0

I'm looking for some guidance and have had a hard time finding a straight answer via Google.

I am building a web app using Google Cloud Platform and Firebase and would like to grant users access to only their own subdomain. So for example, if user 1 is part of the organization Lakers, I would like the domain they use to be lakers.myapp.com. If user 2 is part of Bucks, their app would be hosted at bucks.myapp.com. When somebody who is not authorized visits one of these domains, they should not be able to view anything since they are not authorized under that subdomain (just like any normal web app). I have the login all set up and can redirect the user to their subdomain, but what is the process of checking that the user is authorized to view that subdomain?

If the answer has many parts, I would be happy to receive some links to resources on how to do this; I wanna be sure it's done right.

Caleb Waldner
  • 889
  • 8
  • 11
  • If I understood your question correctly then there are two parts, First part- Can we restrict users ( Identity ) based on the GCP domains , then answer is yes , Please see the [documentation-1](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains) for the details. For the second part - How do I lock down Firebase Database to any user from a specific (email) domain ? please see the [link -2](https://stackoverflow.com/questions/36943350/how-do-i-lock-down-firebase-database-to-any-user-from-a-specific-email-domain).Please let me know if this is helpful ? – Sohail Alvi Nov 07 '20 at 00:00
  • Thanks for the reply, these links are helpful. – Caleb Waldner Nov 09 '20 at 21:12

1 Answers1

0
  1. For the first part: (Can we restrict users ( Identity ) based on the GCP domains ?) , then answer is yes. The Resource Manager provides a domain restriction constraint that can be used in organization policies to limit resource sharing based on domain. This constraint allows you to restrict the set of identities that are allowed to be used in Identity and Access Management policies.

Organization policies can use this constraint to limit resource sharing to a specified set of one or more Google Workspace domains, and exceptions can be granted on a per-folder or per-project basis. For more information about adding exceptions, see Override the organization policy for a project.

  1. For the second part:(How do I lock down Firebase Database to any user from a specific email domain ?). If you're using the new Firebase this is now possible, since the email is available in the security rules.

In the security rules you can access both the email address and whether it is verified, which makes some great use-cases possible. With these rules for example only an authenticated, verified gmail user can write their profile, please see the Stackoverflow Link for more details.

Sohail Alvi
  • 380
  • 1
  • 6