You are correct, I want to grant access to certain data based on which Google organisation they belong to. I want to make sure that my assumption is correct: that a Google organisation maps directly to a domain, and that it is not possible to authenticate via Auth0’s Google social login with an email address on the same domain that does not belong to that organisation.
To give some deeper background, I currently allow Google, GitHub and UsernamePassword auth. Each company creates their own space on my site and then manually invites their employees to that space. I want to allow a company to say that “anyone in my organisation logged in via Google is automatically added to the space”. I am worried that just checking the auth provider (google-oauth2) and domain name opens it up to a hack by someone somehow creating a Google account with that domain outside of that org.
I could go down the route of asking each of my customer organisations to set up and supply their own Google developer API authentication site and token. A lot of other websites do this, but I’m not sure that complexity is required and would be an extra hump for my end users. I am worried I am missing something that that alternate approach would give me over the simpler approach.
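The auto-join check discussed above, as an added example that is not code from the poster or from Auth0. It assumes the application can read the claims of the Google ID token behind a login (the `email`, `email_verified` and `hd` claims are standard Google OpenID Connect claims; `hd` is the hosted domain of a Google Workspace account and is absent for consumer accounts), that the Auth0 connection is named `google-oauth2`, and it uses a hypothetical space name and domain. The point it shows is that checking `hd` against the trusted domain, rather than only the domain of the email address, is what ties the login to the organisation rather than to any Google account that happens to carry an address on that domain.

```python
from typing import Dict, Optional

# Constructed mapping: which Workspace domain each company space trusts for
# auto-join. Space name and domain are hypothetical.
SPACE_AUTO_JOIN_DOMAINS: Dict[str, str] = {
    "acme-space": "acme.example",
}

GOOGLE_CONNECTION = "google-oauth2"  # Auth0 connection name for Google social login


def auto_join_allowed(space_id: str, provider: str, claims: dict) -> bool:
    """Return True only when the ID-token claims show the user belongs to the
    Workspace organisation that the space trusts.

    Checks, in order:
      1. the identity came from the Google connection, not GitHub or password;
      2. Google marked the email as verified;
      3. the `hd` (hosted domain) claim is present and equals the trusted domain;
      4. the email address's domain agrees with `hd`.
    A consumer Google account registered with an address on the same domain
    has no `hd` claim and is rejected at step 3.
    """
    trusted: Optional[str] = SPACE_AUTO_JOIN_DOMAINS.get(space_id)
    if trusted is None or provider != GOOGLE_CONNECTION:
        return False
    if claims.get("email_verified") is not True:
        return False
    hd = claims.get("hd")
    if not isinstance(hd, str) or hd.lower() != trusted.lower():
        return False
    email = claims.get("email", "")
    _, sep, email_domain = email.rpartition("@")
    return sep == "@" and email_domain.lower() == hd.lower()


# Constructed sample logins: each is (label, provider, claims).
SAMPLE_LOGINS = [
    ("workspace_member", GOOGLE_CONNECTION,
     {"email": "alice@acme.example", "email_verified": True, "hd": "acme.example"}),
    ("consumer_same_domain", GOOGLE_CONNECTION,
     {"email": "mallory@acme.example", "email_verified": True}),  # no hd claim
    ("other_workspace", GOOGLE_CONNECTION,
     {"email": "bob@other.example", "email_verified": True, "hd": "other.example"}),
    ("unverified_email", GOOGLE_CONNECTION,
     {"email": "carol@acme.example", "email_verified": False, "hd": "acme.example"}),
    ("github_login", "github",
     {"email": "dave@acme.example", "email_verified": True}),
]


def evaluate_samples(space_id: str = "acme-space") -> Dict[str, bool]:
    """Run every constructed sample through the check and return label -> decision."""
    return {label: auto_join_allowed(space_id, provider, claims)
            for label, provider, claims in SAMPLE_LOGINS}


if __name__ == "__main__":
    for label, decision in evaluate_samples().items():
        print(f"{label:22s} auto-join={'yes' if decision else 'no'}")
```

Only the Workspace member is admitted; the account with a same-domain address but no `hd` claim is the case the post worries about and is the one the domain-only check would wrongly accept. Whatever layer performs this check (an Auth0 rule or action, or the application after login) should also refuse to auto-join when the claims cannot be read at all, rather than falling back to the email domain.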