I am trying to use OpenID in my application and I have done it successfully with DotNetOpenId.
Now, Google provides service for email and others under the domain of the companies (like example@acompany.com). Is there a way to narrow down the authentication to users of a company only?
I know I can do it simply by checking the email address from the response. But I do not think this is a good idea. It's better if the user is NOT authenticated by Google accounts other than those of acompany.com.
Please note that I do NOT know the inside logic of Open Authentication or DotNetOpenId.
By default Google's OpenID request prompts `https://accounts.google.com/ServiceLogin?...`
I can manually change it (in the browser) to `https://accounts.google.com/a/iit.du.ac.bd/ServiceLogin?...`
and it works (iit.du.ac.bd is my school's domain).
I have tried to create the request with

```csharp
using DotNetOpenId;                // Identifier
using DotNetOpenId.RelyingParty;   // OpenIdRelyingParty, IAuthenticationRequest

// Two candidate identifiers for the hosted domain
Identifier id1 = Identifier.Parse("https://www.google.com/a/iit.du.ac.bd");
Identifier id2 = Identifier.Parse("https://www.google.com/a/iit.du.ac.bd/accounts/o8/id");

var openid = new OpenIdRelyingParty();
IAuthenticationRequest request1 = openid.CreateRequest(id1);
IAuthenticationRequest request2 = openid.CreateRequest(id2);
```

Google's identifier is `https://www.google.com/accounts/o8/id`
Just found google-apps-openid-url
Your hesitation on using email addresses as your filter is absolutely correct. Follow your instinct. :)
You should filter on the OP Endpoint. This will not only assure you that Google is the Provider, but Google has a dedicated OP Endpoint for each individual domain, so you can check that.
```csharp
IAuthenticationResponse response = relyingParty.GetResponse();
if (response != null) {
    if (response.Provider.Uri.AbsoluteUri == "http://google.com/o8/....?domain=yourcompany.com") {
        // Allow it
    } else {
        // Disallow it
    }
}
```
Something like that. You'll have to test to see what the actual URI is for the case you're expecting.
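One way to put the answer's advice into a complete handler, as an added example that is not code from the question, the answer, or the DotNetOpenId project: the check compares the discovered OP endpoint component by component (scheme, host, port, path and query) against a value the relying party configures after observing it, instead of trusting the email address or the claimed identifier string. `ExpectedOpEndpoint` is a placeholder to be replaced with the endpoint you observe for your domain; the use of `response.Status` and `AuthenticationStatus.Authenticated` assumes the DotNetOpenId API as commonly used and should be confirmed against your library version.

```csharp
using System;
using DotNetOpenId;                // Identifier, AuthenticationStatus
using DotNetOpenId.RelyingParty;   // OpenIdRelyingParty, IAuthenticationResponse

// Added example: restrict login to one Google Apps domain by checking the
// OP endpoint that discovery actually produced for the response.
static class DomainRestrictedLogin
{
    // PLACEHOLDER: replace with the OP endpoint you observe for your domain
    // (the answer above says to test to find the real value).
    static readonly Uri ExpectedOpEndpoint =
        new Uri("https://PLACEHOLDER-OP-ENDPOINT-FOR-YOUR-DOMAIN.invalid/o8/id");

    // Compare two endpoints structurally rather than as raw strings.
    // System.Uri already lowercases scheme and host, so an ordinal comparison
    // of scheme+authority and path+query is exact and case-sensitive where it
    // should be (path, query) and case-insensitive where it should be (host).
    public static bool IsExpectedProvider(Uri actual, Uri expected)
    {
        if (actual == null || expected == null) return false;
        if (actual.Scheme != Uri.UriSchemeHttps) return false;   // insist on TLS
        int cmp = Uri.Compare(
            actual, expected,
            UriComponents.SchemeAndServer | UriComponents.PathAndQuery,
            UriFormat.Unescaped,
            StringComparison.Ordinal);
        return cmp == 0;
    }

    // Returns the claimed identifier to sign in, or null if the login is refused.
    public static string HandleResponse(OpenIdRelyingParty relyingParty)
    {
        IAuthenticationResponse response = relyingParty.GetResponse();
        if (response == null) return null;                        // not an OpenID response

        // Assumption: Status/AuthenticationStatus as exposed by DotNetOpenId.
        if (response.Status != AuthenticationStatus.Authenticated)
            return null;                                          // cancelled or failed

        // The decisive check: which OP endpoint answered, not which email it asserted.
        if (!IsExpectedProvider(response.Provider.Uri, ExpectedOpEndpoint))
            return null;                                          // wrong provider or wrong domain

        return response.ClaimedIdentifier.ToString();
    }
}
```

Because the comparison is on the endpoint that discovery resolved, a user who signs in with a plain Google account (whose endpoint differs from the hosted-domain endpoint) is refused even if the asserted email happens to end in your company's domain.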