-
|
If I enable SSO using google, it allows all google accounts to login, I would like to limit valid emails to only those that are part of my Google Workspace Organization. This does not seem to be addressed by django-allauth, which is fair since allauth is Authentication not Authorization and this is a question of which accounts should be Authorized to access the instance. I have searched the docs for limit accounts and limit sso and I have not found anything. Has this been addressed somewhere or is that a feature that has not been implemented? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 13 replies
-
|
@nwns I would block this at the authentication level to be safe. Also please use discussions for questions, issues are more for FRs or bugs - discussions (QA type) are better for our SEO and threading is much more readable there. |
Beta Was this translation helpful? Give feedback.
-
|
@blieb Great, if you have further issues please open a new issue/discussion as it is hard to track already answered discussions |
Beta Was this translation helpful? Give feedback.
-
|
@blieb due to another request I will touch this part of the codebase again so I will implement this to ease this for future users. See #4168 |
Beta Was this translation helpful? Give feedback.
-
Ok nice I will keep an eye on it. The other issue that I had is that I have to enable self signup to allow new users to login via oauth. But I only want users to sign up via oauth not via the sign up form. Would be nice if I can also enable sign up via Single sign on only. Shall I make a FR for that? I can also take a look. Think that is not hard to implement. But I haven't touch this language in years 😆 |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
@matmair oh nice. Was looking for it yesterday but did not find something about it. But this one is new. For now I just blocked the sign up page in Nginx 😆 |
Beta Was this translation helpful? Give feedback.
@nwns I would block this at the authentication level to be safe.
Instead of using the google provider try using open id and add the hosted domain parameter.
Would much prefer to handle things like this in config and not add code for more checks. There are some many ways to get those wrong.
Also please use discussions for questions, issues are more for FRs or bugs - discussions (QA type) are better for our SEO and threading is much more readable there.