by radlad
514 days ago
>> I think certain service providers might have made the assumption that if a user belongs to a certain domain that also means they belong to a certain workspace, but that is clearly not a valid assumption.

> If you need to validate that the ID token represents a Google Workspace or Cloud organization account, you can check the `hd` claim, which indicates the hosted domain of the user. This must be used when restricting access to a resource to only members of certain domains. The absence of this claim indicates that the account does not belong to a Google hosted domain.

https://developers.google.com/identity/gsi/web/guides/verify...

FWIW, I worked on SSO products for nearly 5 years and am pretty familiar with this space.
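The difference between trusting the e-mail suffix and checking `hd`, as an added example that is not part of the comment above or of Google's documentation. It assumes the claims come from an ID token whose signature, issuer, audience and expiry were already verified; the allow-list, function names and sample claims are hypothetical and constructed for illustration.

```python
# Added example. Input: claims from an ID token that a JWT library has
# ALREADY verified (signature, iss, aud, exp). Only the domain check is shown.
ALLOWED_HOSTED_DOMAINS = frozenset({"example.com"})  # hypothetical allow-list


def email_domain_check(claims, allowed=ALLOWED_HOSTED_DOMAINS):
    """The assumption the comment warns about: e-mail suffix implies workspace."""
    email = claims.get("email", "")
    return email.rpartition("@")[2].lower() in allowed


def hosted_domain_check(claims, allowed=ALLOWED_HOSTED_DOMAINS):
    """Require the `hd` claim and match it exactly against the allow-list.

    Returns (allowed?, reason) so a denial can be logged with its cause.
    """
    hd = claims.get("hd")
    if not isinstance(hd, str) or not hd:
        # Absent `hd`: the account does not belong to a Google hosted domain.
        return False, "hd claim missing"
    if hd.lower() not in allowed:
        return False, "hd not in allow-list"
    return True, "hd matches allow-list"


# Constructed sample claims (not taken from real tokens).
WORKSPACE_USER = {"sub": "1001", "email": "alice@example.com", "hd": "example.com"}
NON_WORKSPACE_USER = {"sub": "1002", "email": "bob@example.com"}  # no hd claim
OTHER_ORG_USER = {"sub": "1003", "email": "carol@other.test", "hd": "other.test"}


def compare(claims):
    """Return (suffix-check result, hd-check result) for one set of claims."""
    return email_domain_check(claims), hosted_domain_check(claims)[0]


if __name__ == "__main__":
    for c in (WORKSPACE_USER, NON_WORKSPACE_USER, OTHER_ORG_USER):
        print(c["email"], compare(c), hosted_domain_check(c)[1])
```

The second sample is the case that separates the two checks: the e-mail suffix matches the allow-list, but the token carries no `hd` claim.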