Fix bug re: Google Enterprise multi-domain connections restricting domain with Identifier First

Feature: Home Realm Discovery with multiple domains has a poor user experience due to the wrong param passed to Google (“hd=”).

Description: For Google Enterprise connections that use the “Home Realm Discovery” feature (i.e. multiple domains associated with that Google Enterprise connection) when the Identifier First flow is enabled, there is a bug: if someone types in an email that wasn’t found (e.g. because of a typo), they are restricted to the single Google Workspace Domain, which will often NOT be the domain of the email address they actually want to log in with. This happens because Auth0 is passing the wrong hd= parameter when authorizing.

Specifically, per a chat with an Auth0 support rep, when the correct email is input into the Identifier First login box, there’s a 302 redirection to Google formatted like so:

Sign in - Google Accounts&response_type=code&redirect_uri=https%3A%2F%2Fauth.confirm.com%2Flogin%2Fcallback&scope=email%20profile&state=N3r2uHzoohliBd6qHPsJedQm50NxFd7c&client_id=355706728884-6p8holjn4vt3i5g08teg4ft9h028lbu0.apps.googleusercontent.com

If you review Google’s documentation regarding the hd= parameter, you’ll notice that it says:

“The hd (hosted domain) parameter streamlines the login process for G Suite hosted accounts. By including the domain of the G Suite user (for example, mycollege.edu), you can indicate that the account selection UI should be optimized for accounts at that domain. To optimize for G Suite accounts generally instead of just one domain, set a value of an asterisk (*): hd=*.”

The whole point of the multiple domains list for Home Realm Discovery is to allow this connection to be used across multiple domains. So if that field is populated, it should use “*” for the hd parameter instead of restricting to the Google Workspace Domain.

The user impact of this bug is that someone who accidentally has a typo in their email will get redirected to a Google login screen that restricts their domain to ONLY the Google Workspace Domain. But they are trying to log in with a different domain, as, again, the whole point of auth0’s Identity Provider domains feature for Home Realm Discovery is to enable multiple domains to use the same Google Enterprise connection for auth in the Identifier First experience.

Use-case: We have an app with a Google Enterprise connection that all of our clients use. We want people who enter their domain to go straight to this connection. If they type in their email exactly, there’s no problem. But if they have a typo, because the wrong hd= param is passed to auth0 (namely the Google Workspace Domain instead of “*”), instead of seeing on Google a text field that lets them type in any of the domains in the Home Realm Discovery Identity Provider domains list, it restricts them to the Google Workspace Domain.
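As an added illustration (not code from the original post, from Auth0, or from Google), here is how a relying party would pick the hd value the way the quoted doc describes, and then, on the callback, check the hd claim in the ID token against the connection’s own domain list, because the hd request parameter only shapes Google’s account picker and enforces nothing. The client id, redirect URI and domains are made-up placeholders.

```python
# Added example, not Auth0's or Google's code: choosing the Google "hd"
# parameter for a Google Enterprise connection and validating the "hd"
# claim that comes back in the ID token.
from typing import Optional, Sequence
from urllib.parse import urlencode

GOOGLE_AUTHORIZE = "https://accounts.google.com/o/oauth2/v2/auth"


def choose_hd(workspace_domain: str, idp_domains: Sequence[str]) -> str:
    """Home Realm Discovery with several domains must not pin Google to one
    domain: send "*" (any Google Workspace account) when the Identity
    Provider domains list is populated, otherwise the single Workspace domain."""
    return "*" if idp_domains else workspace_domain


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        workspace_domain: str, idp_domains: Sequence[str]) -> str:
    """Same parameters as the redirect quoted in the post; only hd changes."""
    params = {
        "hd": choose_hd(workspace_domain, idp_domains),  # encoded as %2A for "*"
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "email profile",
        "state": state,
        "client_id": client_id,
    }
    return f"{GOOGLE_AUTHORIZE}?{urlencode(params)}"


def hd_claim_allowed(hd_claim: Optional[str], workspace_domain: str,
                     idp_domains: Sequence[str]) -> bool:
    """The hd request parameter is only a UI hint; Google does not enforce it.
    After the callback, the relying party must compare the hd claim of the
    verified ID token with the domains this connection actually serves."""
    if not hd_claim:
        return False  # consumer accounts carry no hd claim at all
    allowed = {workspace_domain.lower(), *(d.lower() for d in idp_domains)}
    return hd_claim.lower() in allowed


if __name__ == "__main__":
    # Constructed placeholder values for a local run.
    domains = ["clienta.example", "clientb.example"]
    print(build_authorize_url("PLACEHOLDER_CLIENT_ID",
                              "https://tenant.example/login/callback",
                              "state123", "workspace.example", domains))
    print(hd_claim_allowed("clientb.example", "workspace.example", domains))
```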

Thank you a lot, David, for creating such a valuable feedback card! Let’s see who else from the community will be interested in such an improvement as well!