amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0

Allow/deny access for Google accounts based on hosted domain #66

Open lucasgao opened 6 years ago

lucasgao commented 6 years ago

Hi. I'm trying to register an auth with the application where only users of a specific Google hosted domain are allowed. Others are supposed to be denied.

So when auth.getSession() goes to https://xxxx.auth.us-east-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=xxxxxxxxxxx&redirect_uri=localhost:4200, it lists all your Google email accounts. Is there any config or any way to only allow a specific test@allowtologin.com Google email to auth and deny the test@denytologin.com Google email?

Thanks

lucasgao commented 6 years ago

The Google OAuth flow accepts an extra "hd" (hosted domain) parameter to state which domain is allowed to login. Only accounts from that domain will show up on the account selector, and in the event that no account from that domain is available, the UI will hint which accounts are allowed and will forbid logins from any other domain.

Google Auth: Can you guys add "hd" parameter in the request @yuntuowang ?

Thanks!!!!!!

yuntuowang commented 6 years ago

Hi @lucasgao, based on your use case, I suggest you use our AWS Lambda triggers to customize User Pool workflows. You can use the Pre sign-up trigger to block sign-up of certain Gmail accounts; you can use the Pre authentication trigger to block sign-in of certain Gmail accounts.

Depending on your use case, you have many options; details here: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

jlobera commented 6 years ago

Don't know if it applies, but Google always checks a header named "X-GoogApps-Allowed-Domains" which you can insert with your allowed domain.

Like in this McAfee KB:

https://kc.mcafee.com/corporate/index?page=content&id=KB72538

annjawn commented 5 years ago

@yuntuowang, care to share some more details on how to "block" users from registering to the user pool? I have read the documentation link you provided multiple times and there is no mention or clear instructions on how to deny. I have also tested the Pre sign-up Lambda for federated as well as pool users, but there is no clear-cut way to deny registration. Also mix that with Amplify and there is simply no way. My use case is simple: I have a User Pool SAML app with OneLogin, and I maintain a list of authorized users in DynamoDB. If the user is there in DynamoDB they can access the app; otherwise they should be denied registration. This is my Pre sign-up Lambda:

exports.handler = async (event) => {
    console.log("Event is = ", event);
    if (event.triggerSource === 'PreSignUp_ExternalProvider') {
        let valid = false;
        // ......code to check if user is in DynamoDB and set valid = true | false
        if (!valid) {
            // user is not on the DynamoDB allowlist: deny registration
            var error = new Error("You do not have permission to access this app.");
            return error;
        } else {
            return event;
        }
    }
    return event;
};

This kind of works, somewhat, since the user is actually blocked from registering, at least on the User Pool side, but I am not sure if `return error` is a good idea; neither is `return {}`. Returning an error or {} throws the Amplify Auth.configure() method into a tailspin on the client side and gives me the error "Invalid version. Version should be 1."

valeeum commented 4 years ago

@annjawn

you need to throw the error, not return it.

arekko commented 4 years ago

I have the same problem: when I throw the error, I get back to my client `[ERROR] 05:48.627 OAuth - Error handling auth response. Error: PreSignUp+failed+with+error+%5Bobject+Object%5D` and I have no idea how to handle this error.

valeeum commented 4 years ago

@arekko

Are you using promises via the async function modifier? If so, you would throw the error. If not, use the callback approach.

arekko commented 4 years ago

@valeeum I am using this kind of callback inside my Lambda function with the pre sign-up trigger:

const error = new Error(ERROR_MESSAGE);
callback(error, event)

It correctly validates registration when I am trying to register with email and password; I get back the object with the error message. With Cognito Google federated sign-in it prevents the user creation, but I get the error exception.