qvest-digital / loginsrv

JWT login microservice with pluggable backends such as OAuth2, Google, Github, htpasswd, osiam, ...
MIT License
1.92k stars 148 forks

Restrict OAuth access to specific email domain #179

Closed georgevarghese185 closed 3 years ago

georgevarghese185 commented 3 years ago

What I'm trying to achieve is something similar to Issue #57. I'd like to allow my users to log in with Google but restrict access to our G Suite domain.

I was considering just forking the repo and adding a step in the login flow that checks if the user's email domain matches a domain passed to loginsrv as an optional config variable. But before I do that, I just thought I'd ask and see if this feature sounds like something generic enough that it could be useful for everyone.

In the issue linked above, it was mentioned that this restriction could be added by configuring caddy in a certain way, but we aren't using caddy, so I was hoping this check could be added to the loginsrv service itself.

Let me know what you think. I could possibly create a PR if it's a welcome feature. If it seems out of scope, I'll close this issue.

g-w commented 3 years ago

Maybe the best currently supported approach is to allow login for all google users and add a users file to give certain claims only to the users of your domain. In the code that authorizes the user through the JWT you only have to check the claims part of the token.

georgevarghese185 commented 3 years ago

Yeah, I suppose something like that could work for my use case. So then I just have to modify the token verification code in my fork of the repo to assert a known claim for @mycompany.com users and reject any users that don't have that claim.

g-w commented 3 years ago

There should be no need to fork loginsrv. It is no problem if somebody can authenticate to your application, if he isn't authorized to do anything. Simply verify the JWT in the http handlers of your application (or in a filter) and you are done. This has to be done either way.

@georgevarghese185 I will close this issue.
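The approach g-w describes in the two comments above (let every Google user authenticate, hand out a claim only to the users of your own domain, then enforce that claim where your application verifies the JWT) as a small Go middleware. This is an added example, not code from loginsrv or from either participant. It assumes the token is HS256-signed with a shared secret (adjust the hash to whatever algorithm your loginsrv instance is configured with), that it arrives either as `Authorization: Bearer ...` or in a cookie named `jwt_token` (assumed here; check your loginsrv cookie setting), and that the users file grants a constructed `role: user` claim to your domain. The claim name and value, the secret and the sample subjects are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// exampleSecret is a constructed shared secret for this example only.
var exampleSecret = []byte("example-shared-secret-change-me")

// verifyHS256 validates a compact JWT signed with HS256 and returns its claims.
// The algorithm is pinned: the token's own "alg" header is never used to pick the verifier.
func verifyHS256(token string, secret []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, errors.New("bad claims")
	}
	// Reject expired tokens; JSON numbers decode as float64.
	if exp, ok := claims["exp"].(float64); ok && time.Now().Unix() >= int64(exp) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

// tokenFrom extracts the JWT from the Authorization header or the jwt_token cookie (assumed name).
func tokenFrom(r *http.Request) string {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer ")
	}
	if c, err := r.Cookie("jwt_token"); err == nil {
		return c.Value
	}
	return ""
}

// requireClaim is the authorization filter: authenticated but unprivileged users get 403,
// missing or invalid tokens get 401. Only tokens carrying claim == want reach next.
func requireClaim(secret []byte, claim, want string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims, err := verifyHS256(tokenFrom(r), secret)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if got, _ := claims[claim].(string); got != want {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// signHS256 mints a token the way an HS256 issuer would; used here only to build sample tokens.
func signHS256(claims map[string]interface{}, secret []byte) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	payload := base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(hdr + "." + payload))
	return hdr + "." + payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// futureExp returns an exp claim one hour from now.
func futureExp() int64 { return time.Now().Add(time.Hour).Unix() }

// statusFor runs one request through the filter in front of a trivial handler and returns the status.
func statusFor(token string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	h := requireClaim(exampleSecret, "role", "user", ok)
	req := httptest.NewRequest("GET", "/api/data", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample users: one from the allowed domain (given role=user by the users file),
	// one external Google account that authenticated but received no claim.
	inDomain := signHS256(map[string]interface{}{"sub": "alice@mycompany.com", "role": "user", "exp": futureExp()}, exampleSecret)
	external := signHS256(map[string]interface{}{"sub": "bob@gmail.com", "exp": futureExp()}, exampleSecret)
	forged := signHS256(map[string]interface{}{"sub": "eve", "role": "user", "exp": futureExp()}, []byte("wrong-secret"))
	fmt.Println("in-domain:", statusFor(inDomain), "external:", statusFor(external), "forged:", statusFor(forged), "none:", statusFor(""))
}
```

The point of the filter is the one g-w makes: authentication and authorization are separate steps, so loginsrv can keep issuing tokens to anyone Google vouches for, while the 403 path is where your own domain restriction actually lives. Keep the signature and expiry checks in front of the claim check, since a claim read from an unverified token is attacker-controlled input.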