Verify email domain if HostedDomain (hd) is set #6

Open
bodhi opened this issue May 6, 2019 · 1 comment
Comments

@bodhi
Member

bodhi commented May 6, 2019

oidc2aws has a configuration parameter HostedDomain that will configure the hd value when opening the browser.

If this is set, oidc2aws should verify that the returned email address matches the value set in the configuration.

This is not a high-priority internally as the app we use for this is "Internal":

Only users with a Google Account in your organisation can grant access to the scopes requested by this app.

so Google takes care of this.

@bodhi
Member Author

bodhi commented May 6, 2019

Recommended here:

https://developers.google.com/identity/work/it-apps

When you get an OpenID Connect assertion from Google, double check that the Google authentication service has confirmed it is an account controlled by the administrators of that domain name. This check is done server side by evaluating the hd field in the token to verify the domain is what you expected.
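One way to implement the check proposed in this issue, as an added example that is not oidc2aws's own code: it assumes oidc2aws is written in Go, and the type and function names (`IDTokenClaims`, `VerifyHostedDomain`, `VerifyHostedDomainJSON`) are hypothetical. It takes the claims of an ID token whose signature has already been verified by the OIDC library, and, when `HostedDomain` is configured, requires the `hd` claim to be present and equal to it (Google omits `hd` for consumer accounts, so its absence is itself a failure), requires `email_verified`, and compares the domain after the last `@` of `email` rather than using a suffix match, which would accept `mallory@evilexample.com` for `example.com`. The sample payloads are constructed, not real tokens.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// IDTokenClaims is the subset of Google ID-token claims needed for the
// hosted-domain check; JSON names are the OIDC/Google claim names.
// (Hypothetical type; not part of oidc2aws.)
type IDTokenClaims struct {
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	HostedDomain  string `json:"hd"`
}

var (
	ErrNoHostedDomainClaim  = errors.New("id token has no hd claim but HostedDomain is configured")
	ErrHostedDomainMismatch = errors.New("hd claim does not match configured HostedDomain")
	ErrEmailNotVerified     = errors.New("email_verified is not true")
	ErrEmailDomainMismatch  = errors.New("email domain does not match configured HostedDomain")
)

// emailDomain returns the part after the last '@', lower-cased. A plain
// strings.HasSuffix(email, domain) would accept "alice@evilexample.com" for
// HostedDomain "example.com", so the address is split explicitly.
func emailDomain(email string) (string, error) {
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return "", fmt.Errorf("malformed email %q", email)
	}
	return strings.ToLower(email[at+1:]), nil
}

// VerifyHostedDomain enforces the configured HostedDomain against the claims
// of an already signature-verified ID token. An empty hostedDomain disables
// the check, matching the case where no hd value is sent to Google.
func VerifyHostedDomain(claims IDTokenClaims, hostedDomain string) error {
	if hostedDomain == "" {
		return nil
	}
	want := strings.ToLower(hostedDomain)
	if claims.HostedDomain == "" {
		return ErrNoHostedDomainClaim
	}
	if strings.ToLower(claims.HostedDomain) != want {
		return fmt.Errorf("%w: got %q, want %q", ErrHostedDomainMismatch, claims.HostedDomain, hostedDomain)
	}
	if !claims.EmailVerified {
		return ErrEmailNotVerified
	}
	got, err := emailDomain(claims.Email)
	if err != nil {
		return err
	}
	if got != want {
		return fmt.Errorf("%w: got %q, want %q", ErrEmailDomainMismatch, got, hostedDomain)
	}
	return nil
}

// VerifyHostedDomainJSON decodes a JWT payload (already base64-decoded and
// signature-checked) and applies VerifyHostedDomain.
func VerifyHostedDomainJSON(payload []byte, hostedDomain string) error {
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("decode claims: %w", err)
	}
	return VerifyHostedDomain(c, hostedDomain)
}

func main() {
	// Constructed sample payloads for illustration; not real Google tokens.
	cases := []struct{ name, payload string }{
		{"workspace account", `{"email":"alice@example.com","email_verified":true,"hd":"example.com"}`},
		{"consumer account, no hd", `{"email":"bob@gmail.com","email_verified":true}`},
		{"other workspace", `{"email":"carol@other.org","email_verified":true,"hd":"other.org"}`},
		{"suffix trick", `{"email":"mallory@evilexample.com","email_verified":true,"hd":"example.com"}`},
	}
	for _, tc := range cases {
		fmt.Printf("%-24s -> %v\n", tc.name, VerifyHostedDomainJSON([]byte(tc.payload), "example.com"))
	}
}
```

Only the first sample passes; the other three are rejected with distinct errors, so a caller can log why a login was refused without leaking the token itself.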
