23

My app was restricting logins by Oauth2 to specific domain like abc.com by specifying abc.com in the hd parameter in my request .Restrict Login Email with Google OAuth2.0 to Specific Domain Name but since these past few days its allowing anyone with a Google account login.I am sure i didn't change the code and even verified the result uri has my domain name specified in its hd parameter following this link instruction https://developers.google.com/identity/protocols/OpenIDConnect#hd-param .so cany any one tell me what i am doing wrong? here is my code 

     `redirect( uri : "https://accounts.google.com/o/oauth2/auth?" +
            "redirect_uri=${redirectUri}&" +
            "response_type=code&" +
            "client_id="${my_client_id}"& +
            "scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email" +
            "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&" +
            "approval_prompt=auto&" +
            "hd=apposit.com")`
Cœur
  • 37,241
  • 25
  • 195
  • 267
  • 2
    I had the same situation, since a few weeks back the HD-parameter no longer restrict access to the specified domain. There was no change to the code, it just doesnt restrict access to the HD-parameter anymore... anyone know whats up? – sboss Jan 18 '16 at 14:12

1 Answers1

10

I dont know why this is happening,but you can add a second security mechanism besides hd by checking if the user email contains abc.com using java's contains() method or endsWith() which is more reliable before u allow the user to go any further in Your app.

But still this is a quick fix and others with a solution should answer this question

robel
  • 305
  • 3
  • 14