Authenticate user with a specific hosted domain (hd) in Flask with OAuth2
The hd parameter can be set by appending it to the auth_uri as follows:
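
    from oauth2client import GOOGLE_AUTH_URI
    from oauth2client.client import OAuth2WebServerFlow

    # Append the hd (hosted domain) parameter to Google's authorization endpoint
    auth_uri = GOOGLE_AUTH_URI
    auth_uri = auth_uri + '?hd=' + 'example.com'
    auth_flow = OAuth2WebServerFlow(
        client_id=AUTH_CLIENT_ID,
        client_secret=AUTH_CLIENT_SECRET,
        scope=AUTH_PLUS_SCOPE,
        redirect_uri=AUTH_CALLBACK_URI,
        auth_uri=auth_uri,
    )
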
However, in my experience, the hd parameter does not restrict users with different email addresses from logging in. You should always validate the credentials.
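
    from flask_login import login_user
    from oauth2client.client import FlowExchangeError
    from werkzeug.exceptions import Unauthorized

    def authenticate(code):
        try:
            # Exchange the authorization code for credentials (ID token included)
            credentials = _get_credentials(code)
            # Reject any account whose email is outside the expected domain
            if not credentials.id_token['email'].endswith('@example.com'):
                # abort(401)
                raise Unauthorized()
            user = User.get_or_create(credentials)
            login_user(user)
        except FlowExchangeError:
            # The code exchange failed, so treat the request as unauthenticated
            raise Unauthorized()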
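
A stricter form of the validation step, as an added example that is not part of the original answer: it checks the `hd` claim Google places in the ID token as well as the email, since the `hd` request parameter alone does not enforce anything. It assumes `claims` is the decoded ID token payload returned by the token exchange (such as `credentials.id_token`); `check_hosted_domain`, `DomainNotAllowed` and the sample values are hypothetical names and constructed data.

```python
# Added example: validate Google ID token claims against one hosted domain.
ALLOWED_DOMAIN = "example.com"  # placeholder domain, as in the answer above
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


class DomainNotAllowed(Exception):
    """The claims do not prove membership of the hosted domain."""


def check_hosted_domain(claims, client_id, allowed_domain=ALLOWED_DOMAIN):
    """Return the lower-cased email if every check passes, else raise.

    `claims` must come from a trusted source: the ID token received directly
    from Google's token endpoint, or one whose signature has been verified.
    """
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise DomainNotAllowed("unexpected issuer")
    if claims.get("aud") != client_id:
        raise DomainNotAllowed("token was issued to a different client")
    # The hd claim is asserted by Google; the hd request parameter is only
    # a hint on the authorization URL and proves nothing by itself.
    if str(claims.get("hd", "")).lower() != allowed_domain:
        raise DomainNotAllowed("hd claim missing or not the allowed domain")
    if claims.get("email_verified") not in (True, "true"):
        raise DomainNotAllowed("email address is not verified")
    # Compare the whole domain part instead of relying on a suffix match.
    email = str(claims.get("email", "")).lower()
    local, sep, domain = email.rpartition("@")
    if not (local and sep and domain == allowed_domain):
        raise DomainNotAllowed("email is outside the allowed domain")
    return email


# Constructed sample data for illustration only.
SAMPLE_CLIENT_ID = "1234567890-sample.apps.googleusercontent.com"
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": SAMPLE_CLIENT_ID,
    "hd": "example.com",
    "email": "alice@example.com",
    "email_verified": True,
}

if __name__ == "__main__":
    print(check_hosted_domain(SAMPLE_CLAIMS, SAMPLE_CLIENT_ID))
```

In the `authenticate` function above, a `DomainNotAllowed` exception would map to the same `Unauthorized()` response as a failed email check.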