not seem to work using users.create_login_url() in GAE for Python. It throws a 500 server error that is not shown in the google app engine log (the log only shows the redirect and the "OpenID" from logging.debug).

Does anyone have any suggestions on how to fix this?

app.yaml

application: example
version: 1
runtime: python27
api_version: 1
threadsafe: yes

handlers:
- url: /_ah/login_required
  script: main.app

- url: .*
  script: main.app
  login: required

main.py:

import webapp2, logging
from google.appengine.api import users

# Any google account, works like a charm
#federated_identity='https://www.google.com/accounts/o8/id'

# only accounts under spefific domain, does not work
federated_identity='https://google.com/accounts/o8/site-xrds?hd=example.com'

dest_url = 'http://example.appspot.com/'

class Main(webapp2.RequestHandler):
    def get(self):
        logging.debug('Main')
        user = users.get_current_user()
        if user:
            self.response.out.write('Hello %s<p>[<a href="%s">log out</a>]' %  (user.email(),
                    users.create_logout_url(self.request.uri)))
        else:
            self.response.out.write('Not logged in')

class OpenID(webapp2.RequestHandler):
    def get(self):
        logging.debug('OpenID')
        login_url = users.create_login_url(dest_url=dest_url,
            federated_identity=federated_identity)
        self.redirect(login_url)

app = webapp2.WSGIApplication([
    ('/_ah/login_required', OpenID),
    ('/', Main)
], debug=True)

Update
Sebastian suggests that a solution might be to url encode the federated identity. I tried url encoding the whole url or only the question mark as suggested. Unfortunately this does not change anything. The redirect urls as shown in the browser address bar or if written to log:

No url encoding:
http://example.appspot.com/_ah/login_redir?claimid=https://google.com/accounts/o8/site-xrds?hd=example.com&continue=http://example.appspot.com/

With url encoding:
http://example.appspot.com/_ah/login_redir?claimid=https%3A%2F%2Fgoogle.com%2Faccounts%2Fo8%2Fsite-xrds%3Fhd%3Dexample.com&continue=http://example.appspot.com/

Was it helpful?

Solution

I think (I haven't tested this myself) that the issue is because the federated_identity is not encoded. Try replacing the question mark with %3F. Also make sure the url

https://google.com/accounts/o8/site-xrds?hd=example.com

works.

The test I did was to go to the url

http://testsk2012.appspot.com/_ah/login_redir?claimid=https://www.google.com/accounts/o8/site-xrds%3Fhd=somesite.com&continue=http://testsk2012.appspot.com/

and it succeeded.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top