SocialConnect/auth

Additional auth url parameters

highstrike opened this issue · 3 comments

Hello,

Using Google as provider on OAuth2, I have a situation where I would like to restrict the domain of the google account that is signing in and this can be done by adding an additional parameter called hd.
See here

Currently, I cannot add custom parameters unless I append them to the string that was generated by makeAuthUrl(), which seems like a missed opportunity.

I was thinking maybe adding a parameter to that makeAuthUrl() function which would be in the form of an array of additional URL parameters that would be merged with the default provider parameter array taken from getAuthUrlParameters.

OR, even better, the additional parameters could be defined in the configuration part, for example:

'provider' => [
    'google' => [
        'parameters' => [
            'hd' => 'domain.tld',
        ],
        'applicationId' => '12345xyz',
        'applicationSecret' => '9876abc',
        'scope' => [
            'https://www.googleapis.com/auth/userinfo.email',
            'https://www.googleapis.com/auth/userinfo.profile',
        ],
    ],
],

Because I am using the cake package provided by @ADmad, changing the makeAuthUrl() function would mean updates to his library as well, assuming he would accept them. If the additional parameters are defined in the configuration part then no changes would be needed in any package because it would be native :)

Thanks

ADmad commented

Based on the google docs the hd param only seems to deal with UI optimization. It actually states: Don't rely on this UI optimization to control who can access your app.

So it doesn't "restrict the domain of the google account that is signing in" like you / SO poster claims.

Regardless, having a way to customize the auth URL and setting additional params would be nice.

> So it doesn't "restrict the domain of the google account that is signing in" like you / SO poster claims.

Thank you for your concerns @ADmad.

Yes, the hd param is a frontend optimization as it provides a way for google to display a new sign in page in case you're logged in with your personal gmail account for example.

And, of course, additional checks need to be made server side to ensure people don't just take the hd parameter out of the url and actually breach your system.

ovr commented

I have implemented a solution to fix this problem, but it will be released in 2.0.0 😸

The configuration will be:

        'google' => array(
            'applicationId' => '',
            'applicationSecret' => '',
            'scope' => [],
            'options' => [
                'auth.parameters' => [
                    'hd' => 'domain.tld',
                ]
            ]
        ),
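
As an added example (not part of the original thread and not SocialConnect/auth code): the `hd` value sent in the auth URL is only a hint, so the callback has to check the `hd` claim of the verified ID token. The helper names and sample claims below are hypothetical, and the claims are assumed to come from a token whose signature, issuer, audience and expiry have already been validated.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: merge extra auth parameters (such as hd) into the
 * provider defaults. The result only influences Google's sign-in UI.
 */
function buildAuthUrl(string $endpoint, array $defaults, array $extra): string
{
    return $endpoint . '?' . http_build_query(array_merge($defaults, $extra));
}

/**
 * Hypothetical helper: server-side domain check on the callback.
 * $claims must be the payload of an already verified Google ID token.
 */
function isAllowedHostedDomain(array $claims, string $allowedDomain): bool
{
    // Personal Google accounts carry no "hd" claim at all; reject them.
    if (!isset($claims['hd']) || !is_string($claims['hd'])) {
        return false;
    }
    // Compare the claim itself, never an hd value echoed back in a URL.
    if (strcasecmp($claims['hd'], $allowedDomain) !== 0) {
        return false;
    }
    // Only trust an address Google reports as verified.
    return ($claims['email_verified'] ?? false) === true;
}

echo buildAuthUrl(
    'https://accounts.google.com/o/oauth2/v2/auth',
    ['client_id' => '12345xyz', 'response_type' => 'code', 'scope' => 'openid email'],
    ['hd' => 'domain.tld']
), "\n";

// Constructed sample claims, as they would look after token verification.
$samples = [
    'workspace user'       => ['email' => 'alice@domain.tld', 'email_verified' => true, 'hd' => 'domain.tld'],
    'hd removed from URL'  => ['email' => 'bob@gmail.com', 'email_verified' => true],
    'other organisation'   => ['email' => 'eve@other.tld', 'email_verified' => true, 'hd' => 'other.tld'],
];

foreach ($samples as $label => $claims) {
    printf("%-20s %s\n", $label, isAllowedHostedDomain($claims, 'domain.tld') ? 'allow' : 'deny');
}
```

Only the first sample is allowed; the account that signed in after `hd` was dropped from the URL has no `hd` claim and is denied.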