Can I rely on the email address returned by Google Authentication as belonging to that domain

I want to add a feature where users who log in using Google authentication can access data as long as the email address ends in the correct domain.

e.g. Anyone in the Acme Co company (@acme.com) is allowed access to the data. Is it sufficient to check that the current user logged in using Google Authentication (via the common google authentication setup in Auth0) and that the email address ends in @acme.com?

Rob

Not sure if I understood it correctly. Correct me if I’m wrong.

You can use the Email Domain Whitelist rule that will only allow access to users with specific email domains (while logging in). Is your case that you want everyone to log in, but then you want to grant access to certain data based on the email domain, is that correct?

Yes, you are correct, I want to grant access to certain data based on which Google organisation they belong to. I want to make sure my assumption is correct that a Google organisation maps directly to a domain and that it is not possible to authenticate via Auth0’s Google social login with an email address on the same domain that does not belong to that organisation.

To give some deeper background, I currently allow Google, GitHub and UsernamePassword auth. Each company creates their own space on my site and then manually invites their employees to that space. I want to allow a company to say that “anyone in my organisation logged in via Google is automatically added to the space”. I am worried that just checking the auth provider (google-oauth2) and domain name opens it up to a hack by someone somehow creating a Google account with that domain outside of that org.

I could go down the route of asking each of my customer organisations to set up and supply their own Google developer API authentication site and token. A lot of other websites do this, but I’m not sure that complexity is required and it would be an extra hump for my end users. I am worried I am missing something that the alternate approach would give me over the simpler approach.
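The check the thread is discussing, written out as an added example (not code from either poster or from Auth0): an Auth0-style rule that treats the email domain as trustworthy only when the login came through the Google connection and the address is verified, and that compares the part after the @ exactly rather than with a bare suffix match. The connection name google-oauth2, the user.email / user.email_verified profile fields, the namespaced claim URL and the domain acme.com are assumptions of the example.

```javascript
// Added example, not from the thread. Assumed names: Auth0 connection
// 'google-oauth2', profile fields user.email and user.email_verified.

// Pure decision function, kept separate so it can run outside the Auth0 sandbox.
function domainMembership(user, context, allowedDomain) {
  // Only the Google connection may vouch for the domain; a username/password
  // signup or another provider can register any address it likes.
  if (!context || context.connection !== 'google-oauth2') {
    return { allowed: false, reason: 'not a Google login' };
  }
  // An unverified address is just a string the user typed.
  if (!user || user.email_verified !== true || typeof user.email !== 'string') {
    return { allowed: false, reason: 'email not verified' };
  }
  const email = user.email.trim().toLowerCase();
  const at = email.lastIndexOf('@');
  // Require exactly one '@' with a non-empty local part.
  if (at < 1 || at !== email.indexOf('@')) {
    return { allowed: false, reason: 'malformed address' };
  }
  // Compare the domain for equality: endsWith('acme.com') alone would also
  // accept 'notacme.com'.
  const domain = email.slice(at + 1);
  if (domain !== allowedDomain.toLowerCase()) {
    return { allowed: false, reason: 'domain mismatch: ' + domain };
  }
  return { allowed: true, reason: 'ok' };
}

// Rule wrapper in the legacy Auth0 rule shape (user, context, callback).
// Everyone may still log in; only matching Google users get the space claim.
const SPACES_CLAIM = 'https://example.com/spaces'; // assumed namespaced claim

function addAcmeSpaceMember(user, context, callback) {
  const verdict = domainMembership(user, context, 'acme.com');
  if (verdict.allowed) {
    context.idToken = context.idToken || {};
    const existing = context.idToken[SPACES_CLAIM] || [];
    context.idToken[SPACES_CLAIM] = Array.from(new Set([...existing, 'acme']));
  }
  return callback(null, user, context);
}
```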