
Identifying an Authenticated Google User's “Work Account”

We have a Learning Management System (LMS) which we roll out to organisations. All users reside under an "organisation account", of which there are a few thousand on our system.

One of our clients uses Google as their main account/authentication system, and so we are implementing OAuth2 as a means to provide Single Sign On for those clients.

I've created a Google Project for our platform and can successfully use Google to get a user to authenticate (https://accounts.google.com/o/oauth2/auth) in the standard way using the openid email profile scopes. Assuming the user authenticates with Google, I can then get an Access Token back.

My problem, however, is that the list of claims that come back isn't enough for me to determine which Organisation the Google Account belongs to. I thought the "Hosted Domain" claim might uniquely identify the Google account as being our client's work account; however, if the user logs in using an alias email address rather than the Work's "primary email" address then the hosted domain won't be correct.

I need a means of discovering which "Work Account" an authenticated Google Account belongs to so that I can map it to the right Organisation on my platform.

An example will help I think:

  1. Our client is called "ABC Ltd"
  2. They have a Google Work Account whereby everyone's primary email address (domain) is "...@abc.com". Users also have email aliases ("...@anotherdomain.com", "...@gmail.com" etc.)
  3. If a user authenticates as "john@abc.com", the "hosted domain" claim comes back as "abc.com" and we can identify both the User and the Work account (yay)
  4. However, if they authenticate with an email alias that they have, such as "john@gmail.com", the hosted domain comes back as (blank) or "gmail.com" and not "abc.com". Nor do I seem to have access to their primary email address "john@abc.com" (fail).

Any suggestions on how I should discover the "Work Account" of the authenticated user? Some other "scope" to request, or a different API?

Thanks.

If a user authenticates as "john@abc.com", the "hosted domain" claim comes back as "abc.com" and we can identify both the User and the Work account (yay)

However, if they authenticate with an email alias that they have, such as "john@gmail.com", the hosted domain comes back as (blank) or "gmail.com" and not "abc.com". Nor do I seem to have access to their primary email address "john@abc.com" (fail).

For "work accounts", a user cannot get a gmail.com address as an alias. Gmail doesn't support this. john@abc.com and john@gmail.com are separate accounts. So the feature is working as designed. Not sure where you got the "alias" information, but what happens is that we support multi-login. A user can log in to multiple accounts at the same time and switch easily between them. When they go through the OAuth approval the first time, they can select the account they want. Next time, it depends on the OAuth request parameters.

If you know the hosted domain of the site where a user is trying to sign in, you can pass hd=abc.com to Google auth requests and the right account will get selected.
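One way to apply that advice on the LMS side, as an added example that is not from the question or the answer: build the authorization URL with hd=abc.com so Google preselects the work account, then map the user to an organisation only from the hd claim of the verified ID token. The organisation table, client id and redirect URI are assumptions for the example; the ID-token claims are assumed to have already passed signature verification (for instance with google-auth's id_token.verify_oauth2_token).

```python
from urllib.parse import urlencode

# Endpoint from the question above.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"

# Constructed sample table: Google Workspace hosted domain -> LMS organisation id.
ORG_BY_HD = {"abc.com": "org-abc"}


def build_auth_url(client_id: str, redirect_uri: str, state: str, hd: str) -> str:
    """Authorization request with the hd hint so the user's abc.com account is selected."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email profile",
        "state": state,   # CSRF token bound to the user's session
        "hd": hd,         # hint only: Google may still return a different account
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def organisation_for_claims(claims: dict, expected_hd: str, client_id: str):
    """Map verified ID-token claims to an LMS organisation, or None if they don't qualify.

    The hd *request parameter* is a hint and cannot be relied on; the hd *claim* in
    the signature-verified token is what proves the account belongs to the workspace.
    A consumer john@gmail.com account carries no hd claim and is rejected here.
    """
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        return None
    if claims.get("aud") != client_id:
        return None
    if not claims.get("email_verified"):
        return None
    if claims.get("hd") != expected_hd:
        return None
    return ORG_BY_HD.get(expected_hd)
```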
