I have successfully used firebaseui to allow people to sign in to an app via Google. By default this would appear to allow anyone from any domain to sign in. Is there some way to only allow people from our Google Apps domain to authenticate successfully and stop people from any other domain from authenticating?
Yes, you need to pass the hd parameter:
ui.start('#firebaseui-auth-container', {
  signInSuccessUrl: '<url-to-redirect-to-on-success>',
  signInOptions: [
    {
      provider: firebase.auth.GoogleAuthProvider.PROVIDER_ID,
      scopes: [
        // Your requested scopes.
        'https://www.googleapis.com/auth/plus.login'
      ],
      customParameters: {
        // Google's hd (hosted domain) parameter: pre-fills the account
        // chooser with the given Workspace domain. It is a UI hint only
        // and does not by itself reject accounts from other domains.
        hd: 'mydomain.com'
      }
    }
  ]
});
Hi @MichaelFromin @bojeil-google, passing the hd parameter does solve the issue by displaying the domain name at the end of the email field. But users can still type @gmail to remove the hd domain display, which makes gmail itself available for login too.
signInOptions: [
  // TODO(developer): Remove the providers you don't need for your app.
  {
    provider: firebase.auth.GoogleAuthProvider.PROVIDER_ID,
    customParameters: { hd: 'abel.com' },
    // Required to enable this provider in One-Tap Sign-up.
    authMethod: 'https://accounts.google.com',
    // Required to enable ID token credentials for this provider.
    clientId: CLIENT_ID
  }
]
That is true. A user can override this. Google allows it and there is nothing we can do about it. What you can do is enforce this in your rules (Firebase rules or ID token verification if you are using your own server). You can block access to resources if the email in the ID token claims ends with anything other than @yourdomain.com.
You can also show an error message when they complete sign-in (after checking the returned email's domain) and delete the user on the client side, though this is not enough and you should enforce in the backend.
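The two enforcement points described in the answer above, as an added example that is not part of this thread and not Firebase's own code: a domain check applied to the claims of a verified Firebase ID token on your own server, and a firebaseui `signInSuccessWithAuthResult` callback that rejects and deletes a user who bypassed the `hd` hint. Assumptions, all mine: the domain name `mycompany.com`, the function names, and that the server obtains `claims` from a verifier such as firebase-admin's `verifyIdToken` (passed in as a parameter here so the file runs offline); the sample claims and the fake `user` object are constructed test data.

```javascript
// Added example (not from the original thread). Assumed domain name.
const ALLOWED_DOMAIN = 'mycompany.com';

// Return the lower-cased part after the last '@', or null if the value is
// not a plausible address. Using the last '@' avoids treating
// "x@mycompany.com@evil.com" as an internal address.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Server side: decide from the claims of an already-verified Firebase ID
// token. Firebase ID tokens carry email, email_verified and
// firebase.sign_in_provider; the Google hd value is not in this token,
// so the decision rests on the verified email domain.
function isAllowedAccount(claims, allowedDomain = ALLOWED_DOMAIN) {
  if (!claims || claims.email_verified !== true) return false;
  const provider = claims.firebase && claims.firebase.sign_in_provider;
  if (provider !== 'google.com') return false;
  return emailDomain(claims.email) === allowedDomain.toLowerCase();
}

// verifyIdToken is injected; in production this would be
// admin.auth().verifyIdToken from firebase-admin, which throws on a bad
// signature or an expired token.
async function authorizeRequest(idToken, verifyIdToken, allowedDomain = ALLOWED_DOMAIN) {
  let claims;
  try {
    claims = await verifyIdToken(idToken);
  } catch (err) {
    return { ok: false, reason: 'invalid-token' };
  }
  if (!isAllowedAccount(claims, allowedDomain)) {
    return { ok: false, reason: 'wrong-domain' };
  }
  return { ok: true, uid: claims.uid };
}

// Client side: firebaseui calls signInSuccessWithAuthResult after sign-in.
// Returning true lets firebaseui redirect; returning false keeps the user
// on the page. A user who just signed in may delete their own account, so
// the stray account is removed before the error is shown. This is only a
// UX courtesy; the server-side check above is what actually protects data.
function makeSignInCallback(allowedDomain, onReject) {
  const wanted = allowedDomain.toLowerCase();
  return function signInSuccessWithAuthResult(authResult) {
    const user = authResult.user;
    if (user.emailVerified === true && emailDomain(user.email) === wanted) {
      return true;
    }
    user.delete().catch(() => { /* already gone or no recent login */ });
    onReject(`Please sign in with your @${allowedDomain} Google account.`);
    return false;
  };
}

// Constructed sample claims (shape of a decoded Firebase ID token).
function sampleClaims(email, verified = true, provider = 'google.com') {
  return {
    uid: 'uid-' + email,
    email,
    email_verified: verified,
    firebase: { sign_in_provider: provider }
  };
}
```

The server path is the one that matters: a rejected request here denies data regardless of what the browser did, and the same `email` / `email_verified` claims are what Firestore rules see as `request.auth.token`.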
Since this issue came up on Google when I was trying to solve a similar problem, I thought it would be helpful to share the Firestore rules I ended up using. I combined this with something based on @bojeil-google's answer and client-side validation of the logged in user's email address to show an error message if they manage to bypass the login prompt encouraging you to use your mycompany.com google account.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /tasks/{document} {
      allow read: if true;
      // matches() must match the whole string; the dot in the domain is
      // escaped so that e.g. "@mycompanyXcom" is not accepted, and only
      // verified addresses count.
      allow create: if request.auth.uid == request.resource.data.user
                    && request.auth.token.email_verified == true
                    && request.auth.token.email.matches(".*@mycompany\\.com");
      allow update, delete: if request.auth.uid == resource.data.user;
    }
  }
}
I found a working solution now. Once you put your Firebase/Google Cloud project under an organization and set up Google Authentication for Firebase, you can go to https://console.cloud.google.com/apis/credentials/consent and mark your application as Internal.

Afterwards, any attempt to sign in with Google into the Firebase app using an account outside the Workspace domain will be blocked.
