5

We've recently introduced Google Single Sign-on to our platform. It works well, except for one issue. All our development branches are automatically assigned a url that looks something like https://{branch-name}.ourdomain.com. As of right now, we have to manually add the authorized origin for each environment, which is not scalable for us.

Is there a solution, such as an API we can use in our deployment process, that doesn't require us to authorize from the same origin for all our branches and doing a redirect dance? The ideal solution would be the wildcard solution where we could add https://*.ourdomain.com as an authorized origin, but that doesn't seem to be allowed in the Google Cloud Platform.

Christian
  • 195
  • 1
  • 2
  • 10

2 Answers2

3

There is no API for adding authorized origin dynamically in the Google console; it must be done manually. The OAuth engineering team is still evaluating the best way an API could be deployed as this carries many security risks that need to be properly assessed. JavaScript origins cannot contain certain characters including: Wildcard characters ('*') to ensure the security and privacy of accounts. You need to add the exact URIs the application is gonna use as JavaScript origins. Unfortunately, there is no good alternative workaround in regards to your use case, the only workaround is that you need to add each environment manually.

Note : There are several feature requests like Can't update Google Cloud Javascript Origin domains via API for this, but unlikely that will be implemented soon.

Refer Google API: Authorized JavaScript Origins for information.

Jyothi Kiranmayi
  • 2,090
  • 5
  • 14
0

Alternatively, you can redirect the user to the base domain which is registered in the google cloud console, and redirect back to the original site with the token post-authentication. Please take a look at this article. https://www.kcoleman.me/2016/12/28/wildcard-google-auth-for-multiple-subdomains.html

excitepv
  • 31
  • 6