If you don’t want to configure routing for your login flow, you can just drop in a self-managing accounts screen. Wherever you want the accounts UI template to render, just include the

Once you’ve identified which template you need to replace, define a new template.

To validate an ID token using the claim, which indicates the hosted domain of the user. This can be used to restrict access to a resource to only members of certain domains. The absence of this claim indicates that the user does not belong to a G Suite hosted domain.

After you have verified the token, check if the user is already in your user database.

Then, on the server, verify the integrity of the ID token and use the user information contained in the token to establish a session or create a new account. A modified client application can send arbitrary user IDs to your server to impersonate users, so you must instead use verifiable ID tokens to securely get the user IDs of signed-in users on the server.

    // Send the ID token (not a bare user ID) to the backend over HTTPS.
    var xhr = new XMLHttpRequest();
    xhr.open('POST', 'https://yourbackend.example.com/tokensignin');
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.onload = function() {
      // Handle the server's response here.
    };
    xhr.send('idtoken=' + id_token);

import com.client.oauth2.

    from google.oauth2 import id_token
    from google.auth.transport import requests

    # `token` is the ID token received from the client's POST request.
    try:
        # Specify the CLIENT_ID of the app that accesses the backend:
        idinfo = id_token.verify_oauth2_token(token, requests.Request(), CLIENT_ID)

        # Or, if multiple clients access the backend server:
        # idinfo = id_token.verify_oauth2_token(token, requests.Request())
        # if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]:
        #     raise ValueError('Could not verify audience.')

        if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
            raise ValueError('Wrong issuer.')

        # If auth request is from a G Suite domain:
        # if idinfo['hd'] != GSUITE_DOMAIN_NAME:
        #     raise ValueError('Wrong hosted domain.')

        # ID token is valid.
    except ValueError:
        # Verification failed: treat the request as unauthenticated.
        idinfo = None

If the user isn't yet in your user database, create a new user record from the information in the ID token payload, and establish a session for the user.

But the situation was not as simple as it seemed: since MongoDB doesn’t have a concept of case-insensitive indexes, it was impossible to guarantee unique emails at the database level. For this reason, we have some special APIs for querying and updating users which manage the case-sensitivity problem at the application level.