I want to restrict login to a python application running on Google App Engine to members of a particular Google Apps Domain using OpenID.
According to the thread How limit Google Federated Login to specific Apps domain? this could be accomplished by simply substituting the ordinary Google OpenID authentication URL
with
This does not, however, seem to work using users.create_login_url() in GAE for Python. It throws a 500 server error that is not shown in the Google App Engine log (the log only shows the redirect and the "OpenID" from logging.debug).
Does anyone have any suggestions on how to fix this?
app.yaml:
application: example
version: 1
runtime: python27
api_version: 1
threadsafe: yes
handlers:
- url: /_ah/login_required
  script: main.app
- url: .*
  script: main.app
  login: required
main.py:
import cgi
import logging
import webapp2
from google.appengine.api import users

# Any Google account, works like a charm
#federated_identity = 'https://www.google.com/accounts/o8/id'
# Only accounts under a specific domain, does not work
federated_identity = 'https://google.com/accounts/o8/site-xrds?hd=example.com'
dest_url = 'http://example.appspot.com/'


class Main(webapp2.RequestHandler):
    def get(self):
        logging.debug('Main')
        user = users.get_current_user()
        if user:
            # The e-mail address comes from the identity provider, so escape it
            # before writing it into HTML.
            self.response.out.write('Hello %s<p>[<a href="%s">log out</a>]' % (
                cgi.escape(user.email()),
                users.create_logout_url(self.request.uri)))
        else:
            self.response.out.write('Not logged in')


class OpenID(webapp2.RequestHandler):
    def get(self):
        logging.debug('OpenID')
        login_url = users.create_login_url(dest_url=dest_url,
                                           federated_identity=federated_identity)
        self.redirect(login_url)


app = webapp2.WSGIApplication([
    ('/_ah/login_required', OpenID),
    ('/', Main)
], debug=True)
Update
Sebastian suggests that a solution might be to URL-encode the federated identity. I tried URL-encoding the whole URL or only the question mark as suggested. Unfortunately this does not change anything.
The redirect URLs as shown in the browser address bar or when written to the log:
No URL encoding:
http://example.appspot.com/_ah/login_redir?claimid=https://google.com/accounts/o8/site-xrds?hd=example.com&continue=http://example.appspot.com/
With URL encoding:
http://example.appspot.com/_ah/login_redir?claimid=https%3A%2F%2Fgoogle.com%2Faccounts%2Fo8%2Fsite-xrds%3Fhd%3Dexample.com&continue=http://example.appspot.com/
I think (I haven't tested this myself) that the issue is because the federated_identity is not encoded. Try replacing the question mark with %3F. Also make sure the URL works.
The test I did was to go to the URL
and it succeeded.
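As an added example (not code from the question or from the answer above), the following shows the two points the thread turns on: the claim id is carried inside another query string, so its own ? and = must be percent-encoded (which urlencode does, yielding the %3F the answer mentions), and the hd= hint only asks the identity provider to prefer a hosted domain, so the application should still check the domain of the e-mail address it gets back before treating the user as a member. The domain example.com and the helper names (build_claimid, build_login_redirect, parse_login_redirect, email_domain, is_allowed_user) are assumptions for the example; it does not call the App Engine users API, so it runs on plain Python 2.7 or 3.

```python
# Added example, not from the question or answer: encode the claim id
# correctly and re-check the hosted domain server-side after login.
try:
    from urllib.parse import urlencode, urlparse, parse_qs  # Python 3
except ImportError:  # Python 2.7, the runtime named in the question's app.yaml
    from urllib import urlencode
    from urlparse import urlparse, parse_qs

ALLOWED_DOMAIN = "example.com"  # placeholder domain, as in the question


def build_claimid(domain):
    """Build the site-xrds claim id for a hosted domain; urlencode handles
    the hd parameter instead of pasting the domain into the string."""
    return "https://google.com/accounts/o8/site-xrds?" + urlencode({"hd": domain})


def build_login_redirect(app_base, claimid, continue_url):
    """Return the /_ah/login_redir URL with claimid and continue percent-encoded,
    so the '?' and '=' inside the claim id are not read as outer separators."""
    query = urlencode([("claimid", claimid), ("continue", continue_url)])
    return app_base.rstrip("/") + "/_ah/login_redir?" + query


def parse_login_redirect(url):
    """Decode the redirect URL the way the receiving server would."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in params.items()}


def email_domain(email):
    """Return the lower-cased domain of an address, or None if it is malformed
    (empty, surrounding whitespace, missing local part or domain, or a second
    '@' in the local part such as 'eve@evil.com@example.com')."""
    if not email or email != email.strip():
        return None
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def is_allowed_user(email, allowed_domain=ALLOWED_DOMAIN):
    """Server-side membership check: exact, case-insensitive domain match.
    'example.com.evil.net' and 'sub.example.com' are both rejected."""
    return email_domain(email) == allowed_domain.lower()


if __name__ == "__main__":
    claim = build_claimid(ALLOWED_DOMAIN)
    url = build_login_redirect("http://example.appspot.com/", claim,
                               "http://example.appspot.com/")
    print(url)
    print(parse_login_redirect(url))
    for addr in ("alice@example.com", "Bob@EXAMPLE.COM", "carol@gmail.com",
                 "dave@example.com.evil.net", "eve@evil.com@example.com"):
        print(addr, is_allowed_user(addr))
```

The second check is the one that matters for access control: a login URL only steers which identity provider page is shown, and an application that relies on it alone has not verified anything about the user it is about to serve.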