Google-oauth2 social connection strips out login_hint

We are implementing Google One Tap login in our application. If the user is logged in to multiple Google accounts, we want to avoid presenting the account selection twice. This can be accomplished by using the login_hint parameter, and it works perfectly for “@gmail.com” emails; when the email is not a Gmail one, Auth0 removes the login_hint parameter when it redirects to Google, causing the account selection screen to be presented.

# When using a @gmail.com account, login_hint is present on the redirection
$ curl -v "https://mydomain.us.auth0.com/authorize?client_id=myclient-id&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fmyapp.com%2Fcallback&connection=google-oauth2&login_hint=john.doe%40gmail.com" 2>&1 | grep -e $'< HTTP\nlocation' -
< HTTP/2 302 
< location: https://accounts.google.com/o/oauth2/auth?login_hint=john.doe%40gmail.com&response_type=code&redirect_uri=https%3A%2F%2Fmydomain.us.auth0.com%2Flogin%2Fcallback&scope=email%20profile&state=auth-state&client_id=my-google-client-id
  
# Otherwise, it gets removed from the redirection URL
$ curl -v "https://mydomain.us.auth0.com/authorize?client_id=myclient-id&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fmyapp.com%2Fcallback&connection=google-oauth2&login_hint=john.doe%40company.com" 2>&1 | grep -e $'< HTTP\nlocation' -
< HTTP/2 302 
< location: https://accounts.google.com/o/oauth2/auth?response_type=code&redirect_uri=https%3A%2F%2Fmydomain.us.auth0.com%2Flogin%2Fcallback&scope=email%20profile&state=auth-state&client_id=my-google-client-id

We have the same problem.

Hi @rockchild,

I understand you are having issues with Google social connection not keeping the login_hint. I’ve reached out to the engineering team. It seems there’s no real way to go around this problem using the social connection.

This behavior is by design in response to a vulnerability identified by our security team. Allowing any domain to be forwarded to the Google AuthZ server leaves the user open to account takeover, if a malicious actor has a registered Google Workspace SSO domain with Third-Party IdP enabled.

For this reason using a “@company.com” domain requires use of the Google Enterprise connection, not the social connection. We limit the login_hint for the social connection to the gmail domain.

Please let me know if you have any further questions.

Thank you.

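The rule the reply above describes (forward login_hint to Google only when its domain is gmail.com, strip it otherwise) modelled in Python, as an added example that is not Auth0's code or part of this thread. The allow-list being exactly {"gmail.com"}, the function names, and the URL shapes (which mirror the curl output in the first post) are assumptions made for this example. The second half parses a "< location:" line like the ones above so the stripping can be checked mechanically instead of by reading the URL.

```python
"""Added example (not Auth0's implementation): a login_hint forwarding
policy for a social connection, plus a checker for the redirect.

Assumption: the social connection forwards login_hint only for the
gmail.com domain, as stated in the reply. Any other domain could be a
Google Workspace SSO domain with a third-party IdP, so it is dropped.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Shapes taken from the curl output in the thread
GOOGLE_AUTHORIZE = "https://accounts.google.com/o/oauth2/auth"

# Hypothetical allow-list: the reply says the hint is limited to gmail
SOCIAL_LOGIN_HINT_DOMAINS = frozenset({"gmail.com"})


def login_hint_allowed(login_hint, allowed_domains=SOCIAL_LOGIN_HINT_DOMAINS):
    """True only when login_hint is an email whose domain is allow-listed.

    The domain is taken after the LAST '@' and compared case-insensitively,
    so 'john@GMAIL.com' passes while 'john@gmail.com.evil.example' does
    not. A local part containing '@' is rejected outright rather than
    letting 'john@evil.example@gmail.com' sneak through on the suffix.
    """
    if not login_hint or "@" not in login_hint:
        return False
    local, _, domain = login_hint.rpartition("@")
    if not local or "@" in local:
        return False
    return domain.strip().lower() in allowed_domains


def build_google_redirect(google_client_id, callback, state, login_hint=None):
    """Build the Location value an IdP would send, applying the policy.

    login_hint is only placed in the query string when login_hint_allowed
    accepts it; otherwise the parameter is omitted, which is exactly what
    the second curl command in the thread observed for @company.com.
    """
    params = {}
    if login_hint is not None and login_hint_allowed(login_hint):
        params["login_hint"] = login_hint
    params.update({
        "response_type": "code",
        "redirect_uri": callback,
        "scope": "email profile",
        "state": state,
        "client_id": google_client_id,
    })
    return GOOGLE_AUTHORIZE + "?" + urlencode(params)


def forwarded_login_hint(location_line):
    """Return the login_hint carried by a redirect, or None if it was stripped.

    Accepts either a bare URL or a raw curl verbose line such as
    '< location: https://...' so it can be run over the output above.
    """
    value = location_line.strip()
    prefix = "< location:"
    if value.lower().startswith(prefix):
        value = value[len(prefix):].strip()
    hints = parse_qs(urlsplit(value).query).get("login_hint")
    return hints[0] if hints else None


if __name__ == "__main__":
    callback = "https://mydomain.us.auth0.com/login/callback"
    for hint in ("john.doe@gmail.com", "john.doe@company.com"):
        url = build_google_redirect("my-google-client-id", callback, "auth-state", hint)
        print(hint, "->", forwarded_login_hint(url))
```

Feeding the two "< location:" lines from the first post to forwarded_login_hint gives "john.doe@gmail.com" for the first and None for the second, which is the behaviour the reply attributes to the social connection.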
