feathersjs-ecosystem / authentication-oauth2

[MOVED] OAuth 2 plugin for feathers-authentication
https://github.com/feathersjs/feathers
MIT License

Google "hostedDomain" not working #13

Closed iamso closed 7 years ago

iamso commented 7 years ago

Steps to reproduce

Now this works, also adding the scope works. But adding the "hostedDomain" property doesn't seem to work. I've tried the following ways to add it:

"google": {
  "clientID": "your google client id",
  "clientSecret": "your google client secret",
  "successRedirect": "/",
  "hostedDomain": "station.ch"
},

and

"google": {
  "clientID": "your google client id",
  "clientSecret": "your google client secret",
  "successRedirect": "/",
  "permissions": {
    "hostedDomain": "station.ch"
  }
},

The second way used to work in projects created with the old feathers-cli.

Expected behavior

"hostedDomain" is passed in the OAuth request to Google and only allowed email domains can be used.

Actual behavior

All email domains can be used.

System configuration

Module versions (especially the part that's not working):

"body-parser": "^1.17.1",
"compression": "^1.6.2",
"cors": "^2.8.3",
"eslint": "^3.19.0",
"feathers": "^2.1.1",
"feathers-authentication": "^1.2.1",
"feathers-authentication-hooks": "^0.1.0",
"feathers-authentication-jwt": "^0.3.1",
"feathers-authentication-oauth2": "^0.2.4",
"feathers-configuration": "^0.4.1",
"feathers-errors": "^2.6.3",
"feathers-hooks": "^1.8.1",
"feathers-hooks-common": "^3.0.0",
"feathers-mongodb": "^2.8.0",
"feathers-rest": "^1.7.2",
"feathers-socketio": "^1.5.2",
"helmet": "^3.5.0",
"mocha": "^3.2.0",
"mongodb": "^2.2.25",
"passport-google-oauth20": "^1.0.0",
"request": "^2.81.0",
"request-promise": "^4.2.0",
"serve-favicon": "^2.4.2",
"winston": "^2.3.1"

NodeJS version: v7.7.4

Operating System: macOS Sierra

Browser Version: Chrome 57

iamso commented 7 years ago

Still nothing? This is a must-have feature for company internal tools!

marshallswain commented 7 years ago

@iamso, I understand your desire to use this feature. It will be so great to have it working in your applications!

Here's how pretty much everything around here works. As soon as we find a need for something we want to do, we set to work to make it happen. Almost always, the first person with the need does the investigative work within our extremely helpful community to figure out what parts of the API would need to receive updates in order for our feature to work. That's how all of Feathers has been built up to this point. Somebody wanted a feature, and instead of telling the community that they must have this feature, they start figuring out the solution for themselves.

We have written debugging guides to empower all users to be able to identify and find problems in the actual code. The core team all work on huge, stressful, time-intensive projects, and it's very unlikely that we will run into your exact need for a while. I think it's amazing how much we accomplish with as busy as we all are, once you take into account caring for significant others, children, houses, businesses, and other needs.

The bottom line is this: If you want this feature to happen on your schedule, it will require that you identify and find the problem in the code. At that point, it will be much easier for us to use our ridiculously packed schedules to help you fix your problem. If you don't want to participate in the community the same way as the rest of us, please feel free to continue to post your needs. In all reality, however, we just won't address them until our needs match yours. :wink:

iamso commented 7 years ago

hey @marshallswain, I have traced it back to this line https://github.com/feathersjs/feathers-authentication/blob/master/src/express/authenticate.js#L24, when I do options.hostedDomain = 'domain.tld'; before the call, it works. But so far I haven't been able to find out where the function is called and how to pass that option to that function. Maybe you have some pointers?

sivinnguyen commented 7 years ago

@iamso Using the hostedDomain option only prevents other domains from being displayed. Users can still log in with all domains. You should use the Verifier option https://github.com/feathersjs/feathers-authentication-oauth2#customizing-the-verifier to restrict the domain.

BTW, I'm looking for a way to make the hd option work too.

iamso commented 7 years ago

@sivinnguyen thanks for the hint. I'll look into the Verifier, but would still be nice to have the hostedDomain option.

Let me know if you make any progress.

ekryski commented 7 years ago

@iamso how are you configuring your OAuth2 plugin? If you are not passing in your config explicitly when configuring the OAuth2 plugin then you might be running into this bug. https://github.com/feathersjs/feathers-authentication-oauth2/issues/23

iamso commented 7 years ago

@ekryski It seems to be working, everything from the config is passed to the plugin correctly. But it just doesn't do anything with the hostedDomain option. The options from the config are only passed during initialization of the auth plugin, but the hostedDomain option must be passed here https://github.com/feathersjs/feathers-authentication/blob/master/src/express/authenticate.js#L24 to actually work. You can try it by adding options.hostedDomain = 'domain.tld'; right before that line.

this is the config:

{
  "host": "localhost",
  "port": 3030,
  "public": "../public/",
  "paginate": {
    "default": 10,
    "max": 50
  },
  "authentication": {
    "secret": "...",
    "strategies": [
      "jwt"
    ],
    "path": "/authentication",
    "service": "users",
    "jwt": {
      "header": {
        "type": "access"
      },
      "audience": "https://yourdomain.com",
      "subject": "anonymous",
      "issuer": "feathers",
      "algorithm": "HS256",
      "expiresIn": "1d"
    },
    "google": {
      "clientID": "...",
      "clientSecret": "...",
      "successRedirect": "/",
      "scope": [
        "profile openid email"
      ]
    },
    "cookie": {
      "enabled": true,
      "name": "feathers-jwt",
      "httpOnly": false,
      "secure": false
    }
  },
  "mongodb": "mongodb://localhost:27017/project"
}

I have tried adding the hostedDomain option in different places, but nothing worked.

VictorKilo commented 7 years ago

@iamso The passport-google-oauth20 module provides the Strategy class used for Google Authentication. In particular, the Strategy.authorizationParams(options) method handles the Google Parameters by filtering through the given options object. In order to pass in the hostedDomain directive, you just need a way to provide that option value to the Strategy.

Until a pull request can be merged with this repo, I think your best option is to just extend the Strategy.authorizationParams() method. This can be done far more elegantly, but here's some code that appears to work well, albeit with minimal testing.

const auth = require('feathers-authentication');
const oauth2 = require('feathers-authentication-oauth2');
const GoogleStrategy = require('passport-google-oauth20').Strategy;

module.exports = function () {
  const app = this;
  const config = app.get('auth');
  const optionsToPassIntoAuthParams = {
    hd: 'yourdomain.com'
  };

  class GoogleStrategyWithAdditionalAuthParams extends GoogleStrategy {
    authorizationParams (options) {
      // Merge any extra options that you might want here, including `hd`
      options = Object.assign(options, optionsToPassIntoAuthParams);
      // Call the original method with the extra options added
      return super.authorizationParams(options);
    }
  }

  app.configure(auth(config));
  app.configure(oauth2({
    name: 'google',
    clientID: '...',
    clientSecret: '...',
    scope: [ 'profile', 'email', 'openid' ],
    Strategy: GoogleStrategyWithAdditionalAuthParams
  }));
};

This will, of course, need to be paired with a custom Verifier. I have done so by extending the provided Verifier with a number of validation methods.
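Following up on the two points above, that `hd` only filters Google's account picker and that the actual restriction has to live in the Verifier, here is an added example of the server-side check (not code from this thread or from the feathers project). It assumes the profile object passport-google-oauth20 hands to verify carries the hosted domain in `_json.hd` (OpenID Connect userinfo) or `_json.domain` (older Google+ profile payload), and that the Verifier's verify method has the passport-style signature shown in the README.

```javascript
// Added example: enforce the Google hosted-domain claim server side. The `hd`
// authorization parameter only changes which accounts Google's picker shows; the
// OAuth callback still completes for any Google account, so the allow-list must
// be checked against the profile Google returns, before a user is created.

const ALLOWED_DOMAINS = ['station.ch']; // constructed allow-list (domain from the issue)

// Returns the normalised hosted domain when the profile belongs to an allowed
// domain, otherwise null. Consumer accounts carry no hosted-domain claim at all,
// so a missing value is treated as "not allowed". Assumed field names: see lead-in.
function allowedHostedDomain(profile, allowed = ALLOWED_DOMAINS) {
  const raw = profile && profile._json
    ? (profile._json.hd || profile._json.domain)
    : null;
  if (typeof raw !== 'string' || raw.length === 0) return null;
  const hd = raw.toLowerCase();
  return allowed.map(d => d.toLowerCase()).includes(hd) ? hd : null;
}

// Wraps a passport-style verify(req, accessToken, refreshToken, profile, done)
// so that disallowed accounts are rejected before the wrapped verifier looks up
// or creates a user. Checking the email suffix instead would be weaker; the
// hosted-domain claim is the field Google documents for this purpose.
function withHostedDomainCheck(verify, allowed = ALLOWED_DOMAINS) {
  return function hostedDomainVerify(req, accessToken, refreshToken, profile, done) {
    const hd = allowedHostedDomain(profile, allowed);
    if (hd === null) {
      return done(new Error('Google account is not in an allowed hosted domain'), false);
    }
    return verify.call(this, req, accessToken, refreshToken, profile, done);
  };
}

// Wiring it into feathers-authentication-oauth2 (assumed, per the README's
// "Customizing the Verifier" section; not executed here):
//   const { Verifier } = require('feathers-authentication-oauth2');
//   class DomainVerifier extends Verifier {}
//   DomainVerifier.prototype.verify = withHostedDomainCheck(Verifier.prototype.verify);
//   app.configure(oauth2({ name: 'google', Strategy, Verifier: DomainVerifier, ... }));

module.exports = { ALLOWED_DOMAINS, allowedHostedDomain, withHostedDomainCheck };
```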

nsainaney commented 7 years ago

Doesn't the fix for issue #41 also fix this?

daffl commented 7 years ago

Indeed, it should. Released in v0.3.0