This project has moved. For the latest updates, please go here.

Is it possible to limit google authentication to a specific domain?

Nov 22, 2013 at 6:49 AM
I'm working on a small project that should only authenticate users from our google apps domain. I'm trying to use Owin.Security.Google for authentication and it's currently working but it allows any google users in. How can I limit users to my domain?

Nov 22, 2013 at 4:28 PM
I don't think you can do that in advance, but once they have authenticated you can verify the domain on their e-mail address listed in the identity claims.

If you look at GoogleAuthenticationProvider.OnAuthenticated, it looks like you can reset the identity and properties to null if it's not for a user/domain that you want to allow.
Nov 22, 2013 at 4:58 PM
Thank you for your response. Yes, I can try the method you described.

In my research I found that the URL could be changed to include a parameter indicating the domain to be limited. For example: Here, "hd" would specify the domain. Are you familiar with this option? Is this option implemented here?
Marked as answer by Tratcher on 5/21/2014 at 2:21 PM
Nov 22, 2013 at 5:07 PM
Ah, I wasn't aware of that option. The following work item tracks making the challenge URI more extensible. Please add your scenario to those already listed.
Marked as answer by Tratcher on 5/21/2014 at 2:21 PM
Nov 22, 2013 at 5:55 PM
Thanks. I added my scenario.
Jan 19, 2014 at 8:50 PM

The workitem has been marked as resolved, but I can't see a way to implement what mga911 was asking for (which is what I need aswell). Can you confirm this was fixed as well in 2.1.0 RC?
Jan 20, 2014 at 4:14 PM
In 2.1.0-RC1 there is a new event where you can manipulate the redirect URI sent to the client. See GoogleAuthenticationProvider.OnApplyRedirect.
Jan 20, 2014 at 8:32 PM
I've tried using that override, with OnApplyRedirect = context => context.Response.Redirect("<domain>/o8/ud?be=o8"), however it redirects me to a Google page with

"Error: invalid_request

Error in parsing the OpenID auth request."

Do you have a working use case for authenticating against google in this manner? Quite possible I've missed something, as I cant see how the openid context is passed to the URL, unless its under the hood.

Jan 20, 2014 at 8:39 PM
Ignore me... Figured it out.
Marked as answer by Tratcher on 5/21/2014 at 2:21 PM