Get "hd" Claim from Google Sign-in to Verify User Belongs to a Google Workspace or Cloud Organization Account

Overview

Users may register for Google Accounts without using Gmail or G Suite. To validate that the email field in the user profile represents a Google Workspace or Cloud organization account, this article will explain how to check the hd claim, which is available in the idp_tenant_domain property in the Auth0 user profile.

Applies To

  • Enterprise connection
  • Google connections
  • Auth0 user profile

Cause

Users may register for Google Accounts without using Gmail or G Suite. More details can be found in the following 3rd Party Security Blog: Google OAuth is Broken (Sort Of)

Solution

To validate that the email field in the user profile represents a Google Workspace or Cloud organization account, check the hd claim, which indicates the user’s hosted domain. This must be used when restricting access to a resource to only members of certain domains. The absence of this claim indicates that the account does not belong to a Google-hosted domain.

Using the email, email_verified, and hd fields, it is possible to determine if Google hosts and is authoritative for an email address.

Cases where Google is authoritative:

  • If email has a @gmail.com suffix, this is a Gmail account.
  • If email_verified is true and hd is set, this is a G Suite (Google Workspace) account.

Sometimes, it is possible to find that email_verified is true, as Google initially verified the user when the Google account was created; however, ownership of the third-party email account may have changed. When email does not contain a @gmail.com suffix, and hd is absent, Google is not authoritative, and password or other challenge methods are recommended to verify the user.

Auth0 maps the hd claim from Google into the idp_tenant_domain property in the Auth0 user profile. If idp_tenant_domain is set to a domain in the Auth0 user profile, it means Google sent the hd claim with that domain for this user. Use that value, not the domain part of the email address, when restricting access to a resource to only members of certain Google domains.
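The following is an added example, not code from this article or from Auth0, showing both checks described above in one place: classifying a Google-backed identity from the email, email_verified and idp_tenant_domain fields, and then using that classification as a post-login authorization decision. The allowed-domain list, the sample profiles and the Action wiring at the end are assumptions; `event.connection.strategy` and `api.access.deny` are the real Auth0 Actions fields used here.

```javascript
// Added example (not the article's or Auth0's code): decide whether Google is
// authoritative for a user and whether the user belongs to an allowed
// Google Workspace / Cloud organization domain.

// Hypothetical list of hosted domains allowed to reach the resource.
const ALLOWED_HOSTED_DOMAINS = ["example.com"];

/**
 * Classify an Auth0 user profile coming from a Google connection.
 * `user` carries { email, email_verified, idp_tenant_domain } as Auth0 maps
 * them (idp_tenant_domain is Google's hd claim).
 * Returns "gmail", "workspace" or "unverified".
 */
function classifyGoogleIdentity(user) {
  const email = String(user.email || "").toLowerCase();
  const hd = user.idp_tenant_domain;
  if (email.endsWith("@gmail.com")) {
    return "gmail"; // Google is authoritative for Gmail addresses
  }
  if (user.email_verified === true && typeof hd === "string" && hd.length > 0) {
    return "workspace"; // Google hosts this domain and vouches for the user
  }
  // Non-Gmail address with no hd claim: Google only verified the address at
  // account creation time, so treat it as unverified for authorization.
  return "unverified";
}

/**
 * Authorization decision for a resource restricted to specific hosted domains.
 * Returns { allow: boolean, reason: string }.
 */
function authorizeHostedDomain(user, allowedDomains = ALLOWED_HOSTED_DOMAINS) {
  const kind = classifyGoogleIdentity(user);
  if (kind !== "workspace") {
    return { allow: false, reason: `not a Google-hosted account (${kind})` };
  }
  // Compare the hd value itself, never the domain part of the email: a Google
  // Account can be registered with an arbitrary third-party address.
  const hd = user.idp_tenant_domain.toLowerCase();
  const allowed = allowedDomains.map((d) => d.toLowerCase());
  if (!allowed.includes(hd)) {
    return { allow: false, reason: `hosted domain ${hd} is not allowed` };
  }
  return { allow: true, reason: `member of ${hd}` };
}

// Auth0 post-login Action using the decision above (assumed wiring).
async function onExecutePostLogin(event, api) {
  if (event.connection.strategy !== "google-oauth2") return;
  const decision = authorizeHostedDomain(event.user);
  if (!decision.allow) {
    api.access.deny(decision.reason);
  }
}
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed sample profiles for local runs.
const SAMPLE_USERS = {
  gmail: { email: "alice@gmail.com", email_verified: true },
  member: { email: "bob@example.com", email_verified: true, idp_tenant_domain: "example.com" },
  otherOrg: { email: "dan@other.example", email_verified: true, idp_tenant_domain: "other.example" },
  thirdParty: { email: "carol@mail.example", email_verified: true },
};

for (const [name, user] of Object.entries(SAMPLE_USERS)) {
  console.log(name, classifyGoogleIdentity(user), authorizeHostedDomain(user));
}
```

Inside an Auth0 Action the same function is exported as `exports.onExecutePostLogin`; the sample loop at the bottom only exists so the file can be run locally with Node.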

User profile in Auth0: