1

I am trying Passport.js with a Google Apps email ID. I am able to authenticate using a gmail.com email ID. But how can I authenticate if the email ID is a Google Apps ID (google.com/a/companyname.com)?

This is my code

```javascript
var express = require('express');
var app = express();
var passport = require('passport');
var GoogleStrategy = require('passport-google').Strategy;

passport.use(new GoogleStrategy({
    returnURL: 'http://10.3.0.52:3000/auth/google/return',
    realm: 'http://10.3.0.52:3000/'
},
function(identifier, profile, done) {
    User.findOrCreate({
        openId: identifier
    }, function(err, user) {
        done(err, user);
    });
}
));

app.get('/auth/google', passport.authenticate('google'));

app.get('/auth/google/return', 
    passport.authenticate('google', {
        successRedirect: '/',
        failureRedirect: '/login'
    }));

app.get('/', function(req, res){
    res.writeHead(200);

    res.end("connected");

});

app.listen(process.env.PORT || 3000);
```
laggingreflex
Rajeesh V
  • 1
    I'm using [passport-google-oauth](https://github.com/jaredhanson/passport-google-oauth) (using `OAuth2Strategy`) and I can login using my Google App address just fine. – robertklep Mar 21 '13 at 09:42
  • I edited my question and added my code, for better understanding. I think I should use passport-google-oauth. Can you tell me what "GOOGLE_CLIENT_ID" and "GOOGLE_CLIENT_SECRET" are? – Rajeesh V Mar 21 '13 at 09:49

3 Answers

2

Your code is missing some vital parts:

```javascript
// ...
passport.use(...); // this you have

// these are required as well.
app.use(passport.initialize());
app.use(passport.session());

// please read docs for the following two calls
passport.serializeUser(function(user, done) {
  done(null, user);
});

passport.deserializeUser(function(obj, done) {
  done(null, obj);
});
// ...
```

With those in place, I can log in using my Google App address just fine.

EDIT: it only works with Node 0.8 though, Node 0.10 gives an error. I think using passport-google-oauth is a better solution anyway. For that, you have to register your application with Google (here); after registration, you'll be supplied both the GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET codes which you can use.

robertklep
  • How can I restrict user logins to a particular domain only? Now it is possible to log in from 2 different Google Apps IDs (name@abc.com, name2@xyz.com). I want only users in abc.com to sign in to the app. The code contains the client ID and client secret of the abc.com account. – Rajeesh V Mar 21 '13 at 12:03
  • 1
    [This post](http://stackoverflow.com/a/11001585/893780) explains how to do that using certain URL parameters. I'm not sure if it's possible to pass those parameters to Passport, though. – robertklep Mar 21 '13 at 12:43
  • @robertklep Why do you think that `passport-google-oauth` is better? Please provide a rationale when suggesting that something is better! As far as I can see there are no benefits and a need to create an app first... – Linus Unnebäck Apr 02 '13 at 15:34
  • @Linus well, for one, `passport-google` doesn't work on Node 0.10 (like I said). Also, Google seems to be pushing OAuth2 instead of OpenID as well for cases like this (signing in with Google credentials). – robertklep Apr 02 '13 at 15:56
1

I have created a method that verifies if the email domain is the one I want to authorize:

```javascript
UserSchema.method('checkFordomain', function(value) {
    // Compare the part after the '@' with the authorized domain.
    var parts = value.split('@');
    return (parts[1] === 'companyname.com');
});
```

This is a method I put in the user model, using Mongoose schema models.

```javascript
// Call the method under the name it was registered with on the schema.
if (!user.checkFordomain(profile.emails[0].value)) {
    return done();
}
```

This goes in the callback of the passport google strategy https://github.com/jaredhanson/passport-google-oauth

ZlatiP
  • This answer is not the right answer for this question. I have asked another question: http://stackoverflow.com/questions/15615557/need-to-redirect-to-google-app-email-login-page-instead-of-normal-gmail-login-in. I got the answer too, later. In that, you don't need to validate for the app domain in code. – Rajeesh V Apr 01 '13 at 04:19
  • Sweet! Just what I was lookin' for. – Kyle Hotchkiss Apr 07 '14 at 17:30
  • Your other "correct" answer is suggesting to edit the source code of the oauth2.js? Sure, I know about the hd parameter, but it wasn't working. So accept the answer. – ZlatiP Feb 14 '19 at 12:03
  • @RajeeshV that was the minimal viable solution until the param is supported. What happens if you try to deploy the app, are you copying the whole node_modules folder instead of npm install? You lose all the modifications in node_modules 3rd party libs. So accept the answer. Plus the support for the hd param is already in the official repo if you update your dependencies. – ZlatiP Feb 14 '19 at 12:10
1

In your passport.use callback you can perform additional checking based on the domain of the primary email address (or whatever you are checking):

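```javascript
// Passport profiles carry each email as an object; the address is in `.value`.
if (profile.emails[0].value.split('@')[1] !== authorizedDomain) {
    return done(null, false);
}
```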
linuxdan
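
A stricter form of the domain check from the two answers above, as an added example that is not part of any answer on this page: it splits the address at its last `@`, compares the domain case-insensitively and exactly, and fails closed when the profile has no usable email. `emailDomain`, `makeDomainVerify`, `decide` and the `findOrCreate` stand-in are hypothetical names, and the `verified` flag is an assumption about what the strategy puts in the profile.

```javascript
// Hypothetical helper: returns the lower-cased domain of an address, or null
// when the value is not a single plain mailbox.
function emailDomain(address) {
  if (typeof address !== 'string') return null;
  const at = address.lastIndexOf('@');
  // Reject a missing local part or domain, whitespace and display-name forms.
  if (at <= 0 || at === address.length - 1 || /[\s<>,;]/.test(address)) return null;
  return address.slice(at + 1).toLowerCase();
}

// Hypothetical factory for a Passport verify callback.
// findOrCreate(profile, cb) stands in for the application's own user lookup.
function makeDomainVerify(allowedDomain, findOrCreate) {
  const allowed = allowedDomain.toLowerCase();
  return function verify(accessToken, refreshToken, profile, done) {
    const primary = profile && Array.isArray(profile.emails) ? profile.emails[0] : null;
    const domain = primary ? emailDomain(primary.value) : null;
    // Exact match only: no suffix or substring comparison.
    if (domain !== allowed) return done(null, false, { message: 'domain not allowed' });
    // Assumption: some strategies expose a `verified` flag; fail closed on false.
    if (primary.verified === false) return done(null, false, { message: 'email not verified' });
    return findOrCreate(profile, done);
  };
}

// Runs the callback on a constructed profile in Passport's normalized shape
// and reports whether a user would be logged in.
function decide(email, extra) {
  const verify = makeDomainVerify('companyname.com', (p, cb) => cb(null, { id: p.id }));
  let result = false;
  const profile = { id: '1', emails: [Object.assign({ value: email }, extra)] };
  verify('token', 'refresh', profile, (err, user) => { result = Boolean(user); });
  return result;
}

// Constructed sample addresses.
for (const e of ['name@companyname.com', 'Name@CompanyName.com', 'name2@xyz.com',
  'name@companyname.com.xyz.example', 'name@companyname.com@xyz.example']) {
  console.log(e, decide(e) ? 'allow' : 'deny');
}
```
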