I did this by changing these two lines in the boilerplate AccountController (forgive the rough code),
Old:
    var user = new ApplicationUser { UserName = model.Email, Email = model.Email, Hometown = model.Hometown };
    var result = await UserManager.CreateAsync(user);
New:
    var user = new ApplicationUser { UserName = info.Email, Email = info.Email, Hometown = model.Hometown };
    IdentityResult result = null;
    if (!allowedUsers.Contains(info.Email))
    {
        result = IdentityResult.Failed("User is not in permitted list");
    }
    else
    {
        result = await UserManager.CreateAsync(user);
    }
Also, the (at first commented-out) OAuth stuff in Startup.Auth does not request email addresses, so you'll need to add this Scope bit as well - otherwise info.Email will be null:
    app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
    {
        ClientId = "",
        ClientSecret = "",
        Scope = { "email" }
    });
Each OAuth provider has different scope items, e.g., Microsoft names email "wl.emails" when using Scope in MicrosoftAccountAuthenticationOptions.
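
The allow-list check from the answer above, written as a stand-alone sketch that fails closed when the provider returns no email (the missing-scope case) and compares addresses case-insensitively. This is an added example, not the answerer's code or part of the ASP.NET template; `RegistrationAllowList`, `IsPermitted` and the sample addresses are hypothetical names and constructed values.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper: decides whether an e-mail address returned by an
// external login provider is allowed to register a local account.
public sealed class RegistrationAllowList
{
    private readonly HashSet<string> _allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    public RegistrationAllowList(IEnumerable<string> emails)
    {
        foreach (var email in emails)
        {
            var normalized = Normalize(email);
            if (normalized != null) _allowed.Add(normalized);
        }
    }

    // Null, empty or whitespace-only input has no normalized form.
    private static string Normalize(string email)
    {
        return string.IsNullOrWhiteSpace(email) ? null : email.Trim();
    }

    // Fails closed: a null e-mail (e.g. the "email" scope was not requested,
    // so info.Email is null) is never permitted.
    public bool IsPermitted(string email)
    {
        var normalized = Normalize(email);
        return normalized != null && _allowed.Contains(normalized);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data, for illustration only.
        var allowList = new RegistrationAllowList(
            new[] { "alice@example.com", " bob@example.com " });
        string[] samples =
            { "alice@example.com", "Alice@Example.com", null, "", "mallory@example.com" };

        foreach (var s in samples)
        {
            // In the controller, the "rejected" branch is where
            // IdentityResult.Failed(...) replaces UserManager.CreateAsync(user).
            Console.WriteLine("{0,-22} -> {1}",
                s ?? "(null)", allowList.IsPermitted(s) ? "create user" : "rejected");
        }
    }
}
```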