I'm trying to restrict access for a Google App Engine website to accounts of a specific Google Apps-Domain. In the Google Developers Console in app settings, I've already set the authentication method to "Google Apps-Domain" and entered the domain in the format "xxx.com". But when I'm testing this on my local webserver test page that I've set up, Google still lets me sign in with accounts that are not managed by the domain that I configured. Did I miss something? How can I restrict access to accounts of that domain without "manually" (aka doing it on my server) checking for the domain-string in the e-mail address of the user that just logged in to my App Engine site?
Extracted from the GAE official docs:
Using Users
The development web server simulates Google Accounts with its own sign-in and sign-out pages. While running under the development web server, the methods that generate sign-in and sign-out URLs return URLs for /_ah/login and /_ah/logout on the local server.
The development sign-in page includes a form where you can enter an email address. Your session uses whatever email address you enter as the active user.
To have the application believe that the logged-in user is an administrator, check the "Sign in as Administrator" checkbox on the form.
In other words, if you see the real Google login form, it is because you're doing something other than using the plain development server, which, by the way, doesn't have a clue about your settings in the Developers' Console.
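Since the development server accepts whatever address is typed into its sign-in form, a domain check in application code is one way to exercise the restriction locally. The sketch below is an added example, not part of the answer or the GAE docs: the function names are hypothetical, "xxx.com" is the placeholder domain from the question, and the sample addresses are constructed. It puts a substring check beside an exact match on the domain part.

```python
# Added example: exact-match domain check for a signed-in user's e-mail.
# In an App Engine app the address would come from the Users API
# (users.get_current_user().email()); here it is passed in as a string.

ALLOWED_DOMAIN = "xxx.com"  # placeholder domain taken from the question


def naive_in_domain(email, allowed_domain=ALLOWED_DOMAIN):
    """Weak check: substring match, shown only for comparison."""
    return isinstance(email, str) and allowed_domain in email


def email_in_domain(email, allowed_domain=ALLOWED_DOMAIN):
    """Return True only if the part after the single '@' equals the domain."""
    if not isinstance(email, str) or not allowed_domain:
        return False
    local, sep, domain = email.strip().rpartition("@")
    # Require exactly one '@' and a non-empty local part.
    if not sep or not local or "@" in local:
        return False
    # Domain names are case-insensitive, so compare in lower case.
    return domain.lower() == allowed_domain.lower()


# Constructed sample input: the kind of strings the dev sign-in form accepts.
SAMPLE_EMAILS = [
    "alice@xxx.com",
    "ALICE@XXX.COM",
    "bob@gmail.com",
    "eve@evilxxx.com",            # domain merely ends with the allowed one
    "eve@xxx.com.evil.example",   # allowed domain used as a subdomain label
    "xxx.com@gmail.com",          # allowed domain in the local part
    "test",                       # no '@' at all
]


def compare(emails=SAMPLE_EMAILS):
    """Return (email, naive_result, strict_result) for each address."""
    return [(e, naive_in_domain(e), email_in_domain(e)) for e in emails]


if __name__ == "__main__":
    for email, naive, strict in compare():
        print("%-28s naive=%-5s strict=%s" % (email, naive, strict))
```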