perrybutler / WP-OAuth

A WordPress plugin that allows users to login or register by authenticating with an existing Google, Facebook, LinkedIn, Github, Reddit or Windows Live account via OAuth 2.0. Easily drops into new or existing sites, integrates with existing users.
GNU General Public License v2.0

Add Google Hosted Domain support #28

Closed michaelbragg closed 5 years ago

michaelbragg commented 9 years ago

Hosted Domain is used to limit access to Google accounts from a specified domain.

[Screenshot: screen shot 2015-03-29 at 11 41 28]

I've tested this in our corporate environment. May need some more testing as our setup handles failed logins slightly differently to the normal Google process.

cdwiegand commented 7 years ago

This doesn't validate that the login is actually coming from the hd domain, however. An attacker could just take the hd=XXX.com out of the URL and then they'd be able to access using their own Google account. I like the idea, though.

michaelbragg commented 7 years ago

Thanks @cdwiegand, how would you recommend addressing this?

Would this be done before WordPress creates the user? Or is there a better point to conduct the validation of the domain?

cdwiegand commented 7 years ago

I haven't fully looked through the code, but I'm thinking in wpoa_login_user you'd have to re-check that if the get_option('wpoa_google_api_hd') setting isn't blank that the user's email ends with "@" and then that setting, ideally case insensitive.
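The server-side check described above, written out as an added example that is not part of WP-OAuth's code: the option name `wpoa_google_api_hd` and the hook point `wpoa_login_user` come from the thread, while the helper name, the `$hd_claim` argument and the `$oauth_identity` / `$id_token` variables in the trailing sketch are assumptions.

```php
<?php
// Added example, not code from the WP-OAuth plugin. Verifies that a Google
// account belongs to the configured hosted domain on the server side, so
// that removing hd= from the authorization URL gains the client nothing.

/**
 * Return true if $email belongs to the hosted domain $hd.
 * An empty $hd setting means the restriction is not enabled.
 * If the ID token's "hd" claim is supplied, it must match as well: the hd=
 * parameter in the authorization URL is only a hint, the claim in the token
 * is what Google actually asserts about the account.
 */
function wpoa_email_matches_hosted_domain($email, $hd, $hd_claim = null) {
    $hd = strtolower(trim($hd));
    if ($hd === '') {
        return true; // no hosted-domain restriction configured
    }
    $at = strrpos($email, '@');
    if ($at === false) {
        return false; // not an e-mail address at all
    }
    // Compare everything after the last "@" exactly and case-insensitively.
    // This is the "ends with '@' . setting" check from the thread; the "@"
    // matters, because a bare suffix match would also accept evil-example.com.
    $domain = strtolower(substr($email, $at + 1));
    if ($domain !== $hd) {
        return false;
    }
    if ($hd_claim !== null && strtolower(trim($hd_claim)) !== $hd) {
        return false; // token asserts a different hosted domain
    }
    return true;
}

// Sketch of the call inside wpoa_login_user, before the WordPress user is
// created or logged in ($oauth_identity and $id_token are assumed names):
//
// if (!wpoa_email_matches_hosted_domain($oauth_identity['email'],
//         get_option('wpoa_google_api_hd'),
//         isset($id_token['hd']) ? $id_token['hd'] : null)) {
//     wp_die('This site only accepts Google accounts from the configured domain.');
// }
```

Pass the `hd` claim from the decoded ID token whenever the plugin has it; the e-mail domain check alone is the minimum the thread asks for, and the claim makes the rejection independent of how the address is formatted.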